On Tue, Nov 23, 2004 at 12:55:16PM -0600, William Rowe wrote:
> What I questioned was why we were doing the security validation
> of PHP when it's outside the scope of httpd, or isn't due to some
> interaction with httpd.

This is true for most of the functional tests of PHP in t/php/ which Covalent donated. I don't necessarily disagree, but I do find it useful. Possibly these tests could go in the PHP test suite as well, I'm not sure. If that's your itch...

> I also questioned shoving scary security/CAN-2004-xxxx.t failures
> at our users. FIRST this should never have been in security/ -
> it should have been a php/ test. Again, this is not our security
> incident within httpd.

I don't really care either way, smells like a freshly painted bikeshed to me ;)

> Second, whenever we fail any CAN-2004-xxxx.t we must direct the
> user to some patch where they can remedy the situation. I'm sort
> of laughing that I spent 4 hours yesterday researching two vulns
> that many other engineers had spent 4 hours researching. The
> laughable thing - show me on www.php.net where they call out any
> patches for 4.3.x to these two incidents?

They don't, it was fixed silently, I mailed them about that but they didn't seem inclined to do anything about it. If you want to follow up on that some more, great, but ranting about it here won't make much difference.

joe