, but it replaces incomplete sequences with the character ?.
I don't know if it is a recommended standard for invalid input but I
have seen this conversion as well in a couple of other applications,
e.g. Firefox.
--
- Peter Brodersen
--
PHP Internals - PHP Runtime Development Mailing List
00 05 00 00 00 05 00 00 07 00 09 00
$ for a in `seq 1 20`; do php -r 'printf("%02x ", utf8_decode(chr(0xE0)));';
done
00 00 00 00 00 00 00 00 04 00 08 00 00 00 00 05 00 00 01 00
I don't think there is any reason for this behaviour. I'll file a bug.
--
- Peter Brodersen
such as ? as well - but this is beside the point)
I'm not fond of the ? feature as well, but it is present in
utf8_decode() and other non-php applications with utf-8 conversion.
My guess is still that some standard recommends this conversion as a
possible fallback for error handling.
--
- Peter Brodersen
more difficult, and can lead to user confusion.
==
--
- Peter Brodersen
like to see php projects have to create different packages
with individual code for different types of os or distribution.
--
- Peter Brodersen
+1
(sorry for the first post)
--
- Peter Brodersen
more readable and natural. We're kind
of odd as a language in that sense i.e. array(...)
I think almost everyone here agreed it'd benefit them and maybe the ones
who don't would go through the same process I went through once they get
used to it :-)
Andi
--
- Peter Brodersen
of
bits does not add up to a number divisible by eight? Or is this
feature of md5 simply not relevant to anybody?
--
- Peter Brodersen
with stuff like this if it is possible to
change the charset at runtime?
I guess it is important to be aware of whether a function is affected
by different settings (and if these settings can be changed at
runtime) to conclude if a function really is deterministic at this
level.
--
- Peter Brodersen
with user input.
I'm not too fond of a function that begins with if* - it might
misdirect people to think it's a control structure.
(and now back to your original programme)
--
- Peter Brodersen
unbundling the safe_mode_exec_dir and
keeping that alive:
http://news.php.net/php.internals/20417
Is this still relevant? I like the idea much more than users should
maintain their own disabled_functions list to prevent current and new
exec functions.
--
- Peter Brodersen
take a long time to do.
--
- Peter Brodersen
the development of such a tool might be outside the scope of
usual php development. But if we want to change the behaviour pattern
of the users in the transitional phase it could be necessary.
--
- Peter Brodersen
one. Even if a developer would write (portable) PHP 6 only
code.
Of course, configurations could contain a lot of other obscure
settings that might have influence on the script but none as
widespread as the difference in magic_quotes settings.
--
- Peter Brodersen
the PHP 6 with unicode setting on or
off?.
I'm just worried that PHP 6 is the new NULL: PHP6 != PHP6 :-)
--
- Peter Brodersen
be to get rid of delimiters and separate the flag into
its own argument, but it would be a hell of a BC break if the input
form suddenly changed.
Nonetheless the current PCRE functions lead to confusion and
weirdness as long as the perl syntax is mixed with php.
--
- Peter Brodersen
networked file system as non-local.
Mostly because many times there are no ways to identify them reliably
and the fact this is a perfectly valid usage that if disallowed by
default would break a large number of applications.
On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote:
On Sat, 04 Nov 2006
/127.0.0.1 ?
Actually any smb server that is requested through PHP's means of
fetching a resource (\\smbserver\...) instead of a device mount in the
operating system (e.g. Z:\ ...).
--
- Peter Brodersen
it against those attacks it would be helpful.
Would requests to a smbserver, e.g.
\\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
seems like smbserver requests are regarded as part of the default
filesystem wrapper.
--
- Peter Brodersen
other.
HTTP_HOST could be tainted as well in some cases where a DNS entry and
ServerAlias of *.example.com exists.
An attacker could trick a user into visiting
www.%22%3EXSS.example.com which at least IE6 would accept as a valid
URL.
--
- Peter Brodersen
minutes) without resolving to keepalive-hacks
! Security handling should, where possible, be performed by the code.
--
- Peter Brodersen
in a system with a high gc_maxlifetime than to keep a
session alive (e.g. having the page access a php resource every couple
of minutes using javascript).
--
- Peter Brodersen
of doing it right users will
do it in a bad way.
--
- Peter Brodersen
] ?
This thread is mainly about a safety net for one's own code. But
regarding restricting users, open_basedir is IMO useless if not backed
up by some other methods (like restricting exec functions).
--
- Peter Brodersen
-functions
requiring a lot of maintenance for end users.
At least Rasmus mentioned that he would appreciate being reminded of
this feature (of keeping an internal list of exec functions and still
use safe_mode_exec_dir - possibly under a more describing name)
--
- Peter Brodersen
be
preserved, as recommended by Rasmus? This might be the exact time to
remind us later.
--
- Peter Brodersen
(function names might exist but still
unusable), as mentioned in the documentation.
--
- Peter Brodersen
in PHP6 (based on
the talks), but it is pretty much useless if not backed up by other
tools (disable_exec_functions, some_exec_dir_restriction, ...)
--
- Peter Brodersen
.
--
- Peter Brodersen
for general setup.
(and once again, I agree that safe_mode is not safe, it is a poor
functionality as it suggests magic instead of easily understandable
features, it gives users headaches with UID matching)
--
- Peter Brodersen
.
--
- Peter Brodersen
a lot of maintenance for end users.
If this really is best practice, why don't we just rename safe_mode to
disable_exec_functions (and maybe remove UID checks)? It would be
easier to maintain and easier to deploy - provided that this really is
the recommended setup.
--
- Peter Brodersen
. Personally I feel
it kind of redundant to specify the users' document_root as their open_basedir
value (although others might want to allow one level up giving users a
possibility of putting variables out of web scope - this is besides the
point though).
--
- Peter Brodersen
feel on the expose version number
issue if e.g. google would allow people to restrict their searches
based on header information as well.
--
- Peter Brodersen
they
seriously would encourage people to disable version information so
much that they would change their default settings to reflect this.
I would agree with Markus. This is security by obscurity. The
automated attacks do happen anyway.
--
- Peter Brodersen
.
--
- Peter Brodersen
. Even though they were meant
to ease a BC transition, you suddenly can't be sure if your code runs
on any other server even if the x.y.z version is the same.
In some cases it could just result in Even Another Initial Ini-Check In
Your PHP Code.
--
- Peter Brodersen
/bug.php?id=34483 : Running a
PHP for 24 hours (under windows) is REALLY not supported or suggested.
It's definitely nothing to do with PHP but your OS. (and Try this on
a real OS, like Linux)
Maybe this was what you were thinking of.
I can't see any reason for that statement, though.
--
- Peter
your browser at
http://pecl4win.php.net/ext.php/php_oci8.dll
AOL! I mean... great work! :-)
--
- Peter Brodersen
/user with no control of his sysadm's settings?
Would there be any concerns for PHP users who would like their code to
work in different setups? (one with the old behaviour, one with the
new behaviour - both running the same 5.1.x version)
--
- Peter Brodersen
of applications will. The
fact date() now tries to be intelligent about it but fails is a real problem.
Just out of curiosity of the scope of this issue... where did the
string IDT come from in the first place?
Any specific distribution? Default OS setting?
--
- Peter Brodersen
reduce the bogus bug submissions in
time.
--
- Peter Brodersen
are when there are many open bugs and a nice developer
decides that he would spend the evening on reviewing/closing these
bugs instead of watching a good movie.
I guess my only real suggestion is that some of the template-answers
could be better worded.
--
- Peter Brodersen
.
--
- Peter Brodersen
. I just want to be
prepared if I ever have to review some code for the purpose of
migrating to PHP6.
--
- Peter Brodersen
rely on (own
variables).
But all in all: very exciting. As mentioned, there really might be a
lot of work regarding the information and transitional help if all
these wishes come true.
--
- Peter Brodersen
of the references-fix, I suppose it's a case of DIYDDIYD.
I agree with Zeev regarding the importance of the wording in the
release notes.
--
- Peter Brodersen
even in safe_mode/open_basedir-restrictions, these new
functions will have pretty small effect unless one works his way
entirely around the session functionality in the first place...
E.g.:
http://basedir.ter.dk/globall.php
--
- Peter Brodersen
the
print_r(glob("{/home/currentuser/,/etc/}*", GLOB_BRACE)) issue combined
with the glob file name disclosure issue)
--
- Peter Brodersen
Hi,
On Mon, 14 Feb 2005 01:56:41 +0100, in php.internals [EMAIL PROTECTED] (Peter
Brodersen) wrote:
http://basedir.ter.dk/globeater.php
http://basedir.ter.dk/globeater.php?debug=1
http://basedir.ter.dk/globeater.phps
Is it really a-okay that a script in pure PHP under
safe_mode-restriction
sysadms and developers
of performing custom, individual workarounds.
Just my 0.02dkk - thanks for listening!
--
- Peter Brodersen
and
0xF7.
That's the nice thing about UTF-8 - no character with code points
above 128 will produce bytes where the uppermost bit is zero (0x00 to
0x7F)
--
- Peter Brodersen
/mod_proxy.html#proxypreservehost
I miss it in Apache1 :) That feature is pushing me towards Apache2.
--
- Peter Brodersen
access to the
entire system]
--
- Peter Brodersen
that it is present and part of the system -
for better and for worse.
By the way, since it's a myth, you might stop repeating the myth,
since no-one else bombastically claimed that Safe mode makes a PHP
installation safe :)
--
- Peter Brodersen
with files, therefor
safe_mode open_basedir checks
* are required.
*/
.. but it only seems to regard storage of cookiefile and
ssl-certificate.
--
- Peter Brodersen
-php.php , but still no reply.
What's the next step for me (besides posting here)?
--
- Peter Brodersen
is disabled (and unimportant, so is magic_quotes_gpc).
--
- Peter Brodersen
(trying not to be too much of a party pooper :)
allow you to hijack that session, since you wouldn't have the original
session name (but only the hashed value).
--
- Peter Brodersen
walking would be possible (as glob() returns false instead
of raising a warning if no file is matched) (2a)
- File names wouldn't be disclosed (2b)
--
- Peter Brodersen
decision whether or not we would like PHP to
behave this way.
(I will resend the post to [EMAIL PROTECTED] later today if necessary)
--
- Peter Brodersen
on warnings?
6. Is there any reason for users to be able to figure out almost any
file name on the system using glob() (which would require less work than
brute force guesses)?
Thanks for reading all of this - and thanks for the hard work developing
PHP :)
--
- Peter Brodersen