On Wed, Apr 17, 2019 at 12:44 AM Stanislav Malyshev
wrote:
> Hi!
>
> > 2. Improve caller control on unserialization. Change the signature to
> > public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and
> > invoke the behavior similar to how unserialize itself works. Since all
> >
Hi!
> 2. Improve caller control on unserialization. Change the signature to
> public Phar::getMetadata ( mixed $allowed_classes = true ) : mixed, and
> invoke the behavior similar to how unserialize itself works. Since all
> of this problem stems from the use of untrusted content on the phar://
>
Hi!
> This issue was discussed in this list before.
> As long as PHP calls unserialize for phar metadata, object injection is
> possible
> which may allow malicious code execution.
Right. That's why I want to make it not unserialize this data unless
it's explicitly being requested.
> I'm not
On Tue, Apr 16, 2019 at 10:55 PM Bishop Bettini wrote:
> On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote:
>
>> On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev
>> wrote:
>>
>> > Hi!
>> >
>> > > Thanks for responding to this issue.
>> > >
>> > > Will calling getMetaData still parse and
>>
Somebody wrote somewhere:
>
> > Would you agree if things are done correctly that it is in everyone's best
> > interests to keep a solid and well-maintained driver for InterBase and
> > Firebird in the core?
No.
When PHP first became widely used, distributing software was
difficult, and having
On Di, 2019-04-16 at 09:46 -0600, Levi Morrison wrote:
>
> I'd be happy to work help with the CMake port, as I know it a decent
> bit, but I don't have enough time to champion the whole thing.
>
That has been done ages ago:
http://svn.php.net/viewvc/php/cmake/
Back then it didn't have any
Hi
Den tir. 16. apr. 2019 kl. 20.38 skrev Jason Wharton :
>
> Kalle,
>
> I am not intimately aware of the details of how things have been maintained
> in the past by Lester. But, it didn't sound to me as if Lester was patching
> his own build of PHP or trying to take short-cuts in a bad way. He
On 16/04/2019 18:20, Kalle Sommer Nielsen wrote:
Every time the topic of interbase comes up, you always refer to
applying fixes, yet I'm yet to see any contributions from you to
actually maintain the code at php-src, am I to understand that this
means you patch your own builds of PHP? Because
Den tir. 16. apr. 2019 kl. 20.09 skrev Lester Caine :
> The 'advantage' up to now of being in core has been that the BULK of the
> code changes have been required to track changes in the PHP side of the
> interface. The core SQL interface has not basically changed so up until
> now it has worked
On 16/04/2019 14:29, Chase Peeler wrote:
Not once has the fact that an extension exists in PECL instead of core
prevented me from utilizing that extension. The only thing that has ever
prevented me from using an extension is when it is not maintained. I've
been following this entire thread, and
If we change anything about our build system, I think it ought to be
switching to CMake instead. This supports multiple backends, including
generating project files for IDEs, and is designed to be portable,
instead of targeting only GNU systems. This means we can use a single
build system instead
On Sun, Apr 14, 2019 at 12:07 PM Peter Kokot wrote:
> Hello,
>
> people familiar with the PHP *nix build system today can be probably
> counted on the fingers of two hands, so I'm hoping to get some answer
> also here.
>
> Does anyone maybe still have any insights on which Make version does
>
On Tue, Apr 16, 2019 at 6:38 AM Yasuo Ohgaki wrote:
> On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev
> wrote:
>
> > Hi!
> >
> > > Thanks for responding to this issue.
> > >
> > > Will calling getMetaData still parse and
> > > execute malicious code?
> >
> > If it's contained in phar and
On Tue, Apr 16, 2019 at 8:12 AM Kalle Sommer Nielsen wrote:
> Hi
>
> Discussions regarding PHP should be in the public and on the PHP
> internals mailing lists, not in private so I'm forwarding this email
> to its proper place.
>
> Den tir. 16. apr. 2019 kl. 02.40 skrev Jason Wharton :
> > I
Hi
Discussions regarding PHP should be in the public and on the PHP
internals mailing lists, not in private so I'm forwarding this email
to its proper place.
Den tir. 16. apr. 2019 kl. 02.40 skrev Jason Wharton :
> I would like to introduce myself as the newly elected President of the
> Firebird
On Mon, Apr 15, 2019 at 3:28 PM Stanislav Malyshev
wrote:
> Hi!
>
> > Thanks for responding to this issue.
> >
> > Will calling getMetaData still parse and
> > execute malicious code?
>
> If it's contained in phar and serialized data and the surrounding code
> (I understand that most techniques
16 matches