This patch was supposed to make it RFC compliant. Can you please point me to the part in RFC 2965 which now isn't implemented correctly?

    As now it handles these strings it gets the same:

      name="whatever,this,might,be";name2="value2"
      name="whatever,this,might,be",name2="value2"

    How can this affect modsecurity at all????

    --Jani

On Sun, 24 Apr 2005, Stefan Esser wrote:

Jani Taskinen wrote:
sniper          Sat Apr 23 16:33:35 2005 EDT

  Modified files:
    /php-src/main        php_variables.c
  Log:
  - Fixed bug #32111 (Cookies can also be separated by colon)

Could you please revert that patch, or implement the RFC correctly?

Now PHP handles cookies in a completely RFC uncovered way.

Either we have support for , ; " or only for ; but not something in between. F.e. with your patch you just fucked modsecurity again which will fail to correctly detect evil cookie variables. No matter if you configure it to use V0 or V1 of its detection.

Stefan



-- Donate @ http://pecl.php.net/wishlist.php/sniper

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
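The disagreement in this thread is about which characters separate cookie pairs and whether double quotes protect them. The following is an added example, not code from PHP or modsecurity: it runs the two strings from the message through three simplified separator models (assumptions that do not reproduce php_variables.c or modsecurity's V0/V1 handling) and flags headers on which the models disagree, which is the condition under which a filter and the application can see different cookie variables.

```python
# Added illustration: simplified separator models, not PHP's or
# modsecurity's actual parsers. Model names are hypothetical.
MODELS = {
    "semicolon_only": (";", False),          # only ';' separates pairs
    "comma_semicolon_naive": (";,", False),  # ',' and ';' split everywhere
    "comma_semicolon_quoted": (";,", True),  # separators inside "..." are literal
}

def split_cookies(header, seps, honor_quotes):
    """Split a Cookie header value into (name, value) pairs under one model."""
    fields, cur, in_quotes = [], "", False
    for ch in header:
        if ch == '"' and honor_quotes:
            in_quotes = not in_quotes
        if ch in seps and not in_quotes:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)  # last field; also covers an unterminated quote
    pairs = []
    for field in fields:
        name, _, value = field.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def parse_all(header):
    """Parse one header under every model."""
    return {m: split_cookies(header, *cfg) for m, cfg in MODELS.items()}

def is_ambiguous(header):
    """True when the models disagree on the sequence of cookie names."""
    names = {tuple(n for n, _ in p) for p in parse_all(header).values()}
    return len(names) > 1

# The two strings from the message above, plus one constructed plain header.
SAMPLES = [
    'name="whatever,this,might,be";name2="value2"',
    'name="whatever,this,might,be",name2="value2"',
    "a=1; b=2",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print("AMBIGUOUS" if is_ambiguous(hdr) else "consistent", hdr)
        for model, pairs in parse_all(hdr).items():
            print("   ", model, [n for n, _ in pairs])
```

A filter in front of the application can use a check like `is_ambiguous` to reject or normalise headers that do not parse identically under every model it might be compared against.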


