-- Kevin McArthur <[EMAIL PROTECTED]> wrote
(on Tuesday, 10 June 2008, 12:31 PM -0700):
> No one's blaming anyone for the code, it's what the response is, and  
> will be. Bugs will happen... but will backports? If you search the lists  
> you'll find numerous attempts to get a security policy discussion  
> started, and it never goes anywhere.
>
> So let's get somewhere already.
>
> How is the project going to respond to a validator that is letting  
> tainted information into applications. Maybe Matthew, as architect, can  
> respond on what Zend is doing to address this and other security  
> disclosures with the framework?
>
> Kevin
>
> P.S. Far from complaining without action, I've tried to get this subject  
> addressed, proactively, numerous times. I've been critical of the SVN  
> externals distribution, critical of attempts to get a Zend Framework  
> 'package' released for Linux distributions, and I've always brought up  
> security issues with the development team as I've found them. We need  
> some leadership and responsibility from Zend on the security policy.

Kevin, I've been on fw-general since day one, and I do not recall any
serious or repeated attempts to discuss the subject. Admittedly, until
the past six months, ZF was not my full-time job, and it may have
slipped under the radar, but I'm sure I would recollect something this
serious.

As to our policy: get the issue fixed ASAP, and issue a point release.
Patches are available via the repo browser, and we will likely post
links and/or instructions on how to grab a patch or patched file.
Response time will be based on the severity of the vulnerability, but
the above is the policy. Regardless of severity, an issue is always
entered in the tracker, to ensure that it is reported in our changelogs.

I welcome you to email me directly with your concerns, or to start a new
thread with them. I'm particularly curious what your concerns are
regarding distro-specific packages. Regarding usage of svn:externals,
this is an optional way to grab ZF, and I'm also curious what issues you
see with it.

> Thomas Weidner wrote:
>> I'm not the one to blame as I am not the author of Zend_Validate.
>>
>> But I think it's always better to write an issue regardless of what the  
>> type is set "new" or "improvement" or "bug" or "problem" or  
>> "whatever", than discussing here how the author meant his 
>> implementation.
>>
>> Maybe he made a problem in the api doc, maybe in his implementation.
>> Only the author knows this.
>>
>> Related to your PS, this shows only that the author has not written the  
>> right unit tests. Because this is true for this particular component  
>> does not mean that it's true for the complete framework.
>> But it's always easier to complain about the failures of others. I  
>> understand this. :-)
>>
>> Greetings
>> Thomas Weidner, I18N Team Leader, Zend Framework
>> http://www.thomasweidner.com
>>
>> ----- Original Message ----- From: "Kevin McArthur" <[EMAIL PROTECTED]>
>> Cc: <[email protected]>
>> Sent: Tuesday, June 10, 2008 8:39 PM
>> Subject: Re: [fw-general] Zend_Validate_Ip
>>
>>
>>> If invalid ip strings are confirmed as passing validation then this  
>>> should not be logged as a 'new feature' request, but something  
>>> handled by whomever is considered the security team these days --  
>>> probably with a quick point/patch release and a security advisory.
>>>
>>> The downstream implications of _any_ failing validator are very  
>>> serious. I've not looked at this specific validator, but if it's  
>>> allowing extra string data into a valid context, it could lead to  
>>> exploitable circumstances [sql injection, buffer overrun, etc]
>>>
>>> Kevin
>>>
>>> P.S. This issue, again, underscores how the project does not have  
>>> sufficient policy in place for security issues and patch 
>>> distribution.
>>>
>>> Thomas Weidner wrote:
>>>> Feel free to add a feature request to jira for this new feature.
>>>> http://framework.zend.com/issues/browse/ZF
>>>>
>>>> Greetings
>>>> Thomas Weidner, I18N Team Leader, Zend Framework
>>>> http://www.thomasweidner.com
>>>>
>>>> ----- Original Message ----- From: "Joachim Knust"  
>>>> <[EMAIL PROTECTED]>
>>>> To: <[email protected]>
>>>> Sent: Tuesday, June 10, 2008 5:44 PM
>>>> Subject: [fw-general] Zend_Validate_Ip
>>>>
>>>>
>>>>> Hello!
>>>>>
>>>>> I'd like to use Zend_Validate_Ip to check if some input strings 
>>>>> are - surprise - valid IP addresses. When I got some problems 
>>>>> with strings like "192.168.34" or "192.168.34.234       asdf" 
>>>>> which evaluated to true, I had a look into apidocs and found:
>>>>>
>>>>> "Returns true if and only if $value is a valid IP address"
>>>>>
>>>>> Both example strings are not valid IP addresses, in my opinion.  
>>>>> Internally ip2long is used to do the checking, which accepts a 
>>>>> lot more than just "valid IP addresses".
>>>>>
>>>>> Is this intended behaviour or is it a bug and may change in the  
>>>>> future?
>>>>>
>>>>> Regards
>>>>> -joachim knust
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> -- 
>>>
>>> Kevin McArthur
>>>
>>> StormTide Digital Studios Inc.
>>> Author of the recently published book, "Pro PHP"
>>> http://www.stormtide.ca
>>>
>>>
>>
>
> -- 
>
> Kevin McArthur
>
> StormTide Digital Studios Inc.
> Author of the recently published book, "Pro PHP"
> http://www.stormtide.ca
>



-- 
Matthew Weier O'Phinney
Software Architect       | [EMAIL PROTECTED]
Zend Framework           | http://framework.zend.com/

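The validator behaviour Joachim reports above, worked through as an added example; this is not code from the thread or from Zend Framework, and it is written in Python rather than PHP. It uses Python's socket.inet_aton as a stand-in for the lenient C-library parser (assumed here to be the same inet_aton family that ip2long delegated to), and puts a strict dotted-quad check beside it so the difference is visible on the two strings from the original report plus a few constructed neighbours. The sample strings, the function names and the regular expression are all assumptions of this example.

```python
import re
import socket

# Constructed sample inputs: the two strings from the original report plus
# other forms a lenient parser tends to swallow. None of these come from the
# thread beyond the first three.
SAMPLES = [
    "192.168.34.234",             # ordinary dotted quad
    "192.168.34",                 # three-part form; inet_aton reads it as 192.168.0.34
    "192.168.34.234       asdf",  # trailing whitespace, then garbage
    "0300.0250.042.0352",         # octal components, which inet_aton also accepts
    "3232244458",                 # a bare 32-bit integer, likewise accepted
    "256.1.1.1",                  # octet out of range
    " 10.0.0.1",                  # leading whitespace
    "10.0.0.1\n",                 # trailing newline (a common form-input artefact)
    "",
]

# Exactly four decimal octets of 1-3 ASCII digits. [0-9] rather than \d, because
# \d also matches non-ASCII digits in Python 3; \Z rather than $, because $ would
# still match before a trailing newline.
_DOTTED_QUAD = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\Z")


def lenient_accepts(value: str) -> bool:
    """Mimic a validator that delegates to the C library: whatever inet_aton
    parses counts as valid. This is the loose behaviour the thread complains
    about; the exact set of accepted strings depends on the platform libc."""
    try:
        socket.inet_aton(value)
        return True
    except OSError:
        return False


def is_strict_ipv4(value: str) -> bool:
    """Accept only canonical dotted-quad IPv4: four decimal octets in 0..255,
    no leading zeros, no surrounding whitespace, nothing before or after."""
    m = _DOTTED_QUAD.match(value)
    if not m:
        return False
    for octet in m.groups():
        # "01" is rejected: other parsers read a leading zero as octal, so the
        # string would not mean the same address everywhere it is used.
        if len(octet) > 1 and octet[0] == "0":
            return False
        if int(octet) > 255:
            return False
    return True


def compare(values):
    """Return (input, lenient verdict, strict verdict) for each sample."""
    return [(v, lenient_accepts(v), is_strict_ipv4(v)) for v in values]


if __name__ == "__main__":
    for value, lenient, strict in compare(SAMPLES):
        print(f"{value!r:32} lenient={lenient!s:5} strict={strict}")
```

The point of the strict check is the one Kevin makes about downstream consumers: once a value has passed validation, later code treats it as a clean address, so anything that the validator lets through (the trailing "asdf", a newline, an octal octet) travels with it. Rejecting everything that is not the canonical form is the conservative choice; a validator that needs to accept the alternative forms should normalise them to the canonical form first and validate that.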