Peter Conrad wrote:
Hi,
On Mon, Apr 03, 2006 at 11:06:01PM +0900, Moriyoshi Koizumi wrote:
While this is not part of the HTML / HTTP standards, major
browsers
around try to send such characters in the user input as HTML entities
that cannot
all be represented in the encoding of the origin
Moriyoshi Koizumi wrote:
Jasper Bryant-Greene wrote:
I very much doubt there are many applications at all containing code
like this. It is illogical to be decoding html entities from user
input. Therefore I would not call this a "very serious problem" and
certainly not a critical bug.
Not r
On 3/29/06, Jeff Rosowski <[EMAIL PROTECTED]> wrote:
> It also doesn't affect all versions of PHP. on 5.0.5, it returns \0
> followed by however many Ss you put after it. And your right you wouldn't
> trust user imput like that.
>
> ___
I get this beha
Jasper Bryant-Greene wrote:
Moriyoshi Koizumi wrote:
Jasper Bryant-Greene wrote:
I very much doubt there are many applications at all containing code
like this. It is illogical to be decoding html entities from user
input. Therefore I would not call this a "very serious problem" and
certainl
Jasper Bryant-Greene wrote:
Tõnu Samuel wrote:
Nice! I was really nervous already as I got bombed with e-mails and I
really did not knew much more than was discovered. Meanwhile I am
bit disappointed that we had nearly month such a bug in wild and
software distributors like SuSE in my cas
really did not knew much more than was discovered. Meanwhile I am bit
disappointed that we had nearly month such a bug in wild and software
distributors like SuSE in my case did not published patches. I think as
long enough time passed and I hope distributors maybe need to see it - I
publish e
I very much doubt there are many applications at all containing code
like this. It is illogical to be decoding html entities from user
input. Therefore I would not call this a "very serious problem" and
certainly not a critical bug.
Somewhat I agree. I suspected this may affect more function
Tõnu Samuel wrote:
Nice! I was really nervous already as I got bombed with e-mails and I
really did not knew much more than was discovered. Meanwhile I am bit
disappointed that we had nearly month such a bug in wild and software
distributors like SuSE in my case did not published patches. I
Hello,
just to stop this:
The bug is a binary safety issue in html_entity_decode. A function that
is not usually used on user input, because user input is usually not
expected in HTML format and then decoded. Even if the function is used
on user input it can only leak memory to a potential attack