[PHP-WEBMASTER] Sec Bug->Bug #81523 [Opn]: The search bar in your site no contains atributte "maxlenght"

2023-05-24 Thread stas
Edit report at https://bugs.php.net/bug.php?id=81523=1

 ID: 81523
 Updated by: s...@php.net
 Reported by:neibase123 at gmail dot com
 Summary:The search bar in your site no contains atributte
 "maxlenght"
 Status: Open
-Type:   Security
+Type:   Bug
 Package:Website problem
 Operating System:   irrelevante
 PHP Version:Irrelevant
 Block user comment: N
 Private report: N



Previous Comments:

[2021-10-14 10:06:04] c...@php.net

The missing maxlength attribute is certainly not a security issue,
since a client can ignore that.  Not restricting the length
server-side, however, might be an issue in this case.

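The comment above makes the point that matters for this report: a maxlength attribute is a hint to the browser, and the report's own test script shows it can be set aside from the console, so only a server-side limit counts. The following is an added example, not php.net's code and not part of the report; the limit MAX_PATTERN_CHARS and the function names are assumptions, since the page does not say what limit php.net enforces.

```javascript
// Added example, not code from php.net: a server-side length limit for the
// search "pattern" parameter. The browser's maxlength attribute is only a UI
// hint and can be bypassed from the console, so the server must enforce the
// limit itself. MAX_PATTERN_CHARS and the function names are assumptions;
// the page does not state php.net's real limit.

const MAX_PATTERN_CHARS = 128;                   // assumed limit, in Unicode code points
const MAX_PATTERN_BYTES = MAX_PATTERN_CHARS * 4; // UTF-8 upper bound for that many code points

// Validate the raw parameter value. Returns { ok: true, pattern } or
// { ok: false, status, error }.
function validateSearchPattern(raw) {
  if (typeof raw !== "string") {
    return { ok: false, status: 400, error: "pattern must be a single string" };
  }
  const pattern = raw.trim();
  if (pattern.length === 0) {
    return { ok: false, status: 400, error: "pattern is empty" };
  }
  // Count code points rather than UTF-16 units so astral characters are not
  // double-counted, and cap the encoded size the backend would actually see.
  const codePoints = Array.from(pattern).length;
  const bytes = new TextEncoder().encode(pattern).length;
  if (codePoints > MAX_PATTERN_CHARS || bytes > MAX_PATTERN_BYTES) {
    return { ok: false, status: 400, error: `pattern longer than ${MAX_PATTERN_CHARS} characters` };
  }
  return { ok: true, pattern };
}

// Minimal request handler over a parsed query string (URLSearchParams).
// Rejected requests never reach the search backend.
function handleSearch(query) {
  const result = validateSearchPattern(query.get("pattern"));
  if (!result.ok) {
    return { status: result.status, body: result.error };
  }
  // The real search would run here with result.pattern.
  return { status: 200, body: `searching for ${result.pattern}` };
}

// Constructed sample requests: a normal query and the 1000-character value
// from the bug report's test script.
const NORMAL_QUERY = new URLSearchParams({ pattern: "str_replace" });
const OVERSIZED_QUERY = new URLSearchParams({ pattern: "A".repeat(1000) });

console.log(handleSearch(NORMAL_QUERY));    // { status: 200, body: 'searching for str_replace' }
console.log(handleSearch(OVERSIZED_QUERY)); // { status: 400, body: 'pattern longer than 128 characters' }
```

The check counts code points and encoded bytes separately so that a limit stated in "characters" cannot be stretched by multi-byte input, and it rejects before any search work is done, which is the only place the limit can protect the backend.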

[2021-10-13 17:06:11] neibase123 at gmail dot com

Description:

Your site's search bar doesn't contain the "maxlength" HTML attribute. I enter 
an absurd amount of characters; if your server doesn't filter these characters, 
they can cause a Denial of Service attack.

Test script:
---
// This script works on any page of the site that contains the search bar.
// Please paste the lines one by one into the browser console.
// Tested on https://www.php.net/

// Set the search field to 1000 characters, ignoring any client-side limit.
document.getElementsByName("pattern")[0].value = "A".repeat(1000);

// Read the value back to confirm it was accepted.
document.getElementsByName("pattern")[0].value;

Expected result:

Demonstrates how a huge value can be set in the search bar; if the attacker 
enters it and your server doesn't filter these characters, they can cause a DoS 
attack.







--
Edit this bug report at https://bugs.php.net/bug.php?id=81523=1

-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-WEBMASTER] Bug #78911 [Opn->Wfx]: Please do not show e-mails from bug reporters in plain text in this site!

2019-12-05 Thread stas
Edit report at https://bugs.php.net/bug.php?id=78911=1

 ID: 78911
 Updated by: s...@php.net
 Reported by:oma2000 at hotmail dot com
 Summary:Please do not show e-mails from bug reporters in
 plain text in this site!
-Status: Open
+Status: Wont fix
 Type:   Bug
 Package:Website problem
 Operating System:   N/A
 PHP Version:Irrelevant
 Block user comment: N
 Private report: N

 New Comment:

If you have a problem with that, create a dedicated email address for PHP bug 
reporting (those can be had for free from about 9000 free email providers). 
Most of those also have pretty effective anti-spam filters.


Previous Comments:

[2019-12-04 12:27:31] oma2000 at hotmail dot com

Also, if I try to change my mail to prevent it from being on a public website, 
this e-mail is still being shown in the "History" section of the bug report, so 
I really can't remove it! Please, do not show e-mail addresses in the "History" 
section.


[2019-12-04 12:25:30] oma2000 at hotmail dot com

Description:

I just filed a bug and I just noticed my e-mail is publicly shown in plain 
text, just replacing "." with "dot" and "@" with "at".

Do you really think such a crude way of "obfuscating" an e-mail address is 
going to stop spammer bots from harvesting it?

The e-mail should not be visible at all to begin with!
But if you absolutely need to display the e-mail address, please use a more 
advanced way of mail address obfuscation.

Expected result:

E-mails should never be shown in a public website directly reachable from 
search engines.

Actual result:
--
Do not show e-mails in a public website.






--
Edit this bug report at https://bugs.php.net/bug.php?id=78911=1




[PHP-WEBMASTER] Sec Bug->Bug #78911 [Opn]: Please do not show e-mails from bug reporters in plain text in this site!

2019-12-05 Thread stas
Edit report at https://bugs.php.net/bug.php?id=78911=1

 ID: 78911
 Updated by: s...@php.net
 Reported by:oma2000 at hotmail dot com
 Summary:Please do not show e-mails from bug reporters in
 plain text in this site!
 Status: Open
-Type:   Security
+Type:   Bug
 Package:Website problem
 Operating System:   N/A
 PHP Version:Irrelevant
 Block user comment: N
 Private report: Y



Previous Comments:

[2019-12-04 12:27:31] oma2000 at hotmail dot com

Also, if I try to change my mail to prevent it from being on a public website, 
this e-mail is still being shown in the "History" section of the bug report, so 
I really can't remove it! Please, do not show e-mail addresses in the "History" 
section.


[2019-12-04 12:25:30] oma2000 at hotmail dot com

Description:

I just filed a bug and I just noticed my e-mail is publicly shown in plain 
text, just replacing "." with "dot" and "@" with "at".

Do you really think such a crude way of "obfuscating" an e-mail address is 
going to stop spammer bots from harvesting it?

The e-mail should not be visible at all to begin with!
But if you absolutely need to display the e-mail address, please use a more 
advanced way of mail address obfuscation.

Expected result:

E-mails should never be shown in a public website directly reachable from 
search engines.

Actual result:
--
Do not show e-mails in a public website.






--
Edit this bug report at https://bugs.php.net/bug.php?id=78911=1




[PHP-WEBMASTER] Sec Bug->Bug #71161 [Opn]: server status enabled

2015-12-18 Thread stas
Edit report at https://bugs.php.net/bug.php?id=71161=1

 ID: 71161
 Updated by: s...@php.net
 Reported by:eusebiu dot blindu at testalways dot com
 Summary:server status enabled
 Status: Open
-Type:   Security
+Type:   Bug
-Package:Doc Build problem
+Package:Website problem
 PHP Version:Irrelevant
 Block user comment: N
 Private report: Y



Previous Comments:

[2015-12-18 19:40:02] eusebiu dot blindu at testalways dot com

Description:

server status enabled in:

http://pair1.php.net:80/server-status
http://php-git1.php.net:80/server-status
https://php-git1.php.net:443/server-status
http://sgrv4.php.net:80/server-status
https://sgrv4.php.net:443/server-status
http://sp2.php.net:80/server-status


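As an added example, not php.net's code and not part of the report: a defender reviewing hosts like the ones listed above would first restrict mod_status in the Apache configuration so that only local or monitoring clients can reach it, and then check the access logs for evidence that the endpoint was served to outside clients while it was open. The script below does that log check over constructed combined-format lines; the regular expression, the helper names and the treatment of loopback and RFC 1918 ranges as "local" are assumptions.

```javascript
// Added example, not code from php.net: audit Apache access logs for
// requests to the mod_status endpoint that were answered to non-local
// clients. The log lines are constructed; names and ranges are assumptions.

// Apache "combined" log format:
// host ident user [time] "method path protocol" status size "referer" "agent"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]+)" (\d{3}) (\S+)/;

const STATUS_PATH = "/server-status";

// Loopback and RFC 1918 ranges are treated as local monitoring traffic
// (an assumption; adjust to the monitoring hosts you actually use).
function isLocalAddress(ip) {
  return ip === "127.0.0.1" || ip === "::1" ||
    /^10\./.test(ip) || /^192\.168\./.test(ip) ||
    /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
}

// Parse one combined-format line into fields, or return null if it does not match.
function parseAccessLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[6]) };
}

// Return the entries showing /server-status served (HTTP 200) to a non-local
// client: direct evidence that the endpoint was exposed.
function findExposedStatusHits(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseAccessLine(line);
    if (!entry) continue;
    const path = entry.path.split("?")[0]; // ignore "?auto" and similar
    if (path === STATUS_PATH && entry.status === 200 && !isLocalAddress(entry.ip)) {
      hits.push(entry);
    }
  }
  return hits;
}

// Constructed sample log lines (documentation-range addresses).
const SAMPLE_LOG = [
  '127.0.0.1 - - [18/Dec/2015:19:30:01 +0000] "GET /server-status?auto HTTP/1.1" 200 812 "-" "monitoring/1.0"',
  '203.0.113.5 - - [18/Dec/2015:19:31:12 +0000] "GET /server-status HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [18/Dec/2015:19:32:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.45"',
  '198.51.100.7 - - [18/Dec/2015:19:33:05 +0000] "GET /index.php HTTP/1.1" 200 5001 "-" "Mozilla/5.0"',
  "garbage line that does not parse",
];

for (const hit of findExposedStatusHits(SAMPLE_LOG)) {
  console.log(`exposed: ${hit.ip} fetched ${hit.path} at ${hit.time}`);
}
```

Only the second line is reported: the loopback request is expected monitoring traffic, the 403 shows the restriction working, and the index.php request is unrelated. Unparseable lines are skipped rather than aborting the scan.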






--
Edit this bug report at https://bugs.php.net/bug.php?id=71161=1




[PHP-WEBMASTER] Re: [PHP-DEV] Re: [PHP-WEBMASTER] Re: [PHP-DEV] about the latest frontpage entry

2014-05-29 Thread Stas Malyshev
Hi Joe!

I think however anyone sees the announcement you have authored, it is a
new thing that was never done before on php.net, and we all agree on
that. And it came as a surprise to many participants of the project. I
think in the PHP project we see php.net as something representing all of
us, and it was a big surprise to find there something very new that most
of us never heard about.

You are completely correct that never doing something before does not
mean we should not be doing it. However, doing it by surprise is not
always the best way. Not everybody likes surprises, especially surprises
of a kind that may be taken as representing the community without
actually asking most of the people in the community. I understand that
it was done with best intentions, but how things are done is no less
important. And I think in this case how it was done is unfortunate, and
it caught many people by surprise, and that caused a negative reaction.

I personally think the idea to have a developer blog is excellent, I
still remember fondly the weekly summaries of the early days, and I
think if somebody would take on himself (or herself) a great task of
making sense of what happens on the list and present it in exportable
form, I can only applaud such person.

And if it were done as a separate blog, I think nobody would have
anything but the best wishes. I personally appreciate the idea and what
would be the best way to start the dev blog if not the article about phpng?

However, php.net frontpage is kind of special place for the project, and
starting the previously unknown project right there without any
announcement - that was not the best idea.

 try again, the idea that we must gather a consensus on facts before
 communicating them is dysfunctional, and it was completely pointless to
 remove indexed content from the front page other than to flex your I'm
 going to get my own way muscles; it was already being read, all you really
 done there is piss me off, and make everyone look foolish, but especially
 me.

I don't think it was anybody's intent to make anybody look foolish, and
I do not think that actually happened. People, even with the best
intentions, sometimes make mistakes. That doesn't make them fools,
unless we say literally everybody is a fool. These mistakes have to be
fixed and we have to think how we can do better next time, but it's not
the reason to hurl accusations around and give up on cooperating.
PHP is a pretty egalitarian project in its makeup - a lot of people have
commit rights to various parts and can add or remove content. That is
the reason why, I think, before doing things that have a chance of being
controversial it is a very good idea to ask people about it, and if you
think that makes the project dysfunctional then I guess we must disagree
on that, because I think this is exactly the thing that makes the
project functional - maintaining the good will and concern about others
and not everybody just doing their own thing with zero regard to anybody
else.

 Those people I respect understand what I was doing and why, and are still
 supportive of the idea to have a developer blog it's just a shame that we
 seem to have a community that is incompatible, completely incompatible.

I'm not sure what you mean by the last phrase, but I think, as I already
said, that having such a blog would be a great idea. It just has to be
done differently, not by putting it on php.net by surprise. I cannot
speak for everybody, but I think and hope that if you'd like to try
again and do it in a different fashion, you'd get a much wider support
and appreciation.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227




[PHP-WEBMASTER] Re: [PHP-DEV] RFC votes no longer visible

2014-01-06 Thread Stas Malyshev
Hi!

 I’d rather see discussion on the subject than an immediate revert; not that
 I’m against reverting in any way. Let’s make the changes, if we do decide
 to make any, be beneficial.

I don't think this is how it should work. This is a pretty big change in
the voting process; it should be discussed *first*, and only then merged, if
it's agreeable. Going back to the old "first merge, then maybe discuss
if enough people protest" is not a good development. It's not the PHP
source code but the community environment now, but it doesn't differ - we
should still do it the right way. I don't see this change as anything
urgent or necessary to be put in immediately, and there are obvious
objections from many people - myself included, btw. So let's please
first back off the controversial change and then discuss it.

 It had been around for such a long time that I figure any complaints would
 have been raised and addressed between the initial PR [1] and now.  Funny

Nobody looked at this PR or knew it was going to be merged. That's why we
have a process of announcing things and initiating discussion - because
most people don't regularly review all pulls that are pending in all repos.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227




Re: [PHP-WEBMASTER] com web/php: fix signature link: include/layout.inc

2013-11-17 Thread Stas Malyshev
Hi!

 On Sun, Nov 17, 2013 at 3:52 PM, Stanislav Malyshev s...@php.net wrote:
 Commit:989246fb3b836e1695d3d869bac4ad11756bd774
 Author:Stanislav Malyshev smalys...@gmail.com Sun, 17 Nov 2013 
 15:52:01 -0800
 Parents:   17380e9c9de75d0b6037b8d3dbab6b347baadef1
 Branches:  master

 Link:   
 http://git.php.net/?p=web/php.git;a=commitdiff;h=989246fb3b836e1695d3d869bac4ad11756bd774

 Log:
 fix signature link

 Are you sure those files are correct?
Both verify fine for me with local packages and ones downloaded from
us1.php.net. Where did you download the packages from?





[PHP-WEBMASTER] Sec Bug->Bug #64379 [Opn]: PECL account application: double escaping bug

2013-05-20 Thread stas
Edit report at https://bugs.php.net/bug.php?id=64379edit=1

 ID: 64379
 Updated by: s...@php.net
 Reported by:marco at m-s-d dot eu
 Summary:PECL account application: double escaping bug
 Status: Open
-Type:   Security
+Type:   Bug
 Package:Website problem
 PHP Version:Irrelevant
 Block user comment: N
 Private report: Y



Previous Comments:

[2013-03-07 19:22:15] marco at m-s-d dot eu

Description:

The PECL account application form on pecl.php.net/account-request.php suffers from
a double-escape bug: the  character becomes escaped in plaintext emails, as can
be seen on http://news.php.net/php.pecl.dev/10430

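The report above describes the usual shape of a double-escaping bug: a value is HTML-encoded before it is stored or passed along, and the plaintext email path (which needs no HTML encoding at all) then carries the already-encoded text, or an HTML sink encodes it a second time. The following is an added example, not pecl.php.net's code, showing that flow beside the fix of encoding only at each output sink; the function names and the sample applicant text are assumptions.

```javascript
// Added example, not code from pecl.php.net: how HTML-escaping at the wrong
// layer produces double escaping in a plaintext email, and how encoding only
// at each output sink avoids it. Function names and sample input are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };

// Encode a string for insertion into HTML text content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Buggy flow: the form value is HTML-escaped when it is processed, and the
// mail builder escapes it again, so "&" becomes "&amp;amp;" and "<" becomes
// "&amp;lt;" in a plaintext email that should contain no entities at all.
function buildAccountMailBuggy(purpose) {
  const stored = escapeHtml(purpose); // escaped too early, in the wrong layer
  return `Purpose: ${escapeHtml(stored)}`;
}

// Fixed flow: keep the raw value and encode only at each output sink,
// according to that sink's rules. A plaintext email sink applies no HTML
// encoding; an HTML page sink encodes exactly once.
function buildAccountMailFixed(purpose) {
  return `Purpose: ${purpose}`;
}

function renderAccountPageFixed(purpose) {
  return `<p>Purpose: ${escapeHtml(purpose)}</p>`;
}

// Constructed sample input from a hypothetical applicant.
const SAMPLE_PURPOSE = "Bindings for <libfoo> & friends";

console.log(buildAccountMailBuggy(SAMPLE_PURPOSE));  // Purpose: Bindings for &amp;lt;libfoo&amp;gt; &amp;amp; friends
console.log(buildAccountMailFixed(SAMPLE_PURPOSE));  // Purpose: Bindings for <libfoo> & friends
console.log(renderAccountPageFixed(SAMPLE_PURPOSE)); // <p>Purpose: Bindings for &lt;libfoo&gt; &amp; friends</p>
```

The design rule is that stored data stays raw and each sink owns its own encoding; once a value is encoded for one context it is no longer safe to reuse in another, which is exactly what the email path in the report tripped over.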






-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64379edit=1
