Hi Levi,
- Original Message -
From: "Levi Morrison"
Sent: Thursday, August 06, 2015
> Don't know about Windows now... Visual Studio 2008 and 2012 (not much
> difference) are NOT optimizing away the code (other times it was GCC with
> issues). :-/ Not sure why. Of course they don't support the necessary
> compound literals anyway, but I was just testing a manual case... I'll ha
Thanks for your feedback, Anthony.
I'll take a few of your points in turn.
With regards to the fact that not all SQL queries are directly
parameterizable, this is true. Structural parts of a query, such as table
names, column names and complex conditions are hard to parameterize with
"vanilla" pr
Hi Dmitry,
- Original Message -
From: "Dmitry Stogov"
Sent: Monday, August 03, 2015
Hi Matt,
On Wed, Jul 22, 2015 at 11:16 PM, Matt Wilmas
wrote:
Hi again Dmitry, all,
Hopefully the final update on this, before all is revealed... :-)
[...]
I tried to rush and finish things up be
All,
I'd like to move the conversation towards a decision regarding PRs
1397 and 1398. These decisions are blocking random_compat as well as a
security enhancement to random_bytes (merge conflicts are *the
worst*).
Here's a quick recap
Arguments:
1. Consistency is more important than security.
Matt,
> To be clear: this feature does not track taint through escape functions,
> regular expression filters, ctype_filters and the like by design. Security
> best-practice and more than a decade of security consulting experience show
> that developers who rely on filters and escaping rarely mana
> Am 05.08.2015 um 04:57 schrieb Pierre Joye :
>
> On Wed, Aug 5, 2015 at 3:40 AM, Bob Weinand wrote:
>>
>>> Am 3.8.2015 um 22:54 schrieb Scott Arciszewski :
>>>
>>> Hi,
>>>
>>> I would like to make it easier for PHP developers to implement
>>> cryptography features in their applications. I in
On 05.08.2015 at 17:30, Nicolas Grekas wrote:
>> For windows, there is no path normalization either btw. It would make
>> realpath more expensive.
>
> I don't know what you mean by "no path normalization", but as far as the
> case is concerned, there IS normalization:
> var_dump(realpath(strtolo
Thanks for the feedback Anthony and Julien,
The case you refer to using mysqli_real_escape_string is addressed in the
RFC, and cannot be injected when this feature is enabled, as the query is
always marked as tainted and always blocked, regardless of the connection.
Here's your example running on
On Aug 5, 2015 10:30 PM, "Nicolas Grekas"
wrote:
>>
>> For windows, there is no path normalization either btw. It would make
>> realpath more expensive.
>
>
> I don't know what you mean by "no path normalization", but as far as the
> case is concerned, there IS normalization:
> var_dump(realpath(strto
>
> For windows, there is no path normalization either btw. It would make
> realpath more expensive.
>
I don't know what you mean by "no path normalization", but as far as the
case is concerned, there IS normalization:
var_dump(realpath(strtolower(__FILE__)));
var_dump(realpath(strtoupper(__FILE_
All,
On Wed, Aug 5, 2015 at 10:40 AM, Julien Pauli wrote:
> On Tue, Jul 28, 2015 at 7:33 PM, Matt Tait wrote:
>
>> Hi all,
>>
>> I've written an RFC (and PoC) about automatic detection and blocking of SQL
>> injection vulnerabilities directly from inside PHP via automated taint
>> analysis.
>>
>
> Am 05.08.2015 um 17:06 schrieb Pierre Joye :
>
> Hi,
>
> On Aug 4, 2015 7:23 PM, "Nicolas Grekas"
> wrote:
>>
>> Hello,
>>
>> I reported this bug one year ago (https://bugs.php.net/67220) and it is now
>> closed as "not a bug". I'd like this to be reconsidered.
>>
>> The documentation o
Hi,
On Aug 4, 2015 7:23 PM, "Nicolas Grekas"
wrote:
>
> Hello,
>
> I reported this bug one year ago (https://bugs.php.net/67220) and it is now
> closed as "not a bug". I'd like this to be reconsidered.
>
> The documentation of realpath() says:
>
> > realpath() expands all symbolic links and reso
On Tue, Jul 28, 2015 at 7:33 PM, Matt Tait wrote:
> Hi all,
>
> I've written an RFC (and PoC) about automatic detection and blocking of SQL
> injection vulnerabilities directly from inside PHP via automated taint
> analysis.
>
> https://wiki.php.net/rfc/sql_injection_protection
>
> In short, we m
On Tue, Aug 4, 2015 at 4:39 PM, Ferenc Kovacs wrote:
> On Tue, Aug 4, 2015 at 2:22 PM, Nicolas Grekas <
> nicolas.grekas+...@gmail.com
> > wrote:
>
> > Hello,
> >
> > I reported this bug one year ago (https://bugs.php.net/67220) and it is
> > now
> > closed as "not a bug". I'd like this to be rec
On Aug 5, 2015 9:17 AM, "Anthony Ferrara" wrote:
>
> All,
>
> > How about Anthony Ferrara (a board member for the
> > Password Hashing Contest)?
>
> For the record, my only involvement with the PHC is as a passive
> observer. I am not on the board nor have I been actively involved.
>
> Anthony
Y
All,
> How about Anthony Ferrara (a board member for the
> Password Hashing Contest)?
For the record, my only involvement with the PHC is as a passive
observer. I am not on the board nor have I been actively involved.
Anthony
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscr
On Tue, 2015-08-04 at 18:36 +0200, Ferenc Kovacs wrote:
> personally I would prefer moving to something like google groups and doing
> in a way that we can preserve archives (
I have no experience with google groups on a day to day usage basis. So
I can't judge what they might do better. But a fun
On Mon, 3 Aug 2015 at 21:54 Scott Arciszewski wrote:
> Hi,
>
> I would like to make it easier for PHP developers to implement
> cryptography features in their applications. I intend to work on some
> of these ideas and submit them for inclusion in PHP 7.1.
>
> Some of these might be familiar to s
On Tue, 4 Aug 2015, Ferenc Kovacs wrote:
> On Tue, Aug 4, 2015 at 7:18 PM, Scott Arciszewski
> wrote:
>
> > On Tue, Aug 4, 2015 at 12:36 PM, Ferenc Kovacs wrote:
> > > On Tue, Aug 4, 2015 at 6:12 PM, Terry Cullen wrote:
> > >
> > >> On Tuesday, 4 August 2015, Johannes Schlüter
> > >> wrote:
>
Hi all,
On Fri, Jul 31, 2015 at 4:44 PM, Yasuo Ohgaki wrote:
> On Thu, Jul 30, 2015 at 6:06 PM, Nikita Popov
> wrote:
>
>> On Thu, Jul 30, 2015 at 1:25 AM, Yasuo Ohgaki wrote:
>>
>>> Hi all,
>>>
>>> On Thu, Jul 30, 2015 at 7:44 AM, Yasuo Ohgaki
>>> wrote:
>>>
On Thu, Jul 30, 2015 at 1:13
Results for project php-src-nightly, build date 2015-08-05 05:00:00+03:00
commit: 668ecaa606b3203311b3329fcbd49b59f715e1e4
revision_date:2015-08-04 18:21:05+03:00
environment: Haswell-EP
cpu: Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores, stepping 2,
LLC 45 MB