On Sat, 2 Mar 2002, James Cox wrote:

> oh...
>
> we probably need to fix that..

That is quite impossible, and I don't see a reason why it should be
changed actually.

Derick

>
> James
>
> > -----Original Message-----
> > From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, March 02, 2002 8:10 AM
> > To: James Cox
> > Cc: Rui Hirokawa; [EMAIL PROTECTED]
> > Subject: RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries
> >
> >
> > There is no 4_1_2 branch.  There is a PHP_4_1_2 tag.  The 4.1.x branch is
> > called 4_0_7 currently.  Yeah, I know it sucks.
> >
> > -Rasmus
> >
> > On Sat, 2 Mar 2002, James Cox wrote:
> >
> > > Rui,
> > >
> > > No, it's against the 4_1_2 branch.
> > >
> > > > -----Original Message-----
> > > > From: Rui Hirokawa [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, March 01, 2002 11:32 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries
> > > >
> > > >
> > > >
> > > > Is this patch for Windows already applied
> > > > to CVS's PHP 4_0_7 branch ?
> > > >
> > > > Rui
> > > >
> > > > > Shane and I worked last night to build Windows versions of 4.1.2, and also
> > > > > fix a further vulnerability which exists when you call the cgi directly, for
> > > > > example in cgi with apache, it was possible to call
> > > > > http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> > > > > the /etc/passwd file.
> > > > >
> > > > > We have patched it so it is no longer possible to call it directly, so this
> > > > > vulnerability is at least worked around.
> > > > >
> > > > > Due to the fact that some webservers fix this by default anyway, we have 2
> > > > > new ini options. (see them in the php.ini in the source).
> > > > >
> > > > > The particular one you'll need to set is cgi.force-redirect (0|1) so that
> > > > > for servers that are not exploitable (eg, IIS) you override the setting.
> > > > >
> > > > > I hope that made sense, check out the attached binaries... let us know if
> > > > > there are any problems. If not, I'll put them up on the website with
> > > > > detailed (thought out) install instructions for all those Windows users,
> > > > > and add comments to the docs.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > James
> > > >
> > > >
> > > > --
> > > > -----------------------------------------------------
> > > > Rui Hirokawa <[EMAIL PROTECTED]>
> > > >              <[EMAIL PROTECTED]>
> > > >
> > > > --
> > > > PHP Development Mailing List <http://www.php.net/>
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
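
Added example, not part of the thread and not PHP's own code: a log check for the direct CGI call described in the quoted announcement, useful for confirming whether a server was probed before the patched binaries were installed. The log lines are constructed, and the function names and the heuristic (interpreter basename plus an absolute-path query string) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format). Only the first URL's
# path and query come from the thread; everything else is made up.
SAMPLE_LOG = r"""
192.0.2.10 - - [02/Mar/2002:08:10:01 +0000] "GET /php/php.exe?c:\winnt\repair\sam HTTP/1.0" 200 1024
192.0.2.11 - - [02/Mar/2002:08:10:05 +0000] "GET /index.php?page=2 HTTP/1.0" 200 512
192.0.2.12 - - [02/Mar/2002:08:11:09 +0000] "GET /php/php.exe?c%3A%5Cwinnt%5Crepair%5Csam HTTP/1.0" 403 0
192.0.2.13 - - [02/Mar/2002:08:12:30 +0000] "GET /php/php.exe HTTP/1.0" 200 300
"""

REQUEST = re.compile(
    r'^(?P<client>\S+) .*?"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Last path segment is the CGI interpreter itself, not a script.
INTERPRETER = re.compile(r"^php(?:-cgi)?(?:\.exe)?$", re.IGNORECASE)
# Drive-letter path (c:\...) or a path starting with a slash or backslash.
FS_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")


def is_direct_cgi_call(target):
    """True if the request names the PHP CGI binary itself and the query
    string, once URL-decoded, is an absolute filesystem path."""
    path, _, query = target.partition("?")
    basename = unquote(path).rsplit("/", 1)[-1]
    if not INTERPRETER.match(basename):
        return False
    return bool(FS_PATH.match(unquote(query)))


def find_direct_cgi_calls(log_text):
    """Return (client, decoded file path, served) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and is_direct_cgi_call(m.group("target")):
            requested = unquote(m.group("target").partition("?")[2])
            served = m.group("status").startswith("2")  # 2xx: content went out
            hits.append((m.group("client"), requested, served))
    return hits


if __name__ == "__main__":
    for client, requested, served in find_direct_cgi_calls(SAMPLE_LOG):
        print(f"{client} asked the CGI binary for {requested!r}; served={served}")
```

A hit with `served=True` means the response was delivered with a 2xx status, so the named file should be treated as disclosed.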