Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On 03/28/2012 03:06 AM, Anatoliy Belsky wrote: Commit:11f04c3524cc86a5c4cdf748a107801116604184 Author:Anatoliy Belskya...@php.net Wed, 28 Mar 2012 12:06:09 +0200 Parents: e7fa402c7ccbff8a6ff8af776192416747db0d77 Branches: PHP-5.3 PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=11f04c3524cc86a5c4cdf748a107801116604184 Log: Bug 61504 updated libmagic.patch Bugs: https://bugs.php.net/61504 Changed paths: M ext/fileinfo/libmagic.patch Anatoliy, Pierre, Can you review https://bugs.php.net/bug.php?id=61940 which claims the fix for 61504 broke it. Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
Hi Chris, please see my comment in the #61940. Regards Anatoliy Am Fr, 4.05.2012, 19:16 schrieb Christopher Jones: On 03/28/2012 03:06 AM, Anatoliy Belsky wrote: Commit:11f04c3524cc86a5c4cdf748a107801116604184 Author:Anatoliy Belskya...@php.net Wed, 28 Mar 2012 12:06:09 +0200 Parents: e7fa402c7ccbff8a6ff8af776192416747db0d77 Branches: PHP-5.3 PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=11f04c3524cc86a5c4cdf748a107801116604184 Log: Bug 61504 updated libmagic.patch Bugs: https://bugs.php.net/61504 Changed paths: M ext/fileinfo/libmagic.patch Anatoliy, Pierre, Can you review https://bugs.php.net/bug.php?id=61940 which claims the fix for 61504 broke it. Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On 05/04/2012 11:16 AM, Anatoliy Belsky wrote: Hi Chris, please see my comment in the #61940. Regards Anatoliy Hi Anatoliy, Is this documented on php.net? I agree with Sean that the error messages are useless. Is there anyway PHP can improve on them? Thanks for looking at it, Chris Am Fr, 4.05.2012, 19:16 schrieb Christopher Jones: On 03/28/2012 03:06 AM, Anatoliy Belsky wrote: Commit:11f04c3524cc86a5c4cdf748a107801116604184 Author:Anatoliy Belskya...@php.net Wed, 28 Mar 2012 12:06:09 +0200 Parents: e7fa402c7ccbff8a6ff8af776192416747db0d77 Branches: PHP-5.3 PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=11f04c3524cc86a5c4cdf748a107801116604184 Log: Bug 61504 updated libmagic.patch Bugs: https://bugs.php.net/61504 Changed paths: M ext/fileinfo/libmagic.patch Anatoliy, Pierre, Can you review https://bugs.php.net/bug.php?id=61940 which claims the fix for 61504 broke it. Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On Fri, May 4, 2012 at 9:38 PM, Christopher Jones christopher.jo...@oracle.com wrote: On 05/04/2012 11:16 AM, Anatoliy Belsky wrote: Hi Chris, please see my comment in the #61940. Regards Anatoliy Hi Anatoliy, Is this documented on php.net? I agree with Sean that the error messages are useless. Is there anyway PHP can improve on them? Thanks for looking at it, Chris Am Fr, 4.05.2012, 19:16 schrieb Christopher Jones: On 03/28/2012 03:06 AM, Anatoliy Belsky wrote: Commit: 11f04c3524cc86a5c4cdf748a107801116604184 Author: Anatoliy Belskya...@php.net Wed, 28 Mar 2012 12:06:09 +0200 Parents: e7fa402c7ccbff8a6ff8af776192416747db0d77 Branches: PHP-5.3 PHP-5.4 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=11f04c3524cc86a5c4cdf748a107801116604184 Log: Bug 61504 updated libmagic.patch Bugs: https://bugs.php.net/61504 Changed paths: M ext/fileinfo/libmagic.patch Anatoliy, Pierre, Can you review https://bugs.php.net/bug.php?id=61940 which claims the fix for 61504 broke it. Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php I couldn't agree more with Sean here. A major library update should definitely not be done in a point release, especially when it isn't BC. And triggering so many different errors that isn't ignored by ignore_repeated_errors.. Not cool. Just because we bundle a library doesn't mean we can ignore everyting else -Hannes -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On 05/04/2012 02:22 PM, Anatoliy Belsky wrote: Hi Chris, that's not documented on the php.net yet. I think shortening that notice is a good idea. Probably it should just stop on the first fail and warn about the incompatibility. Cheers Anatoliy Hi Anatoliy, What are the options for reverting this fix (while keeping security)? Do you have an action item to document it the change? (https://edit.php.net/ is a convenient way to update doc) Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
What are the options for reverting this fix (while keeping security)?
Thanks for the help on this, Anatoliy and Chris.
In my opinion, it is too late to revert the new behaviour.
I currently have this in my codebase:
if (version_compare(PHP_VERSION, '5.3.11') = 0) {
$magicfile = 'magic_php-gte-5_3_11.mgc';
} else {
$magicfile = 'magic_php-lt-5-3-11.mgc';
}
$magicpath = __DIR__ . /../../../config/{$magicfile};
$finfo = new finfo(FILEINFO_MIME_TYPE, $magicpath);
Adding additional ifelse clauses for (e.g.) 5.3.13 and 5.4.2, etc. sounds like
a nightmare.
The only way I could see this working is if the magic db parser somehow tries
*both* the old and new methods, and frankly, I don't think it's worth it at
this point.
This really should never have gone into .11 in the first place. The damage is
done; let's not make it worse.
S
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On 05/04/2012 03:10 PM, Sean Coates wrote: What are the options for reverting this fix (while keeping security)? Thanks for the help on this, Anatoliy and Chris. In my opinion, it is too late to revert the new behaviour. This really should never have gone into .11 in the first place. The damage is done; let's not make it worse. Anatoliy, Do you recall why bug 61504 isn't in NEWS? Can you make sure some kind of entry in NEWS mentions the change? Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
Sean, thanks for reporting that :) Chris, theoretically there were a possibility to apply the patch for 5.04 which was made first (it's attached in #61504) ... but I wouldn't call that quite rational. As Sean mentioned, it's already done. For the current patch 5.11 tests was fixed, some fixes was done over it, and it's released. Besides this, patching for 7 versions forwards wasn't that easy, so the longer it's waiting, the worst it gets. Therefore I'd really suggest here to document this and to make the warnings more meaningful. Hannes, I agree here even more than you :) . But, that was a security conditioned upgrade. The patch for 5.04 has existed shortly before the patch 5.11, but finally the 5.11 one was considered as better. The notices come directly from libmagic, so no wonder some of them are not handled properly (and they were not before). The development was concentrated more on the usage with the compiled in data (as use of the externals is rare), so I think at the end of he day a security fix is worth it. Thanks for the help guys and regards Anatoliy On Fri, 04 May 2012 15:02:21 -0700 Christopher Jones christopher.jo...@oracle.com wrote: On 05/04/2012 02:22 PM, Anatoliy Belsky wrote: Hi Chris, that's not documented on the php.net yet. I think shortening that notice is a good idea. Probably it should just stop on the first fail and warn about the incompatibility. Cheers Anatoliy Hi Anatoliy, What are the options for reverting this fix (while keeping security)? Do you have an action item to document it the change? (https://edit.php.net/ is a convenient way to update doc) Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- Anatoliy Belsky a...@php.net -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
Chris, it's already in the news http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=d26ffea8ab357a44e37044193c8b316dfaa61662;hb=704bbb3263d0ec9a6b4a767bbc516e55388f4b0e Regards Anatoliy On Fri, 04 May 2012 15:19:31 -0700 Christopher Jones christopher.jo...@oracle.com wrote: On 05/04/2012 03:10 PM, Sean Coates wrote: What are the options for reverting this fix (while keeping security)? Thanks for the help on this, Anatoliy and Chris. In my opinion, it is too late to revert the new behaviour. This really should never have gone into .11 in the first place. The damage is done; let's not make it worse. Anatoliy, Do you recall why bug 61504 isn't in NEWS? Can you make sure some kind of entry in NEWS mentions the change? Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- Anatoliy Belsky a...@php.net -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
Hi Anatoliy, I can't see the NEWS entry in the PHP-5.4 or PHP-5.3 heads: http://git.php.net/?p=php-src.git;a=blob_plain;f=NEWS;hb=refs/heads/PHP-5.4 http://git.php.net/?p=php-src.git;a=blob_plain;f=NEWS;hb=refs/heads/PHP-5.3 I can see it in NEWS from the 5.3.12.tar.bz2 bundle. This all reinforces that the PHP NEWS updating process is one of my pet peeves. In any case, the backward compatibility break isn't mentioned - this is the critical thing that should be mentioned to help end users. Chris On 05/04/2012 03:57 PM, Anatoliy Belsky wrote: Chris, it's already in the news http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=d26ffea8ab357a44e37044193c8b316dfaa61662;hb=704bbb3263d0ec9a6b4a767bbc516e55388f4b0e Regards Anatoliy On Fri, 04 May 2012 15:19:31 -0700 Christopher Joneschristopher.jo...@oracle.com wrote: On 05/04/2012 03:10 PM, Sean Coates wrote: What are the options for reverting this fix (while keeping security)? Thanks for the help on this, Anatoliy and Chris. In my opinion, it is too late to revert the new behaviour. This really should never have gone into .11 in the first place. The damage is done; let's not make it worse. Anatoliy, Do you recall why bug 61504 isn't in NEWS? Can you make sure some kind of entry in NEWS mentions the change? Thanks, Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Bug 61504 updated libmagic.patch: ext/fileinfo/libmagic.patch
On 05/04/2012 03:53 PM, Anatoliy Belsky wrote: Sean, thanks for reporting that :) Chris, theoretically there were a possibility to apply the patch for 5.04 which was made first (it's attached in #61504) ... but I wouldn't call that quite rational. As Sean mentioned, it's already done. For the current patch 5.11 tests was fixed, some fixes was done over it, and it's released. Besides this, patching for 7 versions forwards wasn't that easy, so the longer it's waiting, the worst it gets. Therefore I'd really suggest here to document this and to make the warnings more meaningful. Hannes, I agree here even more than you :) . But, that was a security conditioned upgrade. The patch for 5.04 has existed shortly before the patch 5.11, but finally the 5.11 one was considered as better. The notices come directly from libmagic, so no wonder some of them are not handled properly (and they were not before). The development was concentrated more on the usage with the compiled in data (as use of the externals is rare), so I think at the end of he day a security fix is worth it. Thanks for the help guys and regards Anatoliy We appreciate your help too. There are some lessons I've learned from this: - BC breaks are bad and should be discussed (maybe this one was, but that would have been on the security list that I'm not on) - clear documentation on any BC breakage is needed - The PHP NEWS updating process is broken. Chris -- christopher.jo...@oracle.com http://twitter.com/#!/ghrd -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
