Hi, I've been using PHP for a long time and have recently found a
couple of major bugs that would allow pretty much any user on a shared
web hosting server to read other users' files. The conditions for this
exploit are quite common. Also, from what I can tell, this exploit
would not be very
Is that a publicly accessible mailing list or does it just go to a
few people?
On Mon, Apr 04, 2005 at 04:35:59AM GMT, Rasmus Lerdorf [EMAIL PROTECTED] said
the following:
> Such issues should be directed to [EMAIL PROTECTED]
>
> Mark Krenz wrote:
> > Hi, I've been
I agree
I give it a -1 too.
On Mon, Jun 06, 2005 at 07:04:56AM GMT, Sascha Schumann [EMAIL PROTECTED] said
the following:
> > So +1 from me. (wasn't there a patch for this already somewhere?)
>
> PHP has enough horrid language misfeatures. It does not need
> another one. Seeing th
suso.org/xulu/Web_hosting_providers_with_poor_security),
this will just make many more insecure as well. Even the ones that try
at least somewhat to protect themselves.
Mark
On Mon, Aug 27, 2007 at 05:59:16AM GMT, Rasmus Lerdorf [EMAIL PROTECTED] said
the following:
> Mark Krenz wrote:
&g
On Mon, Nov 05, 2007 at 05:28:07PM GMT, Cristian Rodriguez [EMAIL PROTECTED]
said the following:
>
> safe_mode does not really resist any analysis, whoever convinced you
> that it is a good thing does not have a clue.
>
I've done the analysis, so you're saying that I don't have a clue. I
don
On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED]
said the following:
>
> That's how textdrive/joyent do this and they are more than happy with
> this approach.
>
Oh really? Read the section on Joyent/Textdrive here:
http://suso.suso.org/xulu/Web_hosting_providers_
That's obvious and I do offer that. But what about users in a shared
environment? There has to be a way to have cheaper accounts for people
and the way to do that is to put a couple hundred of them on a machine.
On Mon, Nov 05, 2007 at 06:42:35PM GMT, Michael McGlothlin [EMAIL PROTECTED]
sai
On Mon, Nov 05, 2007 at 07:02:05PM GMT, Alexey Zakhlestin [EMAIL PROTECTED]
said the following:
> Did you just ignore the part about fastcgi?
>
No I didn't, I just feel that fastcgi/suexec/mod_suphp doesn't handle
all of the ready to run programs out there completely. Besides that, the
whole po
Yes, this is what I'm talking about. Now is the time to do this
before some distribution of Linux or whatnot includes a version of PHP 6
that would not have this feature.
I'm sorry I can't code very well in C. But I'd be willing to write
documentation or a migration guide or something. Jus
On Tue, Apr 14, 2009 at 03:11:10PM GMT, Arvids Godjuks
[arvids.godj...@gmail.com] said the following:
>
> Yes, it's really irritating to write http://suso.org/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
this STDIN data size limit when using
proc_open?
I've tried setting the limits for apache to unlimited in
/etc/security/limits.conf just to see if it's a system limit.
- Forwarded message from Mark Krenz <[EMAIL PROTECTED]> -
Date: Sun, 22 Jan 2006 00:25:33 +
From: Ma
Well, the program that I'm really doing this with has a -o option to
write its data out to a file and when I use that option I have the same
problem with it only taking the first 64KB on stdin.
On Mon, Jan 23, 2006 at 04:48:12AM GMT, Nicolas Bérard Nault [EMAIL PROTECTED]
said the following:
>
te() syscall could only write
> 64k; since you're ignoring the return code from fwrite(), you're
> missing this vital fact.
>
> Using the streams functions in PHP 5 helps you to write code that
> "does what I mean", and makes for shorter, more readable code.
>
&g
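The reply quoted above pins the "only the first 64KB" symptom on ignoring the return value of fwrite(): a single write() to a pipe can complete short, and a child that is blocked writing its own stdout will never drain stdin while the parent is blocked writing it. The following is an added example, not code from the thread or from the PHP project, of the pattern that avoids both problems with proc_open(): non-blocking pipes multiplexed with stream_select(), every fwrite() return value accounted for, and stdout/stderr drained while stdin is still being fed. It assumes `cat` as the child (the program in the thread is not named); any filter-style command that reads stdin and writes stdout works the same way.

```php
<?php
// Added example, not code from the thread. Feeds a large payload to a child
// process through proc_open() while draining its stdout/stderr, so neither
// side blocks on a full pipe, and checks every fwrite() return value so a
// short write is never silently dropped. Assumes `cat` as the child process
// (the thread's program is not named); any filter-style command works.

function feed_child(string $cmd, string $input, int $idleTimeout = 10): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin: we write to it
        1 => ['pipe', 'w'],   // child's stdout: we read from it
        2 => ['pipe', 'w'],   // child's stderr: we read from it
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("proc_open() failed for: $cmd");
    }
    // Non-blocking pipes plus stream_select(): a blocking fwrite() of more
    // than the kernel pipe buffer (typically 64KB) would wait for the child
    // to read, while the child may be waiting for us to read its output.
    foreach ($pipes as $p) {
        stream_set_blocking($p, false);
    }

    $stdin   = $pipes[0];
    $readers = [1 => $pipes[1], 2 => $pipes[2]];
    $buf     = [1 => '', 2 => ''];
    $offset  = 0;
    $total   = strlen($input);

    while ($readers !== []) {
        $read   = array_values($readers);
        $write  = $stdin !== null ? [$stdin] : [];
        $except = null;
        $ready  = stream_select($read, $write, $except, $idleTimeout);
        if ($ready === false) {
            throw new RuntimeException('stream_select() failed');
        }
        if ($ready === 0) {
            proc_terminate($proc);
            throw new RuntimeException("no I/O from child for {$idleTimeout}s");
        }

        // Writable: push the next chunk and advance by what was really written.
        if ($write !== []) {
            $n = fwrite($stdin, substr($input, $offset, 65536));
            if ($n === false) {
                proc_terminate($proc);
                throw new RuntimeException('fwrite() to child stdin failed');
            }
            $offset += $n;               // may be short; the loop sends the rest
            if ($offset >= $total) {
                fclose($stdin);          // EOF tells the child the input is done
                $stdin = null;
            }
        }

        // Readable: drain output so the child never blocks on a full pipe.
        foreach ($read as $r) {
            $fd    = array_search($r, $readers, true);
            $chunk = fread($r, 65536);
            if ($chunk !== false && $chunk !== '') {
                $buf[$fd] .= $chunk;
            } elseif (feof($r)) {
                fclose($r);
                unset($readers[$fd]);
            }
        }
    }

    $status = proc_close($proc);
    return ['status' => $status, 'stdout' => $buf[1], 'stderr' => $buf[2]];
}

// Constructed input, well past the 64KB pipe buffer.
$payload = str_repeat("0123456789abcdef\n", 32768);   // 512KB
$result  = feed_child('cat', $payload);
printf("exit=%d bytes_in=%d bytes_out=%d intact=%s\n",
    $result['status'], strlen($payload), strlen($result['stdout']),
    $result['stdout'] === $payload ? 'yes' : 'no');
```

The idle timeout is there so a wedged child turns into an exception instead of a hung request; raising the limits in /etc/security/limits.conf does not help here, because the 64KB figure is the pipe buffer, not a per-process resource limit.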
I sent this to the php-general mailing list but nobody seemed to be
able to help me there.
I run a shared webserver with a few hundred vhost containers in
Apache's config. Recently I got to a point where I added enough vhosts
to cause a problem with curl functions in PHP. Basically, when PH
I really can't upgrade right now. Basically, I'd be risking breaking
the machine because I'd have to upgrade to a newer supported version of
Fedora that might have some incompatibilities with some custom packages
I've setup and end up having way too much downtime. Even if it was at 3
in the morn
riencing.
Mark
On Thu, Sep 21, 2006 at 03:28:28PM GMT, Mark Krenz [EMAIL PROTECTED] said the
following:
>
> I really can't upgrade right now. Basically, I'd be risking breaking
> the machine because I'd have to upgrade to a newer supported version of
> Fedora that m
I just found this out a couple days ago when I checked the ereg manual
page for something and was shocked. I searched around a bit but
couldn't find a straight answer on why this function is being removed?
Did the deprecation notice just get made in 5.3 or has it been there
longer than that?
T
is faster.
>
> It is a decision forever. Do not expect it to come on PHP 5.4 (?) or PHP 6.
>
> Cheers,
>
> On Mon, Oct 12, 2009 at 12:46 PM, Mark Krenz wrote:
> >
> > I just found this out a couple days ago when I checked the ereg manual
> > page for somethi
ess we get a volunteer to do that, they are gone.
> It is not a question of simply leaving in what we have today. It
> technically won't work.
>
> -Rasmus
>
> Mark Krenz wrote:
> > Ok, let me first say that I have no problem with deprecating it in
> > favor
On Mon, Oct 12, 2009 at 04:27:02PM GMT, Pierre Joye [pierre@gmail.com] said
the following:
>
> The ereg functions cannot work with Unicode and can't be fixed without
> rewriting them. Nobody likes to do it as pcre works just fine and has
> many active maintainers (inside and outside php).
>
On Mon, Oct 12, 2009 at 05:12:47PM GMT, Pierre Joye [pierre@gmail.com] said
the following:
>
> Let me use another example to make you understand the situation.
>
> I bought a car, which is great, I can repair it myself, can drive
Car analogies are seldom an accurate portrayal of the sit
On Mon, Oct 12, 2009 at 05:12:43PM GMT, Christian Schneider
[cschn...@cschneid.com] said the following:
> Mark Krenz wrote:
> > But I'm willing to bet that the majority of people are using ereg, not
> > PCRE. I've known about PCRE in PHP for a while now, but I continu
On Mon, Oct 12, 2009 at 05:34:08PM GMT, Olivier B. [php-dev.l...@daevel.fr]
said the following:
> And as far as I know, using ereg_* function is discouraged in the
> documentation since PHP 4, 10 years ago, no ?
>
Discouraged, no. From looking at archive.org, it looks like there has
been thi
On Mon, Oct 12, 2009 at 05:08:33PM GMT, Lukas Kahwe Smith [...@pooteeweet.org]
said the following:
> Wow, you sure do assume a lot of things about PHP and its development
> community. I have never seen your name on this list before and (now I
> am assuming) do not know the state of development
On Mon, Oct 12, 2009 at 05:55:25PM GMT, Carl P. Corliss [rabb...@gmail.com]
said the following:
>
> Code Search of: "eregi?(_replace)?\( lang:php" shows ~123,000 results
> Code Search of:
> "preg_(filter|grep|last_error|match_all|match|quote|replace_callback|replace|split)\(
>
> lang:php" show
On Mon, Oct 12, 2009 at 06:34:02PM GMT, Tomas Kuliavas
[to...@users.sourceforge.net] said the following:
>
> preg_quote() and preg_last_error() are support functions. They are used
> together with other pcre functions. You double some search results.
>
> If you have to support something, it is n
On Mon, Oct 12, 2009 at 07:22:10PM GMT, Robert Cummings [rob...@interjinn.com]
said the following:
>
> You are obviously right of course... the PHP world is NOT ready for the
> POSIX regex library to be dropped. That's why it's "deprecated" in PHP
> 5.3 and not removed. In a year or 3, when PHP
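Two points from the ereg thread above are worth seeing in code: Pierre's statement that the ereg functions cannot work with Unicode, and the migration guide Mark offered to write. The following is an added example, not code from the thread or from the PHP project. It wraps a POSIX pattern for preg_match() and runs a few constructed inputs through both engines. The ereg*() functions only exist on PHP older than 7, so those calls are guarded; the PCRE half runs anywhere.

```php
<?php
// Added example, not part of the thread. Shows what an ereg -> PCRE
// migration has to cover: delimiters, the '$' anchor, and the byte-vs-
// code-point difference that makes ereg() unfixable for Unicode.
// ereg()/eregi() exist only on PHP < 7, so they are called only if present.

function posix_to_pcre(string $posix, bool $caseInsensitive = false): string
{
    // PCRE needs delimiters; escape any '/' that appears in the POSIX pattern.
    // D: '$' matches only at the very end of the subject, as in POSIX. PCRE's
    //    default '$' also matches before a trailing "\n", so without D a
    //    '^[a-z]+$' check would accept "admin\n" after migration.
    // u: treat pattern and subject as UTF-8, so '.' matches one code point
    //    rather than one byte.
    $flags = 'Du' . ($caseInsensitive ? 'i' : '');
    return '/' . str_replace('/', '\/', $posix) . '/' . $flags;
}

function pcre_matches(string $posix, string $subject, bool $ci = false): bool
{
    $r = preg_match(posix_to_pcre($posix, $ci), $subject);
    if ($r === false) {
        // e.g. PREG_BAD_UTF8_ERROR on a subject that is not valid UTF-8
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $r === 1;
}

function legacy_matches(string $posix, string $subject, bool $ci = false): ?bool
{
    if (!function_exists('ereg')) {
        return null;                          // PHP >= 7: function removed
    }
    // '@' silences the E_DEPRECATED notice PHP 5.3+ emits for ereg().
    $r = $ci ? @eregi($posix, $subject) : @ereg($posix, $subject);
    return $r !== false;                      // ereg returns match length or false
}

function compare_engines(): array
{
    // Constructed test cases: [POSIX pattern, subject, case-insensitive].
    $cases = [
        ['^.$',      "\xC3\xA9",     false],  // "é": one code point, two bytes
        ['^[a-z]+$', "admin\n",      false],  // trailing newline
        ['^[a-z]+$', "admin",        false],
        ['^caf.$',   "CAF\xC3\x89",  true ],  // "CAFÉ"
    ];
    $rows = [];
    foreach ($cases as [$pattern, $subject, $ci]) {
        $rows[] = [
            'pattern' => $pattern,
            'subject' => bin2hex($subject),
            'pcre'    => pcre_matches($pattern, $subject, $ci),
            'ereg'    => legacy_matches($pattern, $subject, $ci),
        ];
    }
    return $rows;
}

foreach (compare_engines() as $row) {
    printf("%-10s %-14s pcre=%s ereg=%s\n",
        $row['pattern'], $row['subject'],
        $row['pcre'] ? 'match' : 'no',
        $row['ereg'] === null ? 'n/a' : ($row['ereg'] ? 'match' : 'no'));
}
```

On a PHP 5 build the first and last rows come out "pcre=match ereg=no": ereg's '.' consumes a single byte, so a two-byte UTF-8 character never satisfies '^.$'. The "admin\n" row is the one to check after any migration of input validation; drop the D flag and PCRE reports a match where ereg did not.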
On Thu, Jan 11, 2007 at 04:17:31PM GMT, Alain Williams [EMAIL PROTECTED] said
the following:
> On Thu, Jan 11, 2007 at 05:04:30PM +0100, Stefan Esser wrote:
>
> > PS: Stop the "We are secure" marketing and face reality
>
> More to the point: ''We might be secure because we are careful experience
First of all I don't want this to sound like a personal attack, it's
professional. I just encountered something that really aggravates me
about the state of PHP and I want to be heard by the developers.
I just read through this document,
http://www.php.net/~derick/meeting-notes.html
and
On Sun, Aug 26, 2007 at 09:15:54PM GMT, Stanislav Malyshev [EMAIL PROTECTED]
said the following:
> No more and no less than any other scripting language, I'd say. And the
> reason for that - it should be done on the OS level, not on the language
> level. OS possesses the capability and created w