Rui,

No, it's against the 4_1_2 branch.

> -----Original Message-----
> From: Rui Hirokawa [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 01, 2002 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries
>
> Is this patch for Windows already applied
> to CVS's PHP 4_0_7 branch?
>
> Rui
>
> > Shane and I worked last night to build Windows versions of 4.1.2, and also
> > fix a further vulnerability which exists when you call the cgi directly, for
> > example in cgi with apache, it was possible to call
> > http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> > the /etc/passwd file.
> >
> > We have patched it so it is no longer possible to call it directly, so this
> > vulnerability is at least worked around.
> >
> > Due to the fact that some webservers fix this by default anyway, we have 2
> > new ini options. (see them in the php.ini in the source).
> >
> > The particular one you'll need to set is cgi.force-redirect (0|1) so that
> > for servers that are not exploitable (eg, IIS) you override the setting.
> >
> > I hope that made sense, check out the attached binaries... let us know if
> > there are any problems. If not, I'll put them up on the website with
> > detailed (Thought out) install instructions for all those windows users,
> > and add comments to the docs.
> >
> > Thanks,
> >
> > James
>
> --
> -----------------------------------------------------
> Rui Hirokawa <[EMAIL PROTECTED]>
>              <[EMAIL PROTECTED]>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php