[PHP-DEV] uhm.. *swallows*.. security thingy?
There's a problem with PHP cgi binaries:

<CaPS_> (was a CVS, so..)
<CaPS_> which reminds me
<CaPS_> remember my ranting about php.ini derick?
<CaPS_> (it opens ./php.ini, config_file_path/php.ini, checks PHPRC environment)
<CaPS_> in that order
<CaPS_> I got some 'friends' who work at hosters
<CaPS_> and they don't like that
<CaPS_> cos, ./php.ini will enable users to override safe mode
<CaPS_> made a lill patch for him so it wouldn't
<CaPS_> but, isn't it an idea to add --restrictive-hosting or something that'll ''activate'' that patch ?
<CaPS_> (limit php.ini to be in config-file-path)
<OpenSrc> yes
<OpenSrc> no switch
<OpenSrc> just reverse it :)
<CaPS_> que
<CaPS_> ?
<OpenSrc> change the order
<OpenSrc> let the MAIN php.ini override values in PHPRC/php.ini
<CaPS_> it doesn't sequentially parse them
<CaPS_> but one
<OpenSrc> oh
<OpenSrc> then that need to be fixed :)
<CaPS_> either ./php.ini, php.ini or PHPRC
<OpenSrc> write it to php-dev

It allows users to set their own options in a ./php.ini, as in override user_dir, open_basedir and safe_mode. My default php.ini has error_reporting set to E_ALL:

test.php:
<?php echo $test; ?>

php.ini-ex:
error_reporting = E_ALL & ~E_NOTICE

caps@anaina:~/php-4.1.0$ ./php -q test.php
PHP Warning:  undefined variable: test in /home/caps/php-4.1.0/test.php on line 3
caps@anaina:~/php-4.1.0$ mv php.ini-ex php.ini
caps@anaina:~/php-4.1.0$ ./php -q test.php
caps@anaina:~/php-4.1.0$

This was reported and discussed (on IRC) first on Nov 15 (http://bugs.php.net/bug.php?id=14071), granted.. filed incorrectly. I'd say this is quite serious when you're a hoster who only allows PHP in CGI mode.

Wouter de Jong is the one who actually discovered this.

-- 
Mathieu 'CaPS_' Kooiman [EMAIL PROTECTED]
MAP Internet Services

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] uhm.. *swallows*.. security thingy?
On Tue, 2001-12-11 at 14:04, Zeev Suraski wrote:
> At 12:36 11/12/2001, Mathieu Kooiman wrote:
> > On Tue, 2001-12-11 at 11:29, Zeev Suraski wrote:
> > > Would the cwd of the PHP CGI be inside the user's dir? Did you test it in a real CGI environment?
> > > Zeev
> > Err, PHP CGI would be in /usr/local/bin/php..
> Yeah, but that's not what I asked - I asked about the cwd (current working directory :)

There are situations where you have like:

/opt/guide/somesite.com/cgi-bin
/opt/guide/somesite.com/htdocs
/opt/guide/somesite.com/logs

cgi-bin and htdocs (2 possible cwds) are under user control. (if *that*'s what you meant)

'Wouter' tells me he has tested it in a real CGI environment.

> This is exploitable iff the cwd of PHP when running as a CGI is a directory under the user's control.
> Zeev
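An added audit script, not code from this thread, that checks a hosting tree for the condition Zeev states: a php.ini sitting in a cwd under user control (cgi-bin or htdocs) that sets safe_mode, open_basedir or user_dir. The /opt/guide/<site>/{cgi-bin,htdocs,logs} layout and the directive list are assumptions taken from the thread.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Hosting roots are assumed to be
# laid out like /opt/guide/<site>/{cgi-bin,htdocs,logs} as in Mathieu's reply;
# the directive list is the one the thread names (plus disable_functions).

# find_user_php_ini ROOT...: every php.ini below a cgi-bin or htdocs directory
# under ROOT, i.e. the two candidate cwds a customer can control.
find_user_php_ini() {
    for root in "$@"; do
        find "$root" -type f -name php.ini \
            \( -path '*/cgi-bin/*' -o -path '*/htdocs/*' \) 2>/dev/null
    done | sort
}

# risky_directives FILE: print "directive=value" for the settings a ./php.ini
# can use to loosen the server-wide policy. Comments and whitespace dropped.
risky_directives() {
    sed -e 's/[;#].*$//' -e 's/[[:space:]]//g' "$1" |
        grep -E '^(safe_mode|open_basedir|user_dir|disable_functions)=' || true
}

# report_overrides ROOT...: one "OVERRIDE: <file>" line per php.ini that sets a
# risky directive, followed by the offending lines, indented.
report_overrides() {
    find_user_php_ini "$@" | while IFS= read -r f; do
        found=$(risky_directives "$f")
        [ -n "$found" ] || continue
        echo "OVERRIDE: $f"
        printf '%s\n' "$found" | sed 's/^/    /'
    done
}

# count_overrides ROOT...: number of flagged files; non-zero means a cwd
# php.ini would win over the global one for CGI requests from that site.
count_overrides() {
    report_overrides "$@" | grep -c '^OVERRIDE: ' || true
}

if [ "$#" -gt 0 ]; then
    report_overrides "$@"
    echo "flagged: $(count_overrides "$@")"
fi
```

Run it as `sh audit.sh /opt/guide` from cron; any non-zero "flagged" count means the global php.ini is not the one that applies for that site's CGI requests.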
[PHP-DEV] zend_parse_parameters()
Hiya,

For my module I've been playing with zend_parse_parameters(). I ran into something weird though:

--
zval *rsrc_pdb;
char *data;
int s_len = 0, index = 0, mode = PDB_ADD_APPEND;

if ( zend_parse_parameters ( ZEND_NUM_ARGS() TSRMLS_CC, "rsdd", &rsrc_pdb, &data, &s_len, &index, &mode) == FAILURE) {
    return;
}
--

This works. As in, it doesn't return FAILURE. However, after inspecting this with gdb, s_len seems to still be 0 after calling zend_parse_parameters().. Am I doing something wrong or is zend_parse_parameters() ??

Mathieu
Re: [PHP-DEV] zend_parse_parameters()
On Tue, 2001-12-04 at 15:02, Markus Fischer wrote:
> You're trying to fit a double into an int .. doesn't seem right to me.
> int is 4 bytes, double 8 bytes (at least on i386 here).
> - Markus

README.PARAMETERS_PARSING_API tells me 's' gets you the string and its length.. Quote:

Examples

/* Gets a long, a string and its length, and a zval */
long l;
char *s;
int s_len;
zval *param;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lsz", &l, &s, &s_len, &param) == FAILURE) {
    return;
}

So IMO, my code should work..

> On Tue, Dec 04, 2001 at 02:47:05PM +0100, Mathieu Kooiman wrote :
> > For my module I've been playing with zend_parse_parameters(). I ran into something weird though:
> >
> > --
> > zval *rsrc_pdb;
> > char *data;
> > int s_len = 0, index = 0, mode = PDB_ADD_APPEND;
> >
> > if ( zend_parse_parameters ( ZEND_NUM_ARGS() TSRMLS_CC, "rsdd", &rsrc_pdb, &data, &s_len, &index, &mode) == FAILURE) {
> >     return;
> > }
> > --
> >
> > This works. As in, it doesn't return FAILURE. However, after inspecting this with gdb, s_len seems to still be 0 after calling zend_parse_parameters().. Am I doing something wrong or is zend_parse_parameters() ??
> >
> > Mathieu
>
> -- 
> Please always Cc to me when replying to me on the lists.
Re: [PHP-DEV] zend_parse_parameters()
You're right, sorry :-) Thanks Markus.. (and Derick too :D )

-- 
Mathieu

On Tue, 2001-12-04 at 15:07, Markus Fischer wrote:
> Yo !
>
> But you specified two doubles dd after the string and try to fit them into ints!
>
> - Markus
>
> On Tue, Dec 04, 2001 at 03:00:13PM +0100, Mathieu Kooiman wrote :
> > On Tue, 2001-12-04 at 15:02, Markus Fischer wrote:
> > > You're trying to fit a double into an int .. doesn't seem right to me.
> > > int is 4 bytes, double 8 bytes (at least on i386 here).
> > > - Markus
> >
> > README.PARAMETERS_PARSING_API tells me 's' gets you the string and its length.. Quote:
> >
> > Examples
> >
> > /* Gets a long, a string and its length, and a zval */
> > long l;
> > char *s;
> > int s_len;
> > zval *param;
> >
> > if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lsz", &l, &s, &s_len, &param) == FAILURE) {
> >     return;
> > }
> >
> > So IMO, my code should work..
> >
> > > On Tue, Dec 04, 2001 at 02:47:05PM +0100, Mathieu Kooiman wrote :
> > > > For my module I've been playing with zend_parse_parameters(). I ran into something weird though:
> > > >
> > > > --
> > > > zval *rsrc_pdb;
> > > > char *data;
> > > > int s_len = 0, index = 0, mode = PDB_ADD_APPEND;
> > > >
> > > > if ( zend_parse_parameters ( ZEND_NUM_ARGS() TSRMLS_CC, "rsdd", &rsrc_pdb, &data, &s_len, &index, &mode) == FAILURE) {
> > > >     return;
> > > > }
> > > > --
> > > >
> > > > This works. As in, it doesn't return FAILURE. However, after inspecting this with gdb, s_len seems to still be 0 after calling zend_parse_parameters().. Am I doing something wrong or is zend_parse_parameters() ??
> > > >
> > > > Mathieu
> > >
> > > -- 
> > > Please always Cc to me when replying to me on the lists.
>
> -- 
> Please always Cc to me when replying to me on the lists.
[PHP-DEV] PHP Module for reading/writing Palmtop .PDB files..
Hiya,

I'm almost done writing a PHP module for my library, pdb-lib, which enables you to read and write .PDB files on the PC. This library is not YET available. I have some question pending somewhere and after that I'll release it (GPL).

Is there any interest in adding this to the PHP dist ?

-- 
Mathieu
Re: [PHP-DEV] PHP Module for reading/writing Palmtop .PDB files..
On Mon, 2001-12-03 at 10:03, Sterling Hughes wrote:
> > Hiya,
> >
> > I'm almost done writing a PHP module for my library, pdb-lib, which enables you to read and write .PDB files on the PC. This library is not YET available. I have some question pending somewhere and after that I'll release it (GPL).
> >
> > Is there any interest in adding this to the PHP dist ?
>
> Well, I think its more appropriate for PECL (its cool - I just don't see a reason to add it to the main distribution).

What's this PECL ? PHP's Enormously Cool Library ?

> But aside from that we can't add code that links to GPL software in the PHP distribution simply cause the PHP license and GPL conflict (LGPL is fine btw).

Reality check, so if the Library is under GPL, it can't be added? Or if the MODULE is under GPL.. cos.. heck, I'll make it LGPL..

> -Sterling

-- 
Mathieu
Re: [PHP-DEV] python dictionary-like % (percent) substitution inphp (was: Good idea in % (percent) substitutions in string)
On Tue, 28 Aug 2001, it was written:

> I have seen that in php there isn't anything similar to dictionary substitution in python. (a dictionary is an array with string keys, like hash in perl)
>
> This change consists in adding two functions (a stays for array):
>
> aprintf(string format, array dict)  -- like printf, print the result
> saprintf(string format, array dict) -- like sprintf, return the result
>
> It works like this (written in php-like language):
>
> format = "my name is %(name)s and i'm %(age)s"
> dict = array( name => tom, age => eighteen );
>
> (in php, unlike python, it is possible to make an array with both string and number indices, so the format can also be %(2)s, ...)
>
> aprintf(format, dict)  -- prints "my name is tom and i'm eighteen"
> saprintf(format, dict) -- returns "my name is tom and i'm eighteen"
>
> In python, these substitutions are very useful, especially in cgi programming, for making templates from text files; in php they could be useful in, for example, language customisation, or message formatting, etc...
>
> An example:
>
> if ($lang == it)
>     define(MESSAGE, "il %(animal)s %(color)s sta %(action)s %(target)s");
> else
>     define(MESSAGE, "the %(color)s %(animal)s is %(action)s");
>
> aprintf(MESSAGE, array(animal => cobra, color => green, action => eating, target => mouse));
> // if the %(target)s isn't found, it is ignored.
>
> (the s terminator could be substituted with other letters, like d for numbers, etc...)
>
> This approach has several advantages over something like this:
>
> the $color $animal is $action
>
> because in this phrase, variables are substituted when the parser executes it, and in this case:
>
> the %(color)s %(animal)s is %(action)s
>
> parameters are substituted only when the phrase is parsed with a specialized function like aprintf.
>
> I think that this is a good idea and could save a lot of time when the program needs to be as modular as possible.
>
> Federico Marani [EMAIL PROTECTED]
Re: [PHP-DEV] python dictionary-like % (percent) substitution inphp (was: Good idea in % (percent) substitutions in string)
Crap! Hit send for some reason.. When I just decided to *not* send anything :P Sorry.

Kind regards,
Mathieu Kooiman [EMAIL PROTECTED], [EMAIL PROTECTED]
[PHP-DEV] Ncurses Patch
I added some functions to the ncurses function to make it a bit more usable..

Mathieu Kooiman

ncurses_diff.gz