[PHP-DEV] DIME support class added

2002-05-12 Thread Shane Caraveo
I added Net_DIME today to PEAR, it's a rough implementation of DIME. It's quite unfinished/undocumented and not all the spec is in place on it, but I thought I'd mention it since there's a few things I'd like to do to it, and if anyone wants to jump in that would be very cool. I haven't teste

Re: [PHP-DEV] [PATCH] Fix bundle compilation on Darwin for Apache 2.0

2002-05-12 Thread Justin Erenkrantz
On Mon, May 13, 2002 at 09:04:36AM +0300, Marko Karppinen wrote: > I have been quite happy to have finally got rid of libtool on our links, > however! I'd much prefer committing the rest of your patch and waiting for > the first bug report about libtool-specific dependencies. > > The problem is t

Re: [PHP-DEV] [PATCH] Fix bundle compilation on Darwin for Apache2.0

2002-05-12 Thread Marko Karppinen
> This patch does two things that should only be Darwin specific: > - Call apr-config and apu-config to determine the link information > for the requisite libraries so that they can be self-contained. > - Modifies the libphp4.bundle target to allow linking with libtool. > Since ap{ru}-config *may*

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Jason Greene
On Mon, 2002-05-13 at 00:41, Ilia A. wrote: > > disable_functions = sleep > > Ah but you forgot usleep, and flock() and socket_set_limit etc... > Soon enough you'll disable every function. Not likely, and I wouldn't disable every single function. You complained about the ability, I provided you

Re: [PHP-DEV] [PATCH] Prefer glibtool over libtool (resend)

2002-05-12 Thread Marko Karppinen
> (This is a resend of an earlier patch.) > > It switches to preferring glibtool over libtool so that we can > correctly run buildconf on Darwin. Since Darwin comes with a libtool > but not the GNU libtool, we should try glibtool first. Since libtool > exists, we don't look for glibtool and the

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Ilia A.
> disable_functions = sleep Ah but you forgot usleep, and flock() and socket_set_limit etc... Soon enough you'll disable every function. And when you do, I'll still be able to deadlock a PHP process by making it execute a query on a locked SQL table, thus end up waiting forever for the lock to

[PHP-DEV] [PATCH] Prefer glibtool over libtool (resend)

2002-05-12 Thread Justin Erenkrantz
(This is a resend of an earlier patch.) It switches to preferring glibtool over libtool so that we can correctly run buildconf on Darwin. Since Darwin comes with a libtool but not the GNU libtool, we should try glibtool first. Since libtool exists, we don't look for glibtool and then when we tr

[PHP-DEV] [PATCH] Fix bundle compilation on Darwin for Apache 2.0

2002-05-12 Thread Justin Erenkrantz
This patch adds support for Darwin bundles for the apache2filter module. I brought up extending apxs to allow building self-contained libraries on the dev@httpd lists to no answer. Since Darwin is a special case that requires self-contained libraries (unless using a flat namespace), I don't thin

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Jason Greene
On Sun, 2002-05-12 at 23:38, Ilia A. wrote: > > Really, what is that line? > > sleep(1000); > > If you insist on being creative you can use file locking or sockets to get the > process into uninterruptible sleep. > > > I would take a bet that it probably has > > nothing to do with safe m

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Ilia A.
> Really, what is that line? sleep(1000); If you insist on being creative you can use file locking or sockets to get the process into uninterruptible sleep. > I would take a bet that it probably has > nothing to do with safe mode, and would work regardless of it being in > the language..

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Jason Greene
On Sun, 2002-05-12 at 22:46, Ilia A. wrote: > > However, quite frankly, this is a lame attack, because all it will do is > > consume file descriptors for only the CHILD process the script is > > running in. The script will then hit the fd limit of the child process > > (most systems around 255 is

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Ilia A.
> However, quite frankly, this is a lame attack, because all it will do is > consume file descriptors for only the CHILD process the script is > running in. The script will then hit the fd limit of the child process > (most systems around 255 is the default) This will not hurt the process, > becau

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Jason Greene
> while(1) fopen(rand(), "w"); > > After a few seconds depending on system speed system will run out of file > pointers. I am sure you can see how that would be BAD. You are _extremely_ incorrect. The previously mentioned code would open 1 file descriptor repeatedly until the script hit max ex

Re: [PHP-DEV] PATCH - improvements for imap_headerinfo() (fwd)

2002-05-12 Thread Jon Parise
On Mon, May 13, 2002 at 12:35:12AM +0300, Jani Taskinen wrote: Reviewed and committed. - Jon > >Can you check this patch too? :) > >--Jani > > -- Forwarded message -- > Date: 24 Apr 2002 15:02:45 -0400 > From: Adam Kauffman <[EMAIL PROTECTED]> > To: Jani Taskinen <

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Rasmus Lerdorf
> > 2. Pitch in and get Apache 2's perchild mpm up to snuff. There are > >all sorts of other issues associated with this option though, like > >needing to make sure all the stuff we link against is threadsafe. > > Actually this isn't as bad as it sounds. I've been doing some of the > work

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Shane Caraveo
FastCGI can provide the security needed in shared environments, without losing all the performance. I don't believe it is as fast as direct server plugins, but there are other benefits...such as running PHP single threaded to avoid thread issues. It would be nice to see it become a standard co

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Aaron Bannert
On Sun, May 12, 2002 at 02:52:24PM -0700, Rasmus Lerdorf wrote: ... > 2. Pitch in and get Apache 2's perchild mpm up to snuff. There are >all sorts of other issues associated with this option though, like >needing to make sure all the stuff we link against is threadsafe. Actually this is

[PHP-DEV] Session question/bug?

2002-05-12 Thread brad lafountain
I was looking at the functionality of session_unset. Currently if register globals is on it will get rid of all variables and it also clears out PS(http_session_vars).. should it also get rid of PS(vars)? I have a script that changes the session id a few times throughout the life of the script.

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Ilia A.
It may not be the fastest solution, but certainly a secure one. It is up to each admin to decide whether they want speed or security, I am sure the security minded ISPs probably would prefer a small performance loss over security & integrity of their customer's data. Ilia On May 12, 2002 05:4

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

2002-05-12 Thread Ilia A.
Maybe creating a php.ini option like "disable_ini" where the admin can list the ini options that can be or cannot be set by users. Of course certain options like "child_terminate" should be disabled by default. Btw the "child_terminate" which allows the user to kill the current apache child is

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Rasmus Lerdorf
Instead of just giving up on the problem, perhaps we should go into full attack mode. I see a couple of choices (and there are probably others): 1. Review and push open_basedir as the PHP-based jail mechanism 2. Pitch in and get Apache 2's perchild mpm up to snuff. There are all sorts of ot

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Rasmus Lerdorf
Ok, but dropping to CGI is kind of crappy. Especially on a really busy server. On 12 May 2002, Stig S. Bakken wrote: > Well, as long as there is exec(2), there is a way. How many users do > Lycos Europe provide sandboxed PHP for? > > - Stig > > On Sun, 2002-05-12 at 23:37, Rasmus Lerdorf wrot

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Stig S. Bakken
Well, as long as there is exec(2), there is a way. How many users do Lycos Europe provide sandboxed PHP for? - Stig On Sun, 2002-05-12 at 23:37, Rasmus Lerdorf wrote: > But for really large shared hosts, I don't think that is feasible. How > are you going to set up 100,000 prisons on a server? >

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Rasmus Lerdorf
But for really large shared hosts, I don't think that is feasible. How are you going to set up 100,000 prisons on a server? > I'm +1 on removing safe mode in PHP 5, and encourage the use of > system-level sandboxes/prisons instead. > > - Stig > > On Sat, 2002-05-11 at 17:39, Ilia A. wrote: > > In

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

2002-05-12 Thread Rasmus Lerdorf
Right, but it would seem like we need a bit of a general purpose check on ini_set() from userspace. There are probably other directives that we may not want to allow or at least want to check from safe_mode. But yes, that's the code I was looking at. I think we should apply the safe-mode restri

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

2002-05-12 Thread Zeev Suraski
We can check it at the ini handler level. We can either forbid modifying error_log from userspace (denying PHP_INI_USER), deny it only in safe mode, or even apply the safe mode restriction at that level. At 00:25 13/05/2002, Rasmus Lerdorf wrote: >Not quite sure how to fix this one. It's not

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Stig S. Bakken
I'm +1 on removing safe mode in PHP 5, and encourage the use of system-level sandboxes/prisons instead. - Stig On Sat, 2002-05-11 at 17:39, Ilia A. wrote: > In the process of writing an installer in PHP for one of my projects I've come > in contact with a number of servers running PHP with saf

[PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

2002-05-12 Thread Rasmus Lerdorf
Not quite sure how to fix this one. It's not like we can simply check before we open the error_log file in general, because that might be set by the server admin, it is only if the user tries to redefine where this error logfile should be that we want to apply the safe-mode restriction. Even if w

Re: [PHP-DEV] [PATCH] IMAP module efficiency improvements

2002-05-12 Thread Jon Parise
On Fri, May 10, 2002 at 02:49:12PM -0400, Rob Siemborski wrote: > Last summer I sent in some patches to speed up the IMAP module's dealing > with large mailboxes. At the time I noted that there were similar > problems with other parts of the module, but I didn't have time to fix > them then. >

RE: [PHP-DEV] Getting posted variable

2002-05-12 Thread Pierre-Alain Joye
You are on the wrong list; please subscribe at http://fr2.php.net/mailing-lists.php -> General user list. See you, pa > -Original Message- > From: Stephane Tirard [mailto:[EMAIL PROTECTED]] > Sent: lundi 13 mai 2002 00:22 > To: [EMAIL PROTECTED] > Subject: [PHP-DEV] Getting posted vari

[PHP-DEV] Getting posted variable

2002-05-12 Thread Stéphane Tirard
Hello, I would like to know how I can reach the posted variables, the ones included in the HTTP_POST_VARS array, outside the php page. In fact I would like to do something like: MyPhpPbject ->getPostedVar(); The getPostedVars would be located in an included file. instead of MyVar->var1 = HTTP_

Re: [PHP-DEV] Segfault in current HEAD

2002-05-12 Thread Zeev Suraski
At 21:33 12/05/2002, Sebastian Bergmann wrote: >Zeev Suraski wrote: > > This trace isn't meaningful... > > I know. How would I produce a more useful one? It's probably not possible - the best thing to do is to try to cut down the script to the smallest one that still demonstrates the crash. Z

Re: [PHP-DEV] Segfault in current HEAD

2002-05-12 Thread Sebastian Bergmann
Zeev Suraski wrote: > This trace isn't meaningful... I know. How would I produce a more useful one? -- Sebastian Bergmann http://sebastian-bergmann.de/ http://phpOpenTracker.de/ Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/ -- PHP Development

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

2002-05-12 Thread Sebastian Bergmann
Jan Lehnardt wrote: > you want to have --with-mysql=/path/to and --disable-mysql as the two > options ? Never mind, I forgot about --with-mysql=/path/to. -- Sebastian Bergmann http://sebastian-bergmann.de/ http://phpOpenTracker.de/ Did I help you? Consider a gift: http:

Re: [PHP-DEV] Segfault in current HEAD

2002-05-12 Thread Zeev Suraski
This trace isn't meaningful... At 20:36 12/05/2002, Sebastian Bergmann wrote: > Can't tell how to reproduce this, it occurs when working with Harald's > form validation system, which is built on top of PEAR::XML_Transformer: > >NTDLL! 778cb892() >NTDLL! 778cb733() >shutdown_memory_manager(int

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

2002-05-12 Thread Jan Lehnardt
Hi, On Sun, 12 May 2002 19:33:13 +0200 Sebastian Bergmann <[EMAIL PROTECTED]> wrote: > Shouldn't '--without-mysql' be renamed to '--disable-mysql' then? you want to have --with-mysql=/path/to and --disable-mysql as the two options ? -1 Jan -- Q: Thank Jan? A: http://geschenke.an.dasmoped.net/

[PHP-DEV] Segfault in current HEAD

2002-05-12 Thread Sebastian Bergmann
Can't tell how to reproduce this, it occurs when working with Harald's form validation system, which is built on top of PEAR::XML_Transformer: NTDLL! 778cb892() NTDLL! 778cb733() shutdown_memory_manager(int 0, int 0, void * * * 0x00b328d8) line 468 + 60 bytes php_request_shutdown(void * 0x000

[PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

2002-05-12 Thread Sebastian Bergmann
Sascha Schumann wrote: > WITH is solely for the purpose of pointing to paths and other external > entities. > > Note that the comment has always mentioned "--disable-mbstring" which > clearly refers to enable and not with. Shouldn't '--without-mysql' be renamed to '--disable-mysql' then? --

Fwd: Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
I messed up on the test, I left output buffering enabled for tests 2 and 3. So you can see that using output buffering on top of the global output buffering (whether specialized or not) slows you down by about 30%. However, to be fair, the numbers w/o global output buffering enabled: Speciali

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
At 19:00 12/05/2002, Sascha Schumann wrote: > > Again, I fail to understand the logic behind it. I'll change the space > > handling code to your method (which is indeed nicer); Why on earth would > > we need to have a stupid HTML printout function as a function pointer? > > If you would also

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
> Ok, so I'll use your method. By the way, there was nothing inherent in the > two places you used 'inherent', on this topic :) php_html_puts is simple, consistent and easy to follow. These are its essential characteristics, and thus they are inherent. But I digress. > Again, I fai

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
At 18:34 12/05/2002, Sascha Schumann wrote: > I favor php_html_puts also due to maintainability reasons. > Please consider this part of code from zend_html_puts: > > && !(((ptr+1)>=end) || (*(ptr+1)==' ')) /* next is not a space */ > && !((ptr==s) || (*(ptr-1)==' ')))

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
I favor php_html_puts also due to maintainability reasons. Please consider this part of code from zend_html_puts: && !(((ptr+1)>=end) || (*(ptr+1)==' ')) /* next is not a space */ && !((ptr==s) || (*(ptr-1)==' '))) /* last is not a space */ { And contrast it with

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
I'd *really* like to avoid having two copies of the same code, though. Please remove the duplicated implementation... Zeev At 18:24 12/05/2002, Sascha Schumann wrote: > > What I'm pointing out is that there are no 'inherent flaws' in the 'dog > > slow' implementation that we already had for a

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
At 18:24 12/05/2002, Sascha Schumann wrote: > - it is buffering as you already noted without having to rely > on the huge output-buffering infrastructure. I have not > benchmarked it, but I do assume that it is noticeably slower > than php_html_puts. > > - it is faster du

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
> What I'm pointing out is that there are no 'inherent flaws' in the 'dog > slow' implementation that we already had for a couple of years. If you > want to add buffering, we can add buffering. There's no point in adding a > specialized buffered implementation. Well, php_html_puts has sever

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
At 17:58 12/05/2002, Sascha Schumann wrote: > > What inherent flaws? So far, the only difference between them that I could > > spot was that php_html_puts() was buggy, and did not convert series of > > spaces into &nbsp;'s. Otherwise, the only difference was the use of > > buffering. I may have miss

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
> What inherent flaws? So far, the only difference between them that I could > spot was that php_html_puts() was buggy, and did not convert series of > spaces into &nbsp;'s. Otherwise, the only difference was the use of > buffering. I may have missed something, though. That is not buggy, althou

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
At 17:43 12/05/2002, Sascha Schumann wrote: > I've just noticed that you have kicked out the premier > implementation of the same functionality in favor of the dog > slow old one. I almost missed those idyllic descriptions :) > Note that relying on output buffering alone is infer

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
On Sun, 12 May 2002, Zeev Suraski wrote: > Hmm, then it could be fixed, but we shouldn't introduce a new implementation. > Assuming you refer to the large number of output calls, they can be saved > using output buffering - implementing localized buffering in every place is I've just noticed

[PHP-DEV] mime help!

2002-05-12 Thread Robert Ruddy
OK, I have a script that is supposed to decode base64, the thing that it's decoding is an email, HTML encoded. For some odd reason it just puts the message into funny characters. Does anyone know where I could get a tutorial maybe on this subject if nobody wanted to help me. All help is apprecia

Re: [PHP-DEV] Safe Mode

2002-05-12 Thread Ilia A.
On May 11, 2002 06:56 pm, Chand wrote: > The solution we've chosen is to have a cgi php binary instead of a > module for security stuff. The main reason to do so was to have the > user-created file have the user's uid. We had to suid the php binary and > setuid() the process to the script's uid,

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Zeev Suraski
Hmm, then it could be fixed, but we shouldn't introduce a new implementation. Assuming you refer to the large number of output calls, they can be saved using output buffering - implementing localized buffering in every place is not a good way to go by. I'm not sure output buffering was already

[PHP-DEV] CVS Account Request: kai

2002-05-12 Thread Kai Liki
I need access to "phpdoc" CVS repository for help with translating PHP manual into Russian. -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Re: Any idea why we have two html_puts()'s?

2002-05-12 Thread Sascha Schumann
The zend-equivalent is painfully slow. - Sascha Experience IRCG http://schumann.cx/ http://schumann.cx/ircg