Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Tue, Aug 6, 2013 at 4:33 AM, Arpad Ray wrote: > Hi Stas, > > On Mon, Aug 5, 2013 at 8:23 PM, Stas Malyshev wrote: > >> > I'm not going to repeat my arguments against the committed solution yet >> > again, but I really think we need a better one. >> >> You are free to propose a bette

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Tue, Aug 6, 2013 at 4:17 AM, Arpad Ray wrote: > On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki wrote: > >> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray wrote: >> >>> I think there really should be a vote. >> >> >> This means you don't really understand the true risk of this >> vulnera

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi Stas, On Mon, Aug 5, 2013 at 8:23 PM, Stas Malyshev wrote: > > I'm not going to repeat my arguments against the committed solution yet > > again, but I really think we need a better one. > > You are free to propose a better one. Since this topic has been > discussed for almost 2 years and nobo

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Stas Malyshev
Hi! > I'm not going to repeat my arguments against the committed solution yet > again, but I really think we need a better one. You are free to propose a better one. Since this topic has been discussed for almost 2 years and nobody has come up with anything better, as far as I know, I think it is reason

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi Yasuo, On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki wrote: > On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray wrote: > >> I think there really should be a vote. > > > This means you don't really understand the true risk of this vulnerability. > It allows permanent session ID fixation. This is CVE

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray wrote: > I think there really should be a vote. This means you don't really understand the true risk of this vulnerability. It allows permanent session ID fixation. This is a CVE-assigned vulnerability. Details are explained in the RFC and I d

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi Yasuo, On Mon, Aug 5, 2013 at 11:38 AM, Yasuo Ohgaki wrote: > On Mon, Aug 5, 2013 at 7:26 PM, Arpad Ray wrote: > >> Could you point me to where this was decided please? I don't see a vote >> or anything like a consensus in the previous threads. > > > There isn't a vote for this RFC since this

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Mon, Aug 5, 2013 at 7:26 PM, Arpad Ray wrote: > Could you point me to where this was decided please? I don't see a vote or > anything like a consensus in the previous threads. There isn't a vote for this RFC since this is security. It's also a consensus. The main thread is this. It

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi Yasuo, On Mon, Aug 5, 2013 at 11:10 AM, Yasuo Ohgaki wrote: > > On Mon, Aug 5, 2013 at 7:05 PM, Arpad Ray wrote: > >> I'm not against the idea in principle but still think having a security >> feature which just quietly fails if you're not using one of two modified >> handlers is really not g

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Mon, Aug 5, 2013 at 7:05 PM, Arpad Ray wrote: > I'm not against the idea in principle but still think having a security > feature which just quietly fails if you're not using one of two modified > handlers is really not good. > > I also think there's no great rush to add this, becau

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi Yasuo, On Mon, Aug 5, 2013 at 10:50 AM, Yasuo Ohgaki wrote: > On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray wrote: > >> I thought we were in agreement about doing this properly in PHP.next? My >> arguments against this version of the patch still stand: > > > We had a long discussion and decided to

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Yasuo Ohgaki
Hi Arpad, On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray wrote: > I thought we were in agreement about doing this properly in PHP.next? My > arguments against this version of the patch still stand: We had a long discussion and decided to apply it to maintained branches as a security enhancement more than a y

Re: [PHP-DEV] Session Id Collisions

2013-08-05 Thread Arpad Ray
Hi, On Mon, Aug 5, 2013 at 2:01 AM, Yasuo Ohgaki wrote: > Thank you for noticing the crash. Data can be null, so the fix is OK. > Removing the limitation that prohibits setting session ID is fine for me, > too. > > Please, apply your patch. I thought we were in agreement about doing this properly

Re: [PHP-DEV] Session Id Collisions

2013-08-04 Thread Yasuo Ohgaki
Hi Stas, On Mon, Aug 5, 2013 at 9:45 AM, Stas Malyshev wrote: > >> https://github.com/php/php-src/pull/368 > >> https://github.com/php/php-src/pull/367 > >> https://github.com/php/php-src/pull/366 > > I've amended your patch slightly: > https://github.com/php/php-src/pull/401 > > and it looks fin

Re: [PHP-DEV] Session Id Collisions

2013-08-04 Thread Stas Malyshev
Hi! >> https://github.com/php/php-src/pull/368 >> https://github.com/php/php-src/pull/367 >> https://github.com/php/php-src/pull/366 I've amended your patch slightly: https://github.com/php/php-src/pull/401 and it looks fine to me now. What do you think, is it OK with you? -- Stanislav Malyshe

Re: [PHP-DEV] Session Id Collisions

2013-08-04 Thread Stas Malyshev
Hi! > Sorry for the long delay, I've sent pull requests > > https://github.com/php/php-src/pull/368 > https://github.com/php/php-src/pull/367 > https://github.com/php/php-src/pull/366 I'm looking at the pulls, and I see these issues: 1. session_id is still banned in strict mode. Can we not ban

Re: [PHP-DEV] Session Id Collisions

2013-06-28 Thread Stas Malyshev
Hi! > Sorry for the delay. > I've finally updated the strict session patch. I'll review it ASAP, probably on the weekend. Unfortunately, we've missed the window for 5.5 API changes, if there's any API change, but we can still do it in master. -- Stanislav Malyshev, Software Architect SugarCRM:

Re: [PHP-DEV] Session Id Collisions

2013-06-27 Thread Yasuo Ohgaki
Hi Arpad, 2013/6/27 Arpad Ray > I see the strict mode check is now implemented in the handlers and not > session.c, presumably to keep ABI, but this means code is duplicated and > the setting only actually works if the handler supports it. It's > unfortunate timing since 5.5 has just gone, but I

Re: [PHP-DEV] Session Id Collisions

2013-06-27 Thread Arpad Ray
On Thu, Jun 27, 2013 at 1:36 AM, Yasuo Ohgaki wrote: > Hi, > > Sorry for the long delay, I've sent pull requests > > https://github.com/php/php-src/pull/368 > https://github.com/php/php-src/pull/367 > https://github.com/php/php-src/pull/366 > > Hi, I see the strict mode check is now implemented

Re: [PHP-DEV] Session Id Collisions

2013-06-26 Thread Yasuo Ohgaki
Hi, Sorry for the long delay, I've sent pull requests https://github.com/php/php-src/pull/368 https://github.com/php/php-src/pull/367 https://github.com/php/php-src/pull/366 Thank you for your time. -- Yasuo Ohgaki yohg...@ohgaki.net 2012/12/24 Yasuo Ohgaki > Hi Stas and others, > > Sorry

Re: [PHP-DEV] Session Id Collisions

2012-12-23 Thread Yasuo Ohgaki
Hi Stas and others, Sorry for the delay. I've finally updated the strict session patch. The following diff is against PHP-5.3, but 5.4 and others will be mostly the same. https://github.com/yohgaki/php-src/commit/42dcd8ef7cd2f9f2071b16586822dadd647c96ef I promised to create a separate patch for

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Yasuo Ohgaki
Hi, 2012/8/27 Stas Malyshev : > Hi! > >> It seems I've already added collision detection when I >> last updated :) >> >> It tries to generate a new session ID a few times and >> if it fails, it does not initialize the session. > > It'd be nice if we could keep it separate. Could you create a pull that >

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Stas Malyshev
Hi! > It seems I've already added collision detection when I > last updated :) > > It tries to generate a new session ID a few times and > if it fails, it does not initialize the session. It'd be nice if we could keep it separate. Could you create a pull that includes only the strict session functiona

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Yasuo Ohgaki
Hi, 2012/8/27 Stas Malyshev : > Hi! > > Thank you for the links! > >> master >> https://gist.github.com/1379668 >> >> 5.4 >> https://gist.github.com/2224196 >> >> 5.3 >> https://gist.github.com/2224360 > > I think patch of this magnitude is not a good idea for 5.3. As for the > rest, it'd be much

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Yasuo Ohgaki
Hi, 2012/8/27 Yasuo Ohgaki : > Hi, > > 2012/8/26 Stas Malyshev : >> Hi! >> >>> What's the status of the session adoption patch? >>> I've created patches for all 3 versions and I think Stas >>> is going to merge it to master and PHP 5.4. >> >> As far as I remember there were some things that needed to

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Stas Malyshev
Hi! Thank you for the links! > master > https://gist.github.com/1379668 > > 5.4 > https://gist.github.com/2224196 > > 5.3 > https://gist.github.com/2224360 I think patch of this magnitude is not a good idea for 5.3. As for the rest, it'd be much easier to track and comment on if you could crea

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Yasuo Ohgaki
Hi, 2012/8/26 Stas Malyshev : > Hi! > >> What's the status of the session adoption patch? >> I've created patches for all 3 versions and I think Stas >> is going to merge it to master and PHP 5.4. > > As far as I remember there were some things that needed to be > refactored/changed and I didn't see

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Yasuo Ohgaki
Hi, 2012/8/26 Stas Malyshev : > Hi! > >> I know session ID collision will most likely not happen, but >> there are a few people who worry about collisions. We can check >> for session ID collision when it is generated. > > You mean two randomly generated session IDs colliding? I think the > probability of it

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Stas Malyshev
Hi! > I know session ID collision will most likely not happen, but > there are a few people who worry about collisions. We can check > for session ID collision when it is generated. You mean two randomly generated session IDs colliding? I think the probability of it is pretty low. I mean it'd take PHP's ran

Re: [PHP-DEV] Session Id Collisions

2012-08-26 Thread Stas Malyshev
Hi! > What's the status of the session adoption patch? > I've created patches for all 3 versions and I think Stas > is going to merge it to master and PHP 5.4. As far as I remember there were some things that needed to be refactored/changed and I didn't see the updates since then, but if you could p

Re: [PHP-DEV] Session Id Collisions

2012-08-25 Thread Yasuo Ohgaki
2012/8/26 Ferenc Kovacs : > > > On Sat, Aug 25, 2012 at 4:47 AM, Yasuo Ohgaki wrote: >> >> Hi, >> >> I was willing to add collision detection to the session module >> after the session adoption patch is merged. >> >> What's the status of the session adoption patch? >> I've created patches for all 3 versions a

Re: [PHP-DEV] Session Id Collisions

2012-08-25 Thread Ferenc Kovacs
On Sat, Aug 25, 2012 at 4:47 AM, Yasuo Ohgaki wrote: > Hi, > > I was willing to add collision detection to the session module > after the session adoption patch is merged. > > What's the status of the session adoption patch? > I've created patches for all 3 versions and I think Stas > is going to merge it t

Re: [PHP-DEV] Session Id Collisions

2012-08-24 Thread Yasuo Ohgaki
Hi, I was willing to add collision detection to the session module after the session adoption patch is merged. What's the status of the session adoption patch? I've created patches for all 3 versions and I think Stas is going to merge it to master and PHP 5.4. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net

Re: [PHP-DEV] Session Id Collisions

2012-08-23 Thread Sherif Ramadan
> Hi Rasmus, > > Many thanks for the information. > > It would be great if this information can be added to the docs: > > http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file > > > Please open a documentation bug at https://bugs.php.net/ for this so that we have a recor

Re: [PHP-DEV] Session Id Collisions

2012-08-23 Thread Raymond Irving
Hi Rasmus, Many thanks for the information. It would be great if this information can be added to the docs: http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file __ Raymond On Thu, Aug 23, 2012 at 10:03 AM, Rasmus Lerdorf wrote: > On 08/22/2012 09:48 PM, Raymond I

Re: [PHP-DEV] Session Id Collisions

2012-08-23 Thread Rasmus Lerdorf
On 08/22/2012 09:48 PM, Raymond Irving wrote: > Hello Everyone, > > I've been reading that it's possible to encounter session id collisions > with the default php configuration. It's also been said that PHP utilizes a > cryptographically weak random number generator to > produce session ID informa

[PHP-DEV] Session Id Collisions

2012-08-22 Thread Raymond Irving
Hello Everyone, I've been reading that it's possible to encounter session id collisions with the default php configuration. It's also been said that PHP utilizes a cryptographically weak random number generator to produce session ID information. I know it's possible to change the hash function a