On Sat, 2 Mar 2002, James Cox wrote:

> Rui,
>
> No, it's against the 4_1_2 branch.

There is no 4_1_2 branch, Rui was right, it has been applied to the PHP_4_0_7 branch.

Derick

> > -----Original Message-----
> > From: Rui Hirokawa [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 01, 2002 11:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries
> >
> > Is this patch for Windows already applied
> > to CVS's PHP 4_0_7 branch ?
> >
> > Rui
> >
> > > Shane and I worked last night to build Windows versions of 4.1.2, and also
> > > fix a further vulnerability which exists when you call the cgi directly, for
> > > example in cgi with apache, it was possible to call
> > > http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> > > the /etc/passwd file.
> > >
> > > We have patched it so it is no longer possible to call it directly, so this
> > > vulnerability is at least worked around.
> > >
> > > Due to the fact that some webservers fix this by default anyway, we have 2
> > > new ini options. (see them in the php.ini in the source).
> > >
> > > The particular one you'll need to set is cgi.force-redirect (0|1) so that
> > > for servers that are not exploitable (eg, IIS) you override the setting.
> > >
> > > I hope that made sense, check out the attached binaries... let us know if
> > > there are any problems. If not, I'll put them up on the website with
> > > detailed (Thought out) install instructions for all those windows users,
> > > and add comments to the docs.
> > >
> > > Thanks,
> > >
> > > James
> >
> > --
> > -----------------------------------------------------
> > Rui Hirokawa <[EMAIL PROTECTED]>
> >              <[EMAIL PROTECTED]>

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
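
A log check for the direct-CGI request pattern described in the thread, as an added example that is not part of the original messages or of PHP's code. The log lines are constructed, and the interpreter names and the common/combined log format are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the CGI interpreter is exposed under a script alias as php,
# php-cgi, php.exe or php-cgi.exe; adjust to the local install.
CGI_BINARY = re.compile(r"/(?:php|php-cgi)(?:\.exe)?$", re.IGNORECASE)
# Query string that is itself a filesystem path (drive letter, UNC, or rooted).
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")
# Client, request target and status from a common/combined log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    r'192.0.2.10 - - [02/Mar/2002:10:01:00 +0000] "GET /php/php.exe?c:\winnt\repair\sam HTTP/1.0" 200 1024',
    r'192.0.2.11 - - [02/Mar/2002:10:02:00 +0000] "GET /php/php.exe?c%3A%5Cwinnt%5Crepair%5Csam HTTP/1.0" 403 210',
    r'192.0.2.12 - - [02/Mar/2002:10:03:00 +0000] "GET /index.php?page=2 HTTP/1.0" 200 5120',
    r'192.0.2.13 - - [02/Mar/2002:10:04:00 +0000] "GET /php/php.exe HTTP/1.0" 403 210',
]


def direct_cgi_file_requests(lines):
    """Return (client, decoded_query, status) for each direct call to the CGI
    binary whose query string is a file path instead of script parameters."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if not CGI_BINARY.search(unquote(path)):
            continue  # ordinary script request, not the interpreter itself
        decoded = unquote(query)  # percent-encoded paths count too
        if PATH_LIKE.match(decoded):
            hits.append((client, decoded, int(status)))
    return hits


if __name__ == "__main__":
    for client, query, status in direct_cgi_file_requests(SAMPLE_LOG):
        outcome = "answered" if status < 400 else "refused"
        print(f"{client} {status} {outcome}: {query}")
```

Hits with a status below 400 are the ones to triage first, since the server answered the request rather than refusing it.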