Hello Ilia, I'd suggest so. From my perspective 5.2 is pretty stable, tested and secure now. But more and more people want more and more stuff into 5.*. So I think we should change into a strict "RM approval required, security fixes only" mode for 5.2 and start on 5.3. Also I think we should give that at least three months for adding new stuff. Major things I'd like to see would be namespaces and adding pecl packages icu (or whatever the name is) plus phar. Well we have the todo on Lukas' site.
marcus

Thursday, August 2, 2007, 2:15:13 PM, you wrote:

> Marcus,

> Well, do you propose we leave the issue be until 5.3?

> On 2-Aug-07, at 7:41 AM, Marcus Boerger wrote:

>> Hello Ilia,
>>
>> as much as I agree with adding the stage it is a BC issue!
>>
>> Thursday, August 2, 2007, 3:26:00 AM, you wrote:
>>
>>> Stas,
>>
>>> It looks like the best solution in this case. I don't like the idea
>>> of introducing another INI stage in minor release, but I can't think
>>> of a better way to address this issue at this time and I cannot
>>> imagine it breaking much stuff.
>>
>>> On 1-Aug-07, at 8:47 PM, Stanislav Malyshev wrote:
>>
>>>> Hi!
>>>>
>>>> The attached patch implements the following improvement in Apache
>>>> module configuration handling:
>>>>
>>>> New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values
>>>> set in .htaccess are passed to handlers with
>>>> ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.
>>>>
>>>> The reason for this is that there are values - one of them being
>>>> session.save_handler - that we want to allow administrator to set
>>>> to arbitrary values, even not inside open_basedir/safe_mode
>>>> restrictions, while we do want user-set values to be inside limits.
>>>> The problem was that right now there's no way to see if the value
>>>> is set from httpd.conf (admin) or from .htaccess (frequently user-
>>>> accessible and user-writable). This patch enables to make such
>>>> distinction.
>>>> I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE but if
>>>> there would be they can easily be fixed to work with
>>>> ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 SAPI
>>>> only, but same one would be needed for apache1 API.
>>>>
>>>> This patch will allow proper fix for CVE-2007-3378 (current one
>>>> breaks BC).
>>>>
>>>> Comments/objections?
>>>> -- >>>> Stanislav Malyshev, Zend Software Architect >>>> [EMAIL PROTECTED] http://www.zend.com/ >>>> (408)253-8829 MSN: [EMAIL PROTECTED] >>>> Index: Zend/zend_ini.h >>>> =================================================================== >>>> RCS file: /repository/ZendEngine2/zend_ini.h,v >>>> retrieving revision 1.34.2.1.2.3 >>>> diff -u -r1.34.2.1.2.3 zend_ini.h >>>> --- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3 >>>> +++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000 >>>> @@ -189,6 +189,7 @@ >>>> #define ZEND_INI_STAGE_ACTIVATE (1<<2) >>>> #define ZEND_INI_STAGE_DEACTIVATE (1<<3) >>>> #define ZEND_INI_STAGE_RUNTIME (1<<4) >>>> +#define ZEND_INI_STAGE_HTACCESS (1<<5) >>>> >>>> /* INI parsing engine */ >>>> typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int >>>> callback_type, void *arg); >>>> Index: sapi/apache2handler/apache_config.c >>>> =================================================================== >>>> RCS file: /repository/php-src/sapi/apache2handler/apache_config.c,v >>>> retrieving revision 1.7.2.1.2.2 >>>> diff -u -r1.7.2.1.2.2 apache_config.c >>>> --- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12 >>>> -0000 >>>> 1.7.2.1.2.2 >>>> +++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52 >>>> -0000 >>>> @@ -51,6 +51,7 @@ >>>> char *value; >>>> size_t value_len; >>>> char status; >>>> + char htaccess; >>>> } php_dir_entry; >>>> >>>> static const char *real_value_hnd(cmd_parms *cmd, void *dummy, >>>> const char *name, const char *value, int status) >>>> @@ -67,7 +68,8 @@ >>>> e.value = apr_pstrdup(cmd->pool, value); >>>> e.value_len = strlen(value); >>>> e.status = status; >>>> - >>>> + e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0); >>>> + >>>> zend_hash_update(&d->config, (char *) name, strlen(name) + >>>> 1, &e, >>>> sizeof(e), NULL); >>>> return NULL; >>>> } 
>>>> @@ -170,7 +172,7 @@ >>>> zend_hash_move_forward(&d->config)) { >>>> zend_hash_get_current_data(&d->config, (void **) >>>> &data); >>>> phpapdebug((stderr, "APPLYING (%s)(%s)\n", str, >>>> data->value)); >>>> - if (zend_alter_ini_entry(str, str_len, data->value, >>>> data- >>>>> value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) { >>>> + if (zend_alter_ini_entry(str, str_len, data->value, >>>> data- >>>>> value_len, data->status, data->htaccess? >>>> ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) { >>>> phpapdebug((stderr, "..FAILED\n")); >>>> } >>>> } >>>> >>>> -- >>>> PHP Internals - PHP Runtime Development Mailing List >>>> To unsubscribe, visit: http://www.php.net/unsub.php >> >>> Ilia Alshanetsky >> >> >> >> >> Best regards, >> Marcus >> > Ilia Alshanetsky Best regards, Marcus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
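Review bot: the new `#define ZEND_INI_STAGE_HTACCESS (1<<5)` in the zend_ini.h hunk carries no comment saying when it is passed or how handlers should treat it. A handler that tests `stage == ZEND_INI_STAGE_ACTIVATE`, or masks on the existing four bits, will silently stop seeing .htaccess values once this lands, which is exactly the case the cover text says is "easily fixed" but gives no hint about. Suggest a one-line comment on the define, e.g. `/* as ACTIVATE, but the value was set from .htaccess: apply open_basedir/safe_mode limits */`, so the intended semantics travel with the constant.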
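Review bot: the `char htaccess;` added to php_dir_entry in the first apache_config.c hunk is fail-open by construction: 0 means "admin-set, trusted", and that is the value any construction site that forgets to assign the field would be most likely to leave (or garbage, since `e` is an uninitialised stack struct in real_value_hnd). Consider storing the flag in the safe direction (a `trusted` or `from_admin` field that must be explicitly set to 1 to escape the limits), or at least memset the entry, and add a comment on the field stating that 1 means the directive was parsed from .htaccess rather than httpd.conf or a <Directory> block.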
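Review bot: `e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0);` in the real_value_hnd hunk infers the .htaccess context from Apache's directive-context mask rather than from anything that identifies the file, and the reasoning is not recorded: it works because httpd parses the main config with RSRC_CONF in `cmd->override`, <Directory>/<Location> sections with ACCESS_CONF, and .htaccess with the AllowOverride set, which is OR_* bits only. Put that in a comment, otherwise the next reader will "simplify" it. Before relying on it for a security boundary, it is worth verifying that no section httpd allows inside .htaccess (a <Files> block, for instance) re-enters the parser with ACCESS_CONF added to `cmd->override`, since any such context would be classified as admin-set; comparing with how httpd's own ap_check_cmd_context() decides NOT_IN_HTACCESS may give a more direct signal. The hunk also removes a blank line and adds one back, which looks like stray trailing whitespace and should be dropped.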
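Review bot: the `data->htaccess? ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE` ternary in the last hunk mixes the ZEND_ and PHP_ prefixes on one line and has no spaces around `?` and `:`; pick one family (a PHP_INI_STAGE_HTACCESS alias beside the other PHP_INI_STAGE_* names, or ZEND_ for both operands) and match the surrounding style. More importantly, this patch only labels the stage: no handler in the diff consults ZEND_INI_STAGE_HTACCESS, so on its own it changes nothing for session.save_handler or any other directive. The handler-side change that actually enforces the open_basedir/safe_mode limits for the CVE-2007-3378 case should land together with this, or the new stage is dead code until it does; and as the cover text notes, the apache1 SAPI needs the same change or .htaccess values there keep arriving as ACTIVATE.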
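The admin-versus-user distinction Stas describes, as an added example that is not code from PHP, Apache or this thread: a stand-alone model in which a handler for session.save_path accepts any value applied from httpd.conf or a <Directory> block but confines values applied from .htaccess to open_basedir. The Apache context bits (OR_*, ACCESS_CONF, RSRC_CONF) mirror the values in httpd's http_config.h, the INI stage bits copy the zend_ini.h hunk, and the functions is_htaccess_context, path_within_base, on_update_save_path, apply_entry and apply_entry_before_patch are hypothetical stand-ins for PHP's INI machinery, not its real API. The sample contexts and paths are constructed.

```c
/* Added example (not code from PHP, Apache or this thread): a stand-alone
 * model of the distinction the patch introduces. Apache's context bits
 * mirror the values in httpd's http_config.h; the INI stage bits copy the
 * zend_ini.h hunk; the handler and config-entry functions are hypothetical
 * stand-ins for PHP's own INI machinery. */
#include <stdio.h>
#include <string.h>

/* Apache directive-context bits (values as in httpd's http_config.h). */
#define OR_LIMIT    1
#define OR_OPTIONS  2
#define OR_FILEINFO 4
#define OR_AUTHCFG  8
#define OR_INDEXES  16
#define ACCESS_CONF 64    /* allowed inside <Directory>/<Location> sections */
#define RSRC_CONF   128   /* allowed in the main server config */
#define OR_ALL (OR_LIMIT | OR_OPTIONS | OR_FILEINFO | OR_AUTHCFG | OR_INDEXES)

/* INI stage bits, same layout as the patch's zend_ini.h hunk. */
#define INI_STAGE_ACTIVATE (1 << 2)
#define INI_STAGE_HTACCESS (1 << 5)

/* The patch's heuristic from real_value_hnd: .htaccess is parsed with the
 * AllowOverride mask, which holds OR_* bits only, so the absence of both
 * RSRC_CONF and ACCESS_CONF means "this directive came from .htaccess". */
int is_htaccess_context(unsigned override_mask)
{
    return (override_mask & (RSRC_CONF | ACCESS_CONF)) == 0;
}

/* Is `path` inside `base`? A bare prefix test would accept
 * "/var/www/site-evil" for base "/var/www/site", so insist on a directory
 * boundary. (A real check resolves symlinks and ".." with realpath() first;
 * that is left out so the example runs offline on constructed strings.) */
int path_within_base(const char *base, const char *path)
{
    size_t n = strlen(base);
    if (n == 0 || strncmp(base, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/' || base[n - 1] == '/';
}

/* Hypothetical on-modify handler for session.save_path. Values applied at
 * ACTIVATE (httpd.conf, <Directory>) are trusted; values applied at
 * HTACCESS must lie inside open_basedir. Returns 0 = accepted, -1 = rejected. */
int on_update_save_path(const char *open_basedir, const char *value, int stage)
{
    if (!(stage & INI_STAGE_HTACCESS))
        return 0;
    if (open_basedir != NULL && !path_within_base(open_basedir, value))
        return -1;
    return 0;
}

/* Before the patch every per-directory value reached the handler at
 * ACTIVATE, so the handler had no way to tell admin from user. */
int apply_entry_before_patch(const char *value, unsigned override_mask,
                             const char *open_basedir)
{
    (void)override_mask;
    return on_update_save_path(open_basedir, value, INI_STAGE_ACTIVATE);
}

/* After the patch: pick the stage from the context the directive was parsed
 * in, as the apache_config.c hunk does, then run the handler. */
int apply_entry(const char *value, unsigned override_mask, const char *open_basedir)
{
    int stage = is_htaccess_context(override_mask) ? INI_STAGE_HTACCESS
                                                   : INI_STAGE_ACTIVATE;
    return on_update_save_path(open_basedir, value, stage);
}

int main(void)
{
    /* Constructed scenarios; the override masks follow the shape httpd
     * assigns to each context (main config, <Directory>, .htaccess). */
    const char *basedir = "/var/www/site";
    struct { const char *where; const char *value; unsigned mask; } cases[] = {
        { "httpd.conf",  "/var/lib/php/sessions",  RSRC_CONF | OR_ALL },
        { "<Directory>", "/var/lib/php/sessions",  ACCESS_CONF | OR_ALL },
        { ".htaccess",   "/var/lib/php/sessions",  OR_ALL },
        { ".htaccess",   "/var/www/site/tmp",      OR_ALL },
        { ".htaccess",   "/var/www/site-evil/tmp", OR_ALL },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-12s %-24s before: %s  after: %s\n", cases[i].where, cases[i].value,
               apply_entry_before_patch(cases[i].value, cases[i].mask, basedir) == 0
                   ? "accepted" : "rejected",
               apply_entry(cases[i].value, cases[i].mask, basedir) == 0
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows the two behaviours side by side: before the stage bit exists every entry is accepted, because the handler sees ACTIVATE for all of them; afterwards the httpd.conf and <Directory> entries still pass unchanged while the .htaccess entry pointing outside open_basedir, and the one relying on a loose prefix match, are rejected. The boundary test in path_within_base is the part people most often get wrong when they "fix" this kind of check with a plain strncmp.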
