RE: [PHP-DEV] PHP audit

2002-03-14 Thread sesser
Hi, due to the fact that I now have a CVS account at the phpaudit project I am able to help on both sides. Of course we would like to have a secure head and 4_2_0 branch but it is understandable that fixing 4.1.2 is the primary goal of the project. First things come first. Anyway during the next

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Andi Gutmans
At 16:16 14/03/2002 +0059, Jedi/Sector One wrote: >On Thu, Mar 14, 2002 at 05:10:38PM +0200, Andi Gutmans wrote: > > Me too. I don't see much reason not to commit directly to PHP, at least > the > > obvious patches. If there are any conceptual changes we should discuss > them > > first. > > Be

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One
On Thu, Mar 14, 2002 at 05:10:38PM +0200, Andi Gutmans wrote: > Me too. I don't see much reason not to commit directly to PHP, at least the > obvious patches. If there are any conceptual changes we should discuss them > first. Because we are working on version 4.1.2 right now. We will switch

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Andi Gutmans
At 15:06 14/03/2002 +0100, [EMAIL PROTECTED] wrote: >On Thu, 14 Mar 2002, Jedi/Sector One wrote: > > > On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote: > > > I thought he was referring to CVS access to the current state > > > of their patch. The website doesn't list any such

Re: [PHP-DEV] PHP audit

2002-03-14 Thread derick
On Thu, 14 Mar 2002, Jedi/Sector One wrote: > On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote: > > I thought he was referring to CVS access to the current state > > of their patch. The website doesn't list any such resource. > > The CVS was just installed a few minutes ag

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One
On Thu, Mar 14, 2002 at 02:53:27PM +0100, Markus Fischer wrote: > I thought he was referring to CVS access to the current state > of their patch. The website doesn't list any such resource. The CVS was just installed a few minutes ago. There's no anonymous access yet. -- __ /*-

Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)

2002-03-14 Thread Wez Furlong
On 14/03/02, "Zeev Suraski" <[EMAIL PROTECTED]> wrote: > We know :) And yet, we always use sizeof(), regardless of whether we feed > it with a type or a value. I meant to say that :) > At 15:34 14/03/2002, Jedi/Sector One wrote: > > The correct sizeof semantics are > > sizeof > > or: >

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Markus Fischer
> > From: Markus Fischer [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 14, 2002 1:43 PM > > To: Jedi/Sector One > > Cc: [EMAIL PROTECTED] > > Subject: Re: [PHP-DEV] PHP audit > > > > > > On Thu, Mar 14, 2002 at 02:30:43PM +0059, Jedi/Sector One wro

RE: [PHP-DEV] PHP audit

2002-03-14 Thread James Cox
fair enough. :) > -Original Message- > From: Zeev Suraski [mailto:[EMAIL PROTECTED]] > Sent: Thursday, March 14, 2002 1:45 PM > To: James Cox > Cc: Jedi/Sector One; [EMAIL PROTECTED] > Subject: RE: [PHP-DEV] PHP audit > > > We decided not to use branches for d

RE: [PHP-DEV] PHP audit

2002-03-14 Thread Zeev Suraski
We decided not to use branches for development at all, only for releases... I think we should stick to it. Zeev At 15:41 14/03/2002, James Cox wrote: > > > > On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote: > > > What's stopping you committing it to cvs.php.net ? > > > > It might b

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Zeev Suraski
At 15:37 14/03/2002, Jedi/Sector One wrote: >On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote: > > What's stopping you committing it to cvs.php.net ? > > It might be better to work on a separate tree, and later let PHP > developers >merge what parts they want to. I think that most pa

RE: [PHP-DEV] PHP audit

2002-03-14 Thread James Cox
http://phpaudit.42-networks.com/ > -Original Message- > From: Markus Fischer [mailto:[EMAIL PROTECTED]] > Sent: Thursday, March 14, 2002 1:43 PM > To: Jedi/Sector One > Cc: [EMAIL PROTECTED] > Subject: Re: [PHP-DEV] PHP audit > > > On Thu, Mar 14, 2002 at 02

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Markus Fischer
On Thu, Mar 14, 2002 at 02:30:43PM +0059, Jedi/Sector One wrote : > >The only comment I have (after this short glance) is that I'd rather see > >sizeof(foo) instead of 'sizeof foo' > > No problem Zeev. All sizeof x (including those we didn't introduce) have > just been replaced by sizeof(x) .

RE: [PHP-DEV] PHP audit

2002-03-14 Thread James Cox
> > On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote: > > What's stopping you committing it to cvs.php.net ? > > It might be better to work on a separate tree, and later let > PHP developers > merge what parts they want to. > > Or maybe we can work on cvs.php.net on a separate branch

Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)

2002-03-14 Thread Zeev Suraski
We know :) And yet, we always use sizeof(), regardless of whether we feed it with a type or a value. Zeev At 15:34 14/03/2002, Jedi/Sector One wrote: >On Thu, Mar 14, 2002 at 01:19:32PM +, Wez Furlong wrote: > > I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo'; > >

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Stanislav Malyshev
JO>> It might be better to work on a separate tree, and later let PHP JO>> developers merge what parts they want to. Why? Your patches then would bit-rot constantly and you would have to update them even though nothing changes, and risk introducing new bugs in transition. -- Stanislav Malyshev

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One
On Thu, Mar 14, 2002 at 01:34:06PM -, James Cox wrote: > What's stopping you committing it to cvs.php.net ? It might be better to work on a separate tree, and later let PHP developers merge what parts they want to. Or maybe we can work on cvs.php.net on a separate branch. -- __ /*

RE: [PHP-DEV] PHP audit

2002-03-14 Thread James Cox
> > We are now working on a CVS tree. If you want access to review or change > things, just ask. > What's stopping you committing it to cvs.php.net ? James Cox -- James Cox :: [EMAIL PROTECTED] :: Landonize It! http://landonize.it/ Was I helpful? http://www.amazon.co.uk/exec/obidos/wishlist

Re: [PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)

2002-03-14 Thread Jedi/Sector One
On Thu, Mar 14, 2002 at 01:19:32PM +, Wez Furlong wrote: > I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo'; > the solution is to always use 'sizeof(struct foo)'. sizeof is incorrect. The correct sizeof semantics are sizeof or: sizeof( ) So

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Jedi/Sector One
>The only comment I have (after this short glance) is that I'd rather see >sizeof(foo) instead of 'sizeof foo' No problem Zeev. All sizeof x (including those we didn't introduce) have just been replaced by sizeof(x) . We are now working on a CVS tree. If you want access to review or change

[PHP-DEV] sizeof foo vs sizeof (foo) (Was Re: [PHP-DEV] PHP audit)

2002-03-14 Thread Wez Furlong
On 14/03/02, "Zeev Suraski" <[EMAIL PROTECTED]> wrote: > The only comment I have (after this short glance) is that I'd rather see > sizeof(foo) instead of 'sizeof foo' (we don't need yet another style in our > code base :), I know of a compiler for the Amiga that doesn't grok 'sizeof struct foo

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Yasuo Ohgaki
Zeev Suraski wrote: > I think their work is a good step that PHP needed for a while. I also > think it's an ongoing project, and not a one-time pass. > > Looking at the patch, the vast majority of changes made don't actually > fix bugs, but rather, implement the same code using 'defensive' >

Re: [PHP-DEV] PHP audit

2002-03-14 Thread Zeev Suraski
I think their work is a good step that PHP needed for a while. I also think it's an ongoing project, and not a one-time pass. Looking at the patch, the vast majority of changes made don't actually fix bugs, but rather, implement the same code using 'defensive' techniques. E.g., use strlcpy()

[PHP-DEV] PHP audit

2002-03-14 Thread Andrew Sitnikov
Hello php-dev, What do you think about this: http://phpaudit.42-networks.com/ Big size of patch does not bring pleasure Best regards, Andrew Sitnikov e-mail : [EMAIL PROTECTED] GSM: (+372) 56491109 -- PHP Development Mailing List To uns

Re: [PHP-DEV] PHP audit project

2002-03-12 Thread Marcus Börger
In addition to Zeev, Hey guys where is your problem if someone wants to infect php code with functions that increase stability of code? The last days I spent much work to get ext/exif working and many problems came from misuse of strxxx functions. Changing to functions like strlcpy makes the co

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Andi Gutmans
And as long as you don't use strncpy() Just kidding :) Andi At 15:31 11/03/2002 +0200, Zeev Suraski wrote: >Frank, > >Don't be discouraged by the feedback here. Your efforts are well >appreciated! You can choose to use whichever functions you deem best, as >long as you're the one doing the

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Andi Gutmans
At 13:21 11/03/2002 +0100, Stefan Esser wrote: >Hi, > >strlcpy and strlcat are inventions of the OpenBSD project. Since they >invented >those they are trying to "infect" other projects. I added them to PHP a long time ago and I have nothing to do with the OpenBSD project. They are extremely usef

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Zeev Suraski
Frank, Don't be discouraged by the feedback here. Your efforts are well appreciated! You can choose to use whichever functions you deem best, as long as you're the one doing the work :) Zeev At 02:23 PM 3/11/2002, Jedi/Sector One wrote: >On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esse

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One
On Mon, Mar 11, 2002 at 01:43:40PM +0100, Stefan Esser wrote: > Sorry, my fault. I have overseen that. I just wanted to clarify what > strlcat and strlcpy are. strlcpy and strlcat are quick and dirty band-aids against buffer overflows. They suck because if a string is truncated, other bad thin

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Stefan Esser
Hi, > PHP is already infected. Sorry, my fault. I have overseen that. I just wanted to clarify what strlcat and strlcpy are. I dislike OpenBSD because of several reasons but this list is not the right place to discuss anything like this. > But that's ok. If you don't want us to work on PHP,

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One
On Mon, Mar 11, 2002 at 01:21:02PM +0100, Stefan Esser wrote: > strlcpy and strlcat are inventions of the OpenBSD project. Since they > invented > those they are trying to "infect" other projects. PHP is already infected. Try to grep for strlcpy and strlcat in the _vanilla_ PHP source code

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Stefan Esser
Hi, strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to "infect" other projects. Stefan -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One
On Mon, Mar 11, 2002 at 01:17:07PM +0100, [EMAIL PROTECTED] wrote: > > Are the strlcpy and strlcat functions (used in the patches) available on > > Linux? > [derick@kossu derick]$ man strlcpy > No manual entry for strlcpy > [derick@kossu derick]$ man strlcat > No manual entry for strlcat PHP de
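The two strlcpy points raised in this thread, Frank's remark that strlcpy/strlcat are band-aids because a truncated string still has to be dealt with, and Derick's note that his Linux box has no man page for them, illustrated with added example code that is not from the thread and not PHP's own code. `my_strlcpy` is a reimplementation with the OpenBSD semantics so the file builds on a libc that lacks strlcpy; the helper names, `BUF_MAX` and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_MAX 64   /* size of the scratch buffers below; chosen for this example */

/* Portable strlcpy with the OpenBSD semantics, written for this example
 * (not PHP's own copy): copy at most dstsize-1 bytes, always NUL-terminate
 * when dstsize > 0, and return strlen(src) so the caller can compare it
 * against dstsize to detect truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy src into a dstsize-byte buffer with strncpy and report whether the
 * result is NUL-terminated: 1 yes, 0 no, -1 if dstsize exceeds the scratch
 * buffer. strncpy writes no terminator when src does not fit, which is why
 * the thread jokes about it. */
int strncpy_terminates(const char *src, size_t dstsize)
{
    char buf[BUF_MAX];
    if (dstsize == 0 || dstsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);          /* poison so a missing NUL is visible */
    strncpy(buf, src, dstsize);
    return memchr(buf, '\0', dstsize) != NULL;
}

/* Copy with my_strlcpy and report truncation: 1 if src did not fit (the
 * buffer holds a NUL-terminated prefix), 0 if it fit, -1 if dstsize exceeds
 * the scratch buffer. The terminator is guaranteed either way; deciding what
 * a truncated value means (reject, log, fall back) is still the caller's job,
 * which is the "band-aid" point made in the thread. */
int strlcpy_truncated(const char *src, size_t dstsize)
{
    char buf[BUF_MAX];
    if (dstsize == 0 || dstsize > sizeof buf)
        return -1;
    return my_strlcpy(buf, src, dstsize) >= dstsize;
}

/* Return 1 if copying src into a dstsize-byte buffer with my_strlcpy yields
 * exactly `expect`, 0 otherwise, so the kept prefix can be inspected. */
int strlcpy_result_is(const char *src, size_t dstsize, const char *expect)
{
    char buf[BUF_MAX];
    if (dstsize == 0 || dstsize > sizeof buf)
        return 0;
    my_strlcpy(buf, src, dstsize);
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    const char *fits = "hi";                       /* constructed sample input */
    const char *toolong = "definitely too long";   /* constructed sample input */
    char out[8];

    printf("strncpy, fits:     terminated=%d\n", strncpy_terminates(fits, sizeof out));
    printf("strncpy, too long: terminated=%d\n", strncpy_terminates(toolong, sizeof out));

    size_t need = my_strlcpy(out, toolong, sizeof out);
    if (need >= sizeof out)
        printf("strlcpy truncated: needed %zu bytes, kept \"%s\"\n", need, out);
    return 0;
}
```

The check that matters in practice is the comparison of the return value against the buffer size: a caller that ignores it gets a silently shortened value, which is exactly the "other bad things" Frank alludes to, so every strlcpy call in hardening work should be paired with a decision about what happens on truncation.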

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread derick
On Mon, 11 Mar 2002, David Eriksson wrote: > On Mon, 11 Mar 2002, Jedi/Sector One wrote: > > > The goal is to help the PHP development, not to keep the patches > > separate, only for OpenBSD. There are some OpenBSD enhancements, but they > > are all surrounded with #ifdef __OpenBSD__ . We do

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread David Eriksson
On Mon, 11 Mar 2002, Jedi/Sector One wrote: > The goal is to help the PHP development, not to keep the patches > separate, only for OpenBSD. There are some OpenBSD enhancements, but they > are all surrounded with #ifdef __OpenBSD__ . We don't want to break > portability, nor to release someth

[PHP-DEV] PHP audit project

2002-03-11 Thread Jedi/Sector One
Hello. This is Frank from the PHP audit project. Here are some clarifications. We are working on PHP 4.1.2 because we want to quickly release a patch with basic hardening. Because of the recent vulnerabilities discovered by Stefan, chances are that a lot of kiddies are also