Marcus,

I've already said several times that post 5.2.4 work on 5.3 will begin. This patch however IS a security fix, so the option is to ignore the bug or fix it. I am for fixing it rather than delaying the fix until 5.3 is released.


On 2-Aug-07, at 9:27 AM, Marcus Boerger wrote:

Hello Ilia,

  I'd suggest so. From my perspective 5.2 is pretty stable, tested and
secure now. But more and more people want more and more stuff into 5.*.
So I think we should change into a strict RM approval required security
fixes only mode for 5.2 and start on 5.3. Also I think we should give
that at least three months for adding new stuff. Major things I'd like
to see would be namespaces and adding pecl packages icu (or whatever
the name is) plus phar. Well we have the todo on lukas' site.

marcus

Thursday, August 2, 2007, 2:15:13 PM, you wrote:

Marcus,

Well, do you propose we leave the issue be until 5.3?


On 2-Aug-07, at 7:41 AM, Marcus Boerger wrote:

Hello Ilia,

  as much as I agree with adding the stage it is a BC issue!

Thursday, August 2, 2007, 3:26:00 AM, you wrote:

Stas,

It looks like the best solution in this case. I don't like the idea
of introducing another INI stage in minor release, but I can't think
of a better way to address this issue at this time and I cannot
imagine it breaking much stuff.

On 1-Aug-07, at 8:47 PM, Stanislav Malyshev wrote:

Hi!

The attached patch implements the following improvement in Apache
module configuration handling:

New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values
set in .htaccess are passed to handlers with
ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.

The reason for this is that there are values - one of them being
session.save_handler - that we want to allow administrator to set
to arbitrary values, even not inside open_basedir/safe_mode
restrictions, while we do want user-set values to be inside limits.
The problem was that right now there's no way to see if the value
is set from httpd.conf (admin) or from .htaccess (frequently user-
accessible and user-writable). This patch enables to make such
distinction.
I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE but if
there would be they can easily be fixed to work with
ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 SAPI
only, but same one would be needed for apache1 API.

This patch will allow proper fix for CVE-2007-3378 (current one
breaks BC).

Comments/objections?
-- Stanislav Malyshev, Zend Software Architect
[EMAIL PROTECTED]   http://www.zend.com/
(408)253-8829   MSN: [EMAIL PROTECTED]
Index: Zend/zend_ini.h
================================================================== =
RCS file: /repository/ZendEngine2/zend_ini.h,v
retrieving revision 1.34.2.1.2.3
diff -u -r1.34.2.1.2.3 zend_ini.h
--- Zend/zend_ini.h   1 Jan 2007 09:35:46 -0000       1.34.2.1.2.3
+++ Zend/zend_ini.h   2 Aug 2007 00:40:52 -0000
@@ -189,6 +189,7 @@
 #define ZEND_INI_STAGE_ACTIVATE              (1<<2)
 #define ZEND_INI_STAGE_DEACTIVATE    (1<<3)
 #define ZEND_INI_STAGE_RUNTIME               (1<<4)
+#define ZEND_INI_STAGE_HTACCESS              (1<<5)

 /* INI parsing engine */
 typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int
callback_type, void *arg);
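
Review bot: ZEND_INI_STAGE_HTACCESS is added at (1<<5) with no comment saying who passes it or how handlers should treat it compared with ZEND_INI_STAGE_ACTIVATE. Because it is a separate bit, any handler that tests the stage against ZEND_INI_STAGE_ACTIVATE will no longer match values that arrive with the new stage. A one-line comment on the define (set by the SAPI for values read from .htaccess, to be treated as user-controlled) would document the contract for extension authors.
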
Index: sapi/apache2handler/apache_config.c
================================================================== = RCS file: /repository/php-src/sapi/apache2handler/ apache_config.c,v
retrieving revision 1.7.2.1.2.2
diff -u -r1.7.2.1.2.2 apache_config.c
--- sapi/apache2handler/apache_config.c       1 Jan 2007 09:36:12
-0000
1.7.2.1.2.2
+++ sapi/apache2handler/apache_config.c       2 Aug 2007 00:40:52
-0000
@@ -51,6 +51,7 @@
      char *value;
      size_t value_len;
      char status;
+    char htaccess;
 } php_dir_entry;

 static const char *real_value_hnd(cmd_parms *cmd, void *dummy,
const char *name, const char *value, int status)
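
Review bot: the new member `char htaccess;` in php_dir_entry is undocumented, and neither the type nor the name says it is a boolean flag. It sits directly after `char status`, which is filled from the handler's status argument, so a short comment such as "non-zero when the entry was read from .htaccess" would keep it from being read as another mode value.
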
@@ -67,7 +68,8 @@
      e.value = apr_pstrdup(cmd->pool, value);
      e.value_len = strlen(value);
      e.status = status;
-
+ e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0);
+
      zend_hash_update(&d->config, (char *) name, strlen(name) +
1, &e,
sizeof(e), NULL);
      return NULL;
 }
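
Review bot: the test `(cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0` in real_value_hnd is the single point that classifies a value as administrator-set or user-set, and it carries no comment explaining why the absence of both bits means the directive came from .htaccess. A misclassification in one direction leaves a user-set value with the ACTIVATE stage, which is the case the new stage exists to prevent, so the reasoning should be written next to the expression or moved into a small named helper that the apache1 SAPI can reuse.
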
@@ -170,7 +172,7 @@
                      zend_hash_move_forward(&d->config)) {
              zend_hash_get_current_data(&d->config, (void **)
&data);
              phpapdebug((stderr, "APPLYING (%s)(%s)\n", str,
data->value));
-             if (zend_alter_ini_entry(str, str_len, data->value,
data-
value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) {
+             if (zend_alter_ini_entry(str, str_len, data->value,
data-
value_len, data->status, data->htaccess?
ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) {
                      phpapdebug((stderr, "..FAILED\n"));
              }
      }
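
Review bot: when zend_alter_ini_entry returns FAILURE for an entry passed with ZEND_INI_STAGE_HTACCESS, the only report is the phpapdebug "..FAILED" line in the unchanged context. Once handlers start rejecting .htaccess values on purpose, a refused setting will be dropped without any message the administrator can see unless that debug output is enabled; consider logging the directive name at that point. The ternary also mixes the ZEND_ and PHP_ prefixes (`ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE`); using one naming family on both branches would read more consistently.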

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Ilia Alshanetsky




Best regards,
 Marcus


Ilia Alshanetsky




Best regards,
 Marcus


Ilia Alshanetsky
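
The handler side of the mechanism Stanislav describes, as an added example that is not part of the original thread or of PHP's source: a stand-alone model of an INI update handler that lets administrator-set values through but bounds values arriving with the new stage. The stage bits are copied from the zend_ini.h hunk above; the function names, the return codes, the prefix-based directory check and the treatment of RUNTIME as user-controlled are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stage bits as they appear in the zend_ini.h hunk on this page. */
#define ZEND_INI_STAGE_ACTIVATE   (1<<2)
#define ZEND_INI_STAGE_RUNTIME    (1<<4)
#define ZEND_INI_STAGE_HTACCESS   (1<<5)

/* Hypothetical return codes for this model. */
#define MODEL_SUCCESS  0
#define MODEL_FAILURE -1

/* Hypothetical stand-in for an open_basedir style check: the path must
 * be the base directory or lie below it. Not PHP's implementation. */
static int model_path_allowed(const char *path, const char *basedir)
{
    size_t n = strlen(basedir);
    if (n == 0) return 1;                    /* no restriction configured */
    if (strstr(path, "..") != NULL) return 0; /* refuse traversal outright */
    if (strncmp(path, basedir, n) != 0) return 0;
    /* "/home/user" must not match "/home/username" */
    return path[n] == '\0' || path[n] == '/' || basedir[n - 1] == '/';
}

/* Model of an update handler for a path-valued setting. A value from
 * httpd.conf arrives as ACTIVATE and is trusted; a value from .htaccess
 * (new stage) or from a script at RUNTIME is treated as user-set. */
static int model_update_path_setting(const char *new_value, int stage,
                                     const char *basedir)
{
    int user_set = (stage & (ZEND_INI_STAGE_HTACCESS |
                             ZEND_INI_STAGE_RUNTIME)) != 0;
    if (user_set && !model_path_allowed(new_value, basedir))
        return MODEL_FAILURE;
    return MODEL_SUCCESS;
}

int main(void)
{
    const char *base = "/home/user";   /* constructed sample values */
    const char *val  = "/tmp/other";
    printf("httpd.conf (ACTIVATE): %d\n",
           model_update_path_setting(val, ZEND_INI_STAGE_ACTIVATE, base));
    printf(".htaccess  (HTACCESS): %d\n",
           model_update_path_setting(val, ZEND_INI_STAGE_HTACCESS, base));
    return 0;
}
```

Without the separate stage both calls in main would carry ACTIVATE and the handler could not refuse the second one without also refusing the first.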
