On Thu, 30 Jun 2005, Kamesh Jayachandran wrote:
> Still have one small issue with it for NetWare.
> We decided to use autoconf based build for PHP-5.1 so we don't want to
> use config.nw.h(Soon will delete it from the source tree)
> This patch takes cares of it.
> http://www.ductape.net/~kameshj/e
Thanks Derick.
Still have one small issue with it for NetWare.
We decided to use autoconf based build for PHP-5.1 so we don't want to
use config.nw.h(Soon will delete it from the source tree)
This patch takes cares of it.
http://www.ductape.net/~kameshj/ext_date_config.m4.patch
With regards
Kamesh
Okay, I'm leaving for vacation in 7 hours. I'd like to bring the
'include' discussion to an end. There have been a lot of weak points
made, e.g. "Yeah, it's a problem; that's why we documented it".
Rather than re-dismiss them, I'll ignore them in favor of addressing
the strongest ones.
o This
Russell,
We got the point. Now please let internals@ continue to be productive and
focus on PHP development.
Sorry to be blunt but this thread is getting old and preventing us from
being productive.
Thanks,
Andi
At 12:58 AM 6/30/2005 -0400, Russell Nelson wrote:
Etienne Kneuss writes:
> Ru
Etienne Kneuss writes:
> Russell Nelson wrote:
>
> >And you're trying to tell me that PHP's 'include' doesn't have a problem??
> >
> The problem is not located on include, the problem is more general :
> "trusting user's data"
That's *also* a problem. Include's problem is a different one:
Hey,
Who is currently maintaining the ldap_ function set in PHP?
Guus
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.6/33 - Release Date: 28/06/2005
Sorry to break up the allow_url_fopen discussion but I think that thread is
getting a bit old already and definitely clogging up the mailing list.
(hint hint)
I'd like to start moving forward with the 5.1.0 release process. It seems
we are in quite good shape but as we have had many patches si
Russell Nelson wrote:
>And you're trying to tell me that PHP's 'include' doesn't have a problem??
>
>
>
The problem is not located on include, the problem is more general :
"trusting user's data" and PHP already provides tools to make it safe,
like file_exists(), htmlentities(), etc...
--
Etie
Makes sense and brings much better performance to PHP.
At 12:38 PM 6/28/2005 -0700, Michael Sisolak wrote:
Does this tripling of the size of zend_execute make sense? If it does
then it is what it is, but I just want to make sure that what's
happening here is what people expected.
--
PHP Inter
That's pretty accurate. Same happens on systems like SGI where you can
optimize with base addresses. It can allow you to speed up loading time if
you have a self contained app but partition it into DLLs.
At 10:56 AM 6/28/2005 -0400, Wez Furlong wrote:
It does things differently; it compiles th
Rasmus Lerdorf writes:
> Forget your Google searches and go look at actual vulnerability reports
> for the last 3 months.
Vulnerability reports are not a reasonable statistical sample. They
aren't random. Also, people who report vulnerabilities are likely to
stop reporting them if the maintain
Yasuo,
Isn't it possible to resolve this in the code directly?
At 09:11 AM 6/27/2005 +0200, Derick Rethans wrote:
On Mon, 27 Jun 2005, Yasuo Ohgaki wrote:
> Since release_sysvsem_sem has error message while releasing acquired
> semaphores (both PHP_4_4 and PHP_5_1), it may end up with semaphor
Al Baker writes:
> This thread's pretty much pointless - I recommend you read up on web
> security in general.
I understand web security. When I found out that somebody was
breaking into my system, I knew *exactly* how they were doing it:
through PHP. I turned out to be correct. PHP's reputat
hi,
I just wanted to say about 'include' ... er no actually
I have this little thing with constant() which I asked about
on php-generals and the response from a couple of regulars
suggest it might be a bug, or more correctly, an inconsistency.
Jason Barnett wrote also:
tested with PHP 5.0.5-dev
Russell Nelson wrote:
> Nelson Menezes writes:
> > The potential for inclusion of malicious code is, if
> > anything, a common oversight, not a design flaw.
>
> If it's a common oversight, then it *is* a design flaw.
>
> > 1. Create an INI_ALL variable that means something like "allow fopen
>
Russell Nelson wrote:
>Derick Rethans writes:
> > On Wed, 29 Jun 2005, Sara Golemon wrote:
>
> > > Only intrinsicly safe if you've read the manual page to know that
> > > badstring should have been null terminated.
>
>Oh, don't get me started on C's null-terminated strings!
>
> > Stop feeding the
Nelson Menezes writes:
> The potential for inclusion of malicious code is, if
> anything, a common oversight, not a design flaw.
If it's a common oversight, then it *is* a design flaw.
> 1. Create an INI_ALL variable that means something like "allow fopen
> wrappers in include/require" and de
Parameter validation is a general thing done for security, whether that
be if you're using a variable in an include, database credentials,
connecting to a web service, etc. You need to make sure that those
basic conditions have a highly controlled set of values, not only for
security but to make s
Russell Nelson wrote:
Derick Rethans writes:
> On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Only intrinsicly safe if you've read the manual page to know that
> > badstring should have been null terminated.
Oh, don't get me started on C's null-terminated strings!
> Stop feeding the troll pl
Derick Rethans writes:
> On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Only intrinsicly safe if you've read the manual page to know that
> > badstring should have been null terminated.
Oh, don't get me started on C's null-terminated strings!
> Stop feeding the troll please.
Public requests t
Guus Leeuw jr. writes:
> These programmers need to make sure that their program copes well with
> incorrect or harming input.
Your argument is ridiculous. Essentially you are saying that circular
saws should not come with a guard on the blade, and that circular saw
users should invent their own
Wez Furlong writes:
> I think the point is that we're not going to change include() any time
> soon,
Why not? It's still badly designed because it has hidden sharp edges.
--
--My blog is at blog.russnelson.com | If you want to find
Crynwr sells support for free software | PGPok |
Jani Taskinen writes:
> Please troll, do you go away if I close my eyes?
No, in fact, I don't. I'm not trolling. I'm pointing to factual
evidence that your replies cannot explain. Lots of people have said
"Oh, well, just turn off that feature, or tell your users not to use
it, or stop usi
On 6/29/05, Russell Nelson <[EMAIL PROTECTED]> wrote:
> If 'strchr' caused your CPU's fan to stop turning, should 1) a
> work-around be documented, or 2) the code fixed? If a bug in libjpeg
> allows a url_fopened image to contain invalid data that elevates
> privilege, should that be 1) a work-ar
On Wed, 29 Jun 2005, Kamesh Jayachandran wrote:
> #include this at the start of the file(ofcourse after the
> guard) solves the problem.
Should be fixed in CVS, please test.
regards,
Derick
--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
--
PHP Internals - PHP R
On Wed, 29 Jun 2005, Sara Golemon wrote:
> > Nope. Some functions are intrinsically safe, e.g. C's atol, or strtol.
> > It's all in the design, you see.
> >
> {
>char badstring[3] = { '1', '0', '0' };
>long not100 = atol(badstring);
> }
>
> Only intrinsicly safe if you've read the manual
Nope. Some functions are intrinsically safe, e.g. C's atol, or strtol.
It's all in the design, you see.
{
char badstring[3] = { '1', '0', '0' };
long not100 = atol(badstring);
}
Only intrinsicly safe if you've read the manual page to know that badstring
should have been null terminated.
[EMAIL PROTECTED] wrote:
Please troll, do you go away if I close my eyes?
That's not fair. Russell is providing strong arguments and rebuttals
for every point. You may not agree with his points, but what he's
doing is not trolling. This discussion seems to have strong backing
on both sides
On Wed, 29 Jun 2005, Sebastian Mendel wrote:
> [EMAIL PROTECTED] wrote:
> > Jani Taskinen <[EMAIL PROTECTED]> writes:
> >
> >> Please troll, do you go away if I close my eyes?
> >
> > That's not fair. Russell is providing strong arguments and rebuttals for
> > every point. You may not agre
[EMAIL PROTECTED] wrote:
> Jani Taskinen <[EMAIL PROTECTED]> writes:
>
>> Please troll, do you go away if I close my eyes?
>
> That's not fair. Russell is providing strong arguments and rebuttals for
> every point. You may not agree with his points, but what he's doing is not
> trolling. T
I think the point is that we're not going to change include() any time
soon, and that this thread is not a productive use of everyones time.
--Wez.
On 6/29/05, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Jani Taskinen <[EMAIL PROTECTED]> writes:
>
> > Please troll, do you go away if I clo
Hi Jani,
Some time in October end 2004 I was asking for allocating 2 switches for
NetWare php cli to handle NetWare specific screen issues.
Subject of the original eMail is
"Can someone allocate 2 command line switches for php cli on NetWare?"
I got a good suggestion from the community to write a
!!! 2 ALL FROM PHP-FREELANCERS.COM/RELATED !!!
!!! URGENT !!! HELLO ALL, WE ARE "SKIV" DEVELOPER ON SCRIPTLANCE.COM !!!
URGENT !!!
!!! URGENT !!! WE ARE SELLING OUR COMPLETED COMMERCIAL PROJECTS DATABASE.!!!
URGENT !!!
!!! PLEASE READ CAREFULLY, long email,
Jani Taskinen <[EMAIL PROTECTED]> writes:
> Please troll, do you go away if I close my eyes?
That's not fair. Russell is providing strong arguments and rebuttals for
every point. You may not agree with his points, but what he's doing is not
trolling. This discussion seems to have strong ba
Hi Derick,
Who will define HAVE_INT32_T?
I could see ./configure detects it and defines it in main/php_config.h.
But How ext/date/lib/timelib_structs.h know about this?
I could not see ext/date/lib/timelib_structs.h including
main/php_config.h.
#ifndef HAVE_INT32_T
# if SIZEOF_INT == 4
typedef int
On Wed, 29 Jun 2005 [EMAIL PROTECTED] wrote:
ID: 12284
Updated by: [EMAIL PROTECTED]
Reported By: andrew at andrew dot org
-Status: Open
+Status: Closed
Bug Type: Feature/Change Request
Operating System: any
PHP Version: 4.0.6
New
On Wed, 29 Jun 2005 [EMAIL PROTECTED] wrote:
> ID: 12284
> Updated by: [EMAIL PROTECTED]
> Reported By: andrew at andrew dot org
> -Status: Open
> +Status: Closed
> Bug Type: Feature/Change Request
> Operating System: any
> PHP Version:
> -Original Message-
> From: Russell Nelson [mailto:[EMAIL PROTECTED]
> Sent: mercredi 29 juin 2005 08:09
>
>
> If people do stupid things with a computer, is it their fault or the
> computer's fault? Personally, I always think it's the computer's
> fault. So, yes, if people end up doin
38 matches
Mail list logo