Re: [PHP-DEV] [PATCH] Bug #43896 htmlspecialchars returns empty string on invalid unicode sequence

2008-01-28 Thread Peter Brodersen
, but it replaces incomplete sequences with the character ?. I don't know if it is a recommended standard for invalid input but I have seen this conversion as well in a couple of other applications, e.g. Firefox. -- - Peter Brodersen -- PHP Internals - PHP Runtime Development Mailing List

Re: [PHP-DEV] [PATCH] Bug #43896 htmlspecialchars returns empty string on invalid unicode sequence

2008-01-28 Thread Peter Brodersen
00 05 00 00 00 05 00 00 07 00 09 00 $ for a in `seq 1 20`; do php -r 'printf("%02x ", utf8_decode(chr(0xE0)));'; done 00 00 00 00 00 00 00 00 04 00 08 00 00 00 00 05 00 00 01 00 I don't think there is any reason for this behaviour. I'll file a bug.

Re: [PHP-DEV] [PATCH] Bug #43896 htmlspecialchars returns empty string on invalid unicode sequence

2008-01-28 Thread Peter Brodersen
such as ? as well - but this is beside the point) I'm not fond of the ? feature as well, but it is present in utf8_decode() and other non-php applications with utf-8 conversion. My guess is still that some standard recommends this conversion as a possible fallback for error handling.

Re: [PHP-DEV] [PATCH] Bug #43896 htmlspecialchars returns empty string on invalid unicode sequence

2008-01-28 Thread Peter Brodersen
more difficult, and can lead to user confusion.

Re: [PHP-DEV] [PATCH] date/timelib: use system timezone database

2008-01-11 Thread Peter Brodersen
like to see php projects have to create different packages with individual code for different types of os or distribution.

[PHP-DEV] Re: Array syntax []

2008-01-11 Thread Peter Brodersen
+1 (sorry for the first post)

[PHP-DEV] Re: Array syntax []

2008-01-11 Thread Peter Brodersen
more readable and natural. We're kind of odd as a language in that sense i.e. array(...) I think almost everyone here agreed it'd benefit them and maybe the ones who don't would go through the same process I went through once they get used to it J Andi

[PHP-DEV] Re: faster public domain MD5 implementation

2007-12-09 Thread Peter Brodersen
of bits does not add up to a number divisible by eight? Or is this feature of md5 simply not relevant to anybody?

[PHP-DEV] Re: RFC: mark functions as const for possible optimizations

2007-09-15 Thread Peter Brodersen
with stuff like this if it is possible to change the charset at runtime? I guess it is important to be aware of whether a function is affected by different settings (and if these settings can be changed at runtime) to conclude if a function really is deterministic at this level.

Re: [PHP-DEV] [PATCH] array_get()

2007-09-13 Thread Peter Brodersen
with user input. I'm not too fond of a function that begins with if* - it might misdirect people to think it's a control structure. (and now back to your original programme)

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-09-02 Thread Peter Brodersen
unbundling the safe_mode_exec_dir and keeping that alive: http://news.php.net/php.internals/20417 Is this still relevant? I like the idea much more than users should maintain their own disabled_functions list to prevent current and new exec functions.

[PHP-DEV] Re: POSIX regex

2007-07-16 Thread Peter Brodersen
take a long time to do.

Re: [PHP-DEV] RIP PHP 4?

2007-07-09 Thread Peter Brodersen
the development of such a tool might be outside the scope of usual php development. But if we want to change the behaviour pattern of the users in the transitional phase it could be necessary.

Re: [PHP-DEV] What is the use of unicode.semantics in PHP 6?

2007-06-19 Thread Peter Brodersen
one. Even if a developer would write (portable) PHP 6 only code. Of course, configurations could contain a lot of other obscure settings that might have influence on the script but none as widespread as the difference in magic_quotes settings.

Re: [PHP-DEV] What is the use of unicode.semantics in PHP 6?

2007-06-19 Thread Peter Brodersen
the PHP 6 with unicode setting on or off?. I'm just worried that PHP 6 is the new NULL: PHP6 != PHP6 :-)

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src(PHP_5_2) / run-tests.php

2007-02-09 Thread Peter Brodersen
be to get rid of delimiters and separate the flag into its own argument, but it would be a hell of a BC break if the input form suddenly changed. Nonetheless the current PCRE functions lead to confusion and weirdness as long as the perl syntax is mixed with php.

Re: [PHP-DEV] allow_url_include and php:/data:

2006-11-05 Thread Peter Brodersen
networked file system as non-local. Mostly because many times there are no ways to identify them reliably and the fact this is a perfectly valid usage that if disallowed by default would break a large number of applications.

Re: [PHP-DEV] allow_url_include and php:/data:

2006-11-05 Thread Peter Brodersen
/127.0.0.1 ? Actually any smb server that is requested through PHP's means of fetching a resource (\\smbserver\...) instead of a device mount in the operating system (e.g. Z:\ ...).

Re: [PHP-DEV] allow_url_include and php:/data:

2006-11-04 Thread Peter Brodersen
it against those attacks it would be helpful. Would requests to a smbserver, e.g. \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It seems like smbserver requests are regarded as part of the default filesystem wrapper.

Re: [PHP-DEV] PHP 5.2.0 release with broken input filters

2006-10-23 Thread Peter Brodersen
other. HTTP_HOST could be tainted as well in some cases where a DNS entry and ServerAlias of *.example.com exists. An attacker could trick a user into visiting www.%22%3EXSS.example.com which at least IE6 would accept as a valid URL.

Re: [PHP-DEV] session.gc_maxlifetime default value

2006-08-30 Thread Peter Brodersen
minutes) without resorting to keepalive-hacks! Security handling should, where possible, be performed by the code.

[PHP-DEV] session.gc_maxlifetime default value

2006-08-21 Thread Peter Brodersen
in a system with a high gc_maxlifetime than to keep a session alive (e.g. having the page access a php resource every couple of minutes using javascript).

Re: [PHP-DEV] Passing functions to function by reference

2006-04-27 Thread Peter Brodersen
of doing it right users will do it in a bad way.

Re: [PHP-DEV] open_basedir_for_include

2006-03-26 Thread Peter Brodersen
] ? This thread is mainly about a safety net for one's own code. But regarding restricting users, open_basedir is IMO useless if not backed up by some other methods (like restricting exec functions).

Re: [PHP-DEV] open_basedir_for_include

2006-03-26 Thread Peter Brodersen
-functions requiring a lot of maintenance for end users. At least Rasmus mentioned that he would appreciate being reminded of this feature (of keeping an internal list of exec functions and still use safe_mode_exec_dir - possibly under a more describing name)

[PHP-DEV] Re: Nuking safe_mode

2006-03-09 Thread Peter Brodersen
be preserved, as recommended by Rasmus? This might be the exact time to remind us later.

Re: [PHP-DEV] __call overload detection

2006-01-04 Thread Peter Brodersen
(function names might exist but still unusable), as mentioned in the documentation.

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-26 Thread Peter Brodersen
in PHP6 (based on the talks), but it is pretty much useless if not backed up by other tools (disable_exec_functions, some_exec_dir_restriction, ...)

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-26 Thread Peter Brodersen

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-25 Thread Peter Brodersen
for general setup. (and once again, I agree that safe_mode is not safe, it is a poor functionality as it suggests magic instead of easily understandable features, it gives users headaches with UID matching)

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-25 Thread Peter Brodersen

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-25 Thread Peter Brodersen
a lot of maintenance for end users. If this really is best practice, why don't we just rename safe_mode to disable_exec_functions (and maybe remove UID checks)? It would be easier to maintain and easier to deploy - provided that this really is the recommended setup.

Re: [PHP-DEV] Re: PDM Meeting Notes

2005-11-24 Thread Peter Brodersen
. Personally I feel it kind of redundant to specify the users document_root as their open_basedir value (although others might want to allow one level up giving users a possibility of putting variables out of web scope - this is besides the point though).

[PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Peter Brodersen
feel on the expose version number issue if e.g. google would allow people to restrict their searches based on header information as well.

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Peter Brodersen
they seriously would encourage people to disable version information so much that they would change their default settings to reflect this. I would agree with Markus. This is security by obscurity. The automated attacks do happen anyway.

Re: [PHP-DEV] Unicode Implementation

2005-10-10 Thread Peter Brodersen

Re: [PHP-DEV] $ref = $this;

2005-10-06 Thread Peter Brodersen
. Even though they were meant to ease a BC transition, you suddenly can't be sure if your code runs on any other server even if the x.y.z version is the same. In some cases it could just result in Even Another Initial Ini-Check In Your PHP Code.

[PHP-DEV] Re: CLI in PHP6

2005-10-06 Thread Peter Brodersen
/bug.php?id=34483 : Running a PHP for 24 hours (under windows) is REALLY not supported or suggested. It's definitely nothing to do with PHP but your OS. (and Try this on a real OS, like Linux) Maybe this was what you were thinking of. I can't see any reason for that statement, though.

[PHP-DEV] Re: New site: http://pecl4win.php.net/

2005-09-29 Thread Peter Brodersen
your browser at http://pecl4win.php.net/ext.php/php_oci8.dll AOL! I mean... great work! :-)

Re: [PHP-DEV] timezones date() breakage

2005-09-29 Thread Peter Brodersen
/user with no control of his sysadm's settings? Would there be any concerns for PHP users who would like their code to work in different setups? (one with the old behaviour, one with the new behaviour - both running the same 5.1.x version)

Re: [PHP-DEV] timezones date() breakage

2005-09-27 Thread Peter Brodersen
of applications will. The fact date() now tries to be intelligent about it but fails is a real problem. Just out of curiosity of the scope of this issue... where did the string IDT come from in the first place? Any specific distribution? Default OS setting?

Re: [PHP-DEV] Re: Bogusing bot (Was: [PHP-DEV] Reference handling change and PHP4.4.0)

2005-09-19 Thread Peter Brodersen
reduce the bogus bug submissions in time.

[PHP-DEV] Re: Bogusing bot (Was: [PHP-DEV] Reference handling change and PHP4.4.0)

2005-09-15 Thread Peter Brodersen
are when there are many open bugs and a nice developer decides that he would spend the evening on reviewing/closing these bugs instead of watching a good movie. I guess my only real suggestion is that some of the template-answers could be better worded.

Re: [PHP-DEV] Re: glob to take array as an arg

2005-08-31 Thread Peter Brodersen

[PHP-DEV] Re: PHP Unicode support design document

2005-08-16 Thread Peter Brodersen
. I just want to be prepared if I ever have to review some code for the purpose of migrating to PHP6.

[PHP-DEV] Re: PHP 6.0 Wishlist

2005-08-13 Thread Peter Brodersen
rely on (own variables). But all in all: very exciting. As mentioned, there really might be a lot of work regarding the information and transitional help if all these wishes come true.

Re: [PHP-DEV] Re: References Problem Patch

2005-05-30 Thread Peter Brodersen
of the references-fix, I suppose it's a case of DIYDDIYD. I agree with Zeev regarding the importance of the wording in the release notes.

Re: [PHP-DEV] [PATCH] Modifications for ext/session/

2005-04-22 Thread Peter Brodersen
even in safe_mode/open_basedir-restrictions, these new functions will have pretty small effect unless one works his way entirely around the session functionality in the first place... E.g.: http://basedir.ter.dk/globall.php

Re: [PHP-DEV] Should I report this bug/exploit?

2005-04-04 Thread Peter Brodersen
the print_r(glob("{/home/currentuser/,/etc/}*", GLOB_BRACE)) issue combined with the glob file name disclosure issue)

[PHP-DEV] Re: How to help? (Bug #28932 - glob-error-harvesting code)

2005-02-20 Thread Peter Brodersen
Hi, On Mon, 14 Feb 2005 01:56:41 +0100, in php.internals [EMAIL PROTECTED] (Peter Brodersen) wrote: http://basedir.ter.dk/globeater.php http://basedir.ter.dk/globeater.php?debug=1 http://basedir.ter.dk/globeater.phps Is it really a-okay that a script in pure PHP under safe_mode-restriction

[PHP-DEV] How to help? (Bug #28932 - glob-error-harvesting code)

2005-02-13 Thread Peter Brodersen
sysadms and developers of performing custom, individual workarounds. Just my 0.02dkk - thanks for listening!

Re: [PHP-DEV] PHP 5.1

2005-02-01 Thread Peter Brodersen
and 0xF7. That's the nice thing about UTF-8 - no character with code points above 128 will produce bytes where the uppermost bit is zero (0x00 to 0x7F)

Re: [PHP-DEV] Why we don’t like PHP /

2004-12-22 Thread Peter Brodersen
/mod_proxy.html#proxypreservehost I miss it in Apache1 :) That feature is pushing me towards Apache2.

Re: [PHP-DEV] Why we don’t like PHP /

2004-12-21 Thread Peter Brodersen
access to the entire system]

Re: [PHP-DEV] curl_init() is bypassing safe_mode open_basedir

2004-10-29 Thread Peter Brodersen
that it is present and part of the system - for better and for worse. By the way, since it's a myth, you might stop repeating the myth, since no-one else bombastically claimed that Safe mode makes a PHP installation safe :)

[PHP-DEV] Re: [Fwd: [PHP-NOTES] note 46955 added to function.curl-init]

2004-10-28 Thread Peter Brodersen
with files, therefor safe_mode open_basedir checks * are required. */ .. but it only seems to regard storage of cookiefile and ssl-certificate.

[PHP-DEV] cvs account request - phpdoc-da

2004-10-05 Thread Peter Brodersen
-php.php , but still no reply. What's the next step for me (besides posting here)?

[PHP-DEV] Behaviour of preg_replace with /e

2004-08-06 Thread Peter Brodersen
is disabled (and unimportant, so is magic_quotes_gpc). -- - Peter Brodersen (trying not to be too much of a party pooper :)

[PHP-DEV] Re: Bugreports - is it worth it? (or: glob() disclosing file names with open_basedir and safe_mode-restriction)

2004-07-26 Thread Peter Brodersen
allow you to hijack that session, since you wouldn't have the original session name (but only the hashed value).

Re: [PHP-DEV] Bugreports - is it worth it? (or: glob() disclosing file names with open_basedir and safe_mode-restriction)

2004-07-25 Thread Peter Brodersen
walking would be possible (as glob() returns false instead of raising a warning if no file is matched) (2a) - File names wouldn't be disclosed (2b)

Re: [PHP-DEV] Re: A couple of potential security issues with sessions and glob() in safe_mode

2004-07-01 Thread Peter Brodersen
decision whether or not we would like PHP to behave this way. (I will resend the post to [EMAIL PROTECTED] later today if necessary)

[PHP-DEV] A couple of potential security issues with sessions and glob() in safe_mode

2004-06-30 Thread Peter Brodersen
on warnings? 6. Is there any reason for users to be able to figure out almost any file name on the system using glob() (which would require less work than brute force guesses)? Thanks for reading all of this - and thanks for the hard work developing PHP :)