Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
+1

Not certain about a better solution but there are other methods of encrypting and decrypting session data. In a recent project I have been tasked with implementing a PDO stored procedure using MySQL's AES functionality, which works well with or without the patch.

In a lot of ways I think that is the benefit of any programming language. The tools exist, implement them right?

Jas

On Feb 4, 2012, at 10:21 AM, John Crenshaw wrote:

> OK, All the mud slinging is getting really silly (on *both* sides). There's
> no need to denigrate others because you don't agree with them. There's no
> point in arguing about who isn't a team player or who works for which evil
> multinational corporation. Nobody is attacking anybody else by suggesting
> that Suhosin is or is not critical, and none of that really matters anyway.
>
> I may have missed something, but has anyone asked *why* the patch was
> disabled? I think I could make a good guess, but I haven't seen even the
> slightest hint of the actual reasons in this email chain (though I could
> easily have missed it entirely).
>
> IMO we should try to focus on:
> 1. What are the pros vs. cons of enabling the Suhosin patch by default?
> 2. Why did the Debian team opt to disable it?
> 3. Are there better solutions that should be considered and recommended?
>
> John Crenshaw
> Priacta, Inc.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Re: Push Request #21
There really doesn't seem to be much interest in this proposed patch. Should I continue development efforts on closing this feature request?

I do also have a few questions regarding standards adherence, and memory leak methods of detection.

I ask about the memory leak detection as passing test scripts through valgrind only led me to find leaks in the openssl_pkey_new() function.

Thanks for any help you can provide

Jas

On Apr 3, 2012, at 4:47 AM, Jason Gerfen wrote:

> Please bear with me as I am going to address a few things that (being new) I
> seem to have overlooked upon my initial pull request @
> https://github.com/php/php-src/pull/21.
>
> I have forked and submitted a push request to add native spkac functionality
> per a feature request @ https://bugs.php.net/bug.php?id=38917.
>
> It introduces five new functions:
> openssl_spki_new()
> openssl_spki_export()
> openssl_spki_export_challenge()
> openssl_spki_verify()
> openssl_spki_details()
>
> First I am not sure I should include the openssl_spki_details() function as
> it may be overkill and the remainder of the PHP OpenSSL extension does not
> have anything providing the modulus and other details. I am leaning towards
> the omitting of this in next pull request.
>
> Second. The warning message UC first or all LC has been brought up. The
> remainder of the warning messages do not use LC at all and I simply followed
> this example.
>
> Third. The adherence to C89 vs. C99 functions, I could not find references to
> this in any of the internals docs. I very well could have missed it.
>
> Fourth. A couple of you made mention of re-factoring to omit goto statements.
> Does this mean the remainder of the ext/openssl/openssl.c file should be
> re-factored as I originally used this as an example of creating new functions
> which does include a few functions making use of goto statements.
>
> Thanks for any feedback you can provide
>
> --
> Jas

Re: [PHP-DEV] Re: Push Request #21
On Apr 11, 2012, at 8:49 PM, Stas Malyshev wrote:

> Hi!
>
>> You might want to do something like
>>
>> USE_ZEND_ALLOC=0 ZEND_DONT_UNLOAD_MODULES=1
>> TEST_PHP_EXECUTABLE=./sapi/cli/php php ./run-tests.php -m ext/openssl/

I am glad I asked as I was not aware of this. Is there a comprehensive guide to this? I have scoured the php.net site and Google but found very little.

> Also I would advise adding tests that test failure conditions - right
> now the tests seem to only test "OK" conditions but not failures - like
> passing random strings or other bad data.
>

No problem, I can update this pretty quickly

> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227

Re: [PHP-DEV] Re: Push Request #21
On Apr 11, 2012, at 8:39 PM, Yasuo Ohgaki wrote:

> Hi
>
> 2012/4/12 Stas Malyshev :
>> Hi!
>>
>>> There really doesn't seem to be much interest in this proposed patch.
>>> Should I continue development efforts on closing this feature request?
>>
>> Can't say anything here - I don't use these APIs personally, but maybe
>> other people need them. No idea :)

On that note Mr. Malyshev has indicated (in addition to several other threads on the internals list) that no new features will be added in 5.3 or 5.4 branches. Any idea on when new features might make it in to the core?

>>> I do also have a few questions regarding standards adherence, and memory
>>> leak methods of detection.
>>>
>>> I ask about the memory leak detection as passing test scripts through
>>> valgrind only led me to find leaks in the openssl_pkey_new() function.
>>
>> There's two levels of leak detection - internal memory management &
>> valgrind. How to work with them:
>>
>> 1. Internal. Compile php with --enable-debug and run your tests. Leaks
>> will be reported by php.
>> 2. External. Set USE_ZEND_ALLOC environment variable to 0. Set
>> ZEND_DONT_UNLOAD_MODULES to 1. Run it under valgrind, see what it reports.
>
> You might want to do something like
>

Is this in the documentation? If so could you provide a link?

> USE_ZEND_ALLOC=0 ZEND_DONT_UNLOAD_MODULES=1
> TEST_PHP_EXECUTABLE=./sapi/cli/php php ./run-tests.php -m ext/openssl/
>
> It seems your API is good.
> Isn't it just there aren't people who would like to
> responsible?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net

Re: [PHP-DEV] Re: Push Request #21
On Apr 11, 2012, at 9:20 PM, Stas Malyshev wrote:

> Hi!
>
>> On that note Mr. Malyshev has indicated (in addition to several other
>> threads on the internals list) that no new features will be added in
>> 5.3 or 5.4 branches.
>
> 5.3 is out of the question, I think, but for 5.4 small self-contained
> additions - like adding a couple of functions here and there - may be fine

Good to know, I appreciate your time

> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227

Re: [PHP-DEV] Status of pull request
Thanks, for whatever reason it caught the pbkdf2 stuff, not intentional. I will update it asap

Jas

On Feb 17, 2013, at 3:12 AM, Stas Malyshev wrote:

> Hi!
>
>> The pull request addresses bug fix/feature request #38917 implementing
>> native signed public key & challenge support to the OpenSSL extension.
>> Details can be found @ https://github.com/php/php-src/pull/267
>
> I've looked into it and two things are missing:
> 1. Failure scenario tests. See my comments on the patch, in many
> functions initializations are missing and error scenarios segfault.
> Please fix it.
>
> 2. For some reason the diff includes pbkdf2 which is not part of the
> patch. No idea why. Could you clean it up?
>
> If this is done, we could get it into 5.5 probably.
>
> Thanks,
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
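
The failure-condition tests asked for twice in this thread (random strings or other bad data in April 2012, failure scenario tests in February 2013), sketched as an added example that is not part of the original messages or of the pull request. It assumes a PHP build whose openssl extension provides the openssl_spki_* functions named in the thread; the challenge string and the malformed inputs are constructed.

```php
<?php
// Added example (not from the pull request): failure-path checks for SPKAC input.
// Assumes ext/openssl provides openssl_spki_new/verify/export/export_challenge.

function spki_negative_checks(): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }

    // Constructed challenge; the "SPKAC=" prefix is stripped before reuse.
    $spkac = openssl_spki_new($key, 'constructed-challenge', OPENSSL_ALGO_SHA256);
    $good  = preg_replace('/^SPKAC=/', '', $spkac);

    // Constructed inputs: one valid baseline, then empty, non-base64,
    // truncated, and a copy with a single character altered.
    $mid = intdiv(strlen($good), 2);
    $inputs = [
        'valid'     => $good,
        'empty'     => '',
        'garbage'   => str_repeat('!not base64!', 8),
        'truncated' => substr($good, 0, $mid),
        'tampered'  => substr_replace($good, $good[$mid] === 'A' ? 'B' : 'A', $mid, 1),
    ];

    // Collect warnings instead of silencing them, so they can be inspected.
    $warnings = [];
    set_error_handler(function ($no, $msg) use (&$warnings) { $warnings[] = $msg; return true; });

    // Record, per input, whether each function rejected it (returned false).
    // A tampered blob may still decode, so only verify is expected to reject it.
    $rejected = [];
    foreach ($inputs as $name => $in) {
        $rejected[$name] = [
            'verify'    => openssl_spki_verify($in) === false,
            'export'    => openssl_spki_export($in) === false,
            'challenge' => openssl_spki_export_challenge($in) === false,
        ];
    }
    restore_error_handler();
    return [$rejected, $warnings];
}

[$rejected, $warnings] = spki_negative_checks();
foreach ($rejected as $name => $r) {
    printf("%-9s verify=%d export=%d challenge=%d\n", $name, $r['verify'], $r['export'], $r['challenge']);
}
printf("%d warning(s) raised\n", count($warnings));
```

Running the same script with the USE_ZEND_ALLOC=0 and ZEND_DONT_UNLOAD_MODULES=1 settings quoted earlier in the thread puts these error paths under valgrind as well.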