[PHP-DEV] Language Auto Detection / www.php.net

2003-03-10 Thread Stefan Esser
url after all searches to /en/ The site should at least be so intelligent to search in the /en/ part of the manual if I search from an /en/ page. Stefan Esser -- -- Stefan Esser

[PHP-DEV] Am I drunken?

2002-11-25 Thread Stefan Esser
Hi, is it only me, or is every php-dev mail sent out twice nowadays? I get every mail at least 2 times. Stefan Esser -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] GIF support

2002-11-21 Thread Stefan Esser
On Thu, Nov 21, 2002 at 10:25:57AM -, James Cox wrote: > guys, how about we just like leave this for a couple of months till 2003 > when the patent runs out? > > -- james I was just joking... Anyway I dislike all this patent shit. Stefan Esser

Re: [PHP-DEV] GIF support

2002-11-20 Thread Stefan Esser
it on your harddisk, or? Stefan Esser

[PHP-DEV] GD 2.0.4

2002-10-26 Thread Stefan Esser
What happened to the GD lib folks? Every day a new version now? ;) Stefan

[PHP-DEV] Funny guys...

2002-10-13 Thread Stefan Esser
Morning, were there any problems with the cvs server yesterday? In my commit from yesterday morning I added the line pp++, this was committed as p++. In my file on the harddisk there is clearly a pp++ and NOT a p++. (Which makes no sense anyway) Stefan

Re: [PHP-DEV] Re: Fixing socket reads

2002-10-04 Thread Stefan Esser
Just wanted to say that I just tested ftp_fopen wrappers and whatever was added/modified in the stream code since I added ftps_fopen wrapper a few weeks ago must have broken it badly. Right now the gets() simply blocks... That was not the case a few weeks ago... Stefan

Re: [PHP-DEV] Streams-Change ?!

2002-10-03 Thread Stefan Esser
On Thu, Oct 03, 2002 at 01:54:46PM +0200, Marcus Börger wrote: > There are problems especially in the streams seeker function at least. > > marcus Problem was in ext/ftp. Thanks anyway. Stefan

[PHP-DEV] Streams-Change ?!

2002-10-03 Thread Stefan Esser
Hi, was there a change of the streams EOF functions? I added some functionality to ext/ftp and must see that ftp_put uploads one byte less than the filesize. Stefan Esser

Re: [PHP-DEV] utime() problems

2002-09-16 Thread Stefan Esser
On Tue, Sep 17, 2002 at 04:43:41AM -, Steph wrote: > There have been a lot of changes to that file in a very short space of > time, I'll look again. Yes there have been but basically rasmus broke it with this commit! Linux 2.2 does not allow any other 2nd parameter than NULL if the touch()er is

Re: [PHP-DEV] [Fwd: PHP fopen() CRLF Injection]

2002-09-12 Thread Stefan Esser
On Thu, Sep 12, 2002 at 10:47:12AM +0100, James Cox wrote: > Stefan, > > is this really worth it? I think this will break too many scripts. > > -- james My change only changes parse_url() to remove characters that are invalid in urls. If such characters occur in an url that is passed to parse_

Re: [PHP-DEV] [Fwd: PHP fopen() CRLF Injection]

2002-09-11 Thread Stefan Esser
Hi, > We got close one that Jani mentioned in bug db :) > > It's user's problem, but I'm sure there are many > scripts do not check user input enough. > > We're probably better to mention security risks more > in the manual... I fixed this issue in CVS in the way that parse_url() removes cont

Re: [PHP-DEV] Re: REPOST: PHP 4.2.3 Released

2002-09-08 Thread Stefan Esser
> Showed up fine before That is strange because I did not receive it over the list and it is not in the php-dev web archive. Stefan

[PHP-DEV] REPOST: PHP 4.2.3 Released

2002-09-08 Thread Stefan Esser
. Thanks, Stefan Esser

Re: [PHP-DEV] Re: #19286 [NEW]: header() Control Char Injection

2002-09-08 Thread Stefan Esser
tion" is used. [ ] His Java Script will be executed. Stefan Esser PS: Is php-dev censored? Or why disappeared my mail about MD5/GPG signs of PHP 4.2.3... Is there some autofilter on "group says everytime: we do it the next time?"

[PHP-DEV] PHP 4.2.3 Released...

2002-09-06 Thread Stefan Esser
times that php.net servers are secure. Even if that is true (I somehow doubt it), you cannot ensure that all Mirrors are secure. Especially because your own statistics show that some of them are running old software. Thanks, Stefan Esser

Re: [PHP-DEV] mbstring

2002-09-03 Thread Stefan Esser
> AFAIK, there is no serious bug in mbstring. > If there is serious problem, let us know so that it can be > addressed. Then start with removing double url decoding of the input... and then fix the "mad" separator counter ... Stefan

Re: [PHP-DEV] Problem with http://php.net

2002-09-02 Thread Stefan Esser
Back to the topic... When will the MX be up again? Stefan

Re: [PHP-DEV] Problem with http://php.net

2002-09-02 Thread Stefan Esser
> This goes to everyone who has root or sudo on the boxes.. for example i'll > get paged if something gets broken. This should guarantee a faster response > time (although, php-dev works too :)) Wow. I guess your pager does not stand still a second then... :) Stefan

[PHP-DEV] ZendAPI - zend_atoi

2002-08-31 Thread Stefan Esser
Hi, could we change zend_atoi to use strtol instead of atoi? Otherwise I cannot use OnUpdateInt for the default_umask switch because atoi does not support octal values. Stefan

[PHP-DEV] [USER-FEATURE-REQUEST]: umask in php.ini

2002-08-30 Thread Stefan Esser
Hi all, some FreeBSD guy just asked for support of a default umask flag per Virtual Host. I told him auto_prepend_file as workaround, but if no one objects I am going to commit some default_umask switch into cvs by tomorrow. Stefan

Re: [PHP-DEV] UTF-8 encoding

2002-08-25 Thread Stefan Esser
On Sun, Aug 25, 2002 at 09:21:01PM +0200, Stig Venaas wrote: > Great, I've been wondering why UTF-8 wasn't defined like that > in the first place. Could you please give me a pointer to the > addition? It is defined in RFC 2279. Regards, Stefan

[PHP-DEV] UTF-8 encoding

2002-08-25 Thread Stefan Esser
forget my last mail... I just found the addition myself. Stefan

[PHP-DEV] UTF-8 encoding

2002-08-25 Thread Stefan Esser
Hello, html.c / get_next_char() has an utf-8 decoder. The implementation is a little bit fishy. AFAIK utf-8 sequences are 1 up to 4 chars but this one supports 5, 6 byte utf-8 sequences. I wonder where this addition to the standard is defined.. The problem is the following: the german ue is 0xFC w

Re: [PHP-DEV] Problems uploading large files

2002-08-15 Thread Stefan Esser
> [error] PHP Warning: Only 1284 bytes were written, expected to write > 5119 in Unknown on line 0 Your /tmp directory is most likely full. Stefan Esser

Re: [PHP-DEV] trans-sid warning?

2002-08-14 Thread Stefan Esser
I do not understand the sense of this whole discussion. HTTP is a plaintext protocol. So nothing transferred over HTTP can be secure. No urls, no session no anything. Stefan

Re: [PHP-DEV] Weird?!?!

2002-07-31 Thread Stefan Esser
On Wed, Jul 31, 2002 at 07:24:05PM +0200, [EMAIL PROTECTED] wrote: > On Wed, 31 Jul 2002, Stefan Esser wrote: > > > should that be replaced with: > > > > result->value.lval = (long)dval; > > > > instead of calculating the multiplication again??? >

[PHP-DEV] Weird?!?!

2002-07-31 Thread Stefan Esser
result->value.lval = op1->value.lval * op2->value.lval; result->type = IS_LONG; } return SUCCESS; ... should that be replaced with: result->value.lval = (long)dval; instead of calculating the multiplication again??? Stefan

[PHP-DEV] New FTP extension functionality

2002-07-26 Thread Stefan Esser
Hi, yesterday I did several commits to the FTP extension. Due to the fact that I do not know how I can document the stuff myself and right now am lacking the time here is a brief instruction: Stefan Esser --- 5 new

Re: [PHP-DEV] safe_mode and files permissions q?

2002-07-10 Thread Stefan Esser
> yeah that's a solution but it doesn't work in case of mass hosting : can't update > php.ini for each new user and have it carry 2 peta zillions safe_mode_include_dirs :) just a guess: safe_mode_exec_dir=./script-data Stefan

Re: [PHP-DEV] safe_mode and files permissions q?

2002-07-10 Thread Stefan Esser
Hi, > And user can't access this file. > Can I solve this problem by myself, or it's Engine trouble..? If you really really need to create and access files from your script then create a directory within your document root like "script-data" set safe_mode_include_dir to this directory. This shou

Re: [PHP-DEV] Fw: PHP content-disposition vuln

2002-06-27 Thread Stefan Esser
Hi all, this is not a worm. According to the logs someone attacked this guy with one of the TESO exploits 7350fun or 73501867 in bruteforce mode. Stefan Esser

Re: [PHP-DEV] RFC: slight change to exec functions (Was Re: [PHP-DEV] why does exec() use the shell?)

2002-06-13 Thread Stefan Esser
> Are there any objections to making such a change? I don't think it > has any BC implications. It will have BC implications ;) Because it would finally allow to pass multiple parameters to a program when in safe mode... Stefan

Re: [PHP-DEV] [PATCH] or Karmarequest for zend_llist.c

2002-06-05 Thread Stefan Esser
> since there obviously was never a talk on this list about and > out of curiosity, how can the leak be reproduced? zend_llist_remove_tail does not call the dtor of the element that gets removed. This will cause a memory leak everywhere it is used and where the dtor is != NULL. Within the

[PHP-DEV] [PATCH] or Karmarequest for zend_llist.c

2002-06-05 Thread Stefan Esser
Hi, herewith i send my patch for the memory leak within ZendEngine(1/2). This was discussed with Zeev and Andi before but noone fixed it. So please apply the patch now, or give me the karma and I do it myself... Stefan --- zend_llist.c.orig Wed Jun 5 13:58:41 2002 +++ zend_llist.cWe

Re: [PHP-DEV] Discourage use of short tags

2002-04-27 Thread Stefan Esser
Hi, Removing the short tags from future php releases, or disabling them by default, is like stripping functions from glibc because they do not exist on other platforms. Stefan

Re: [PHP-DEV] Please forward to the list, I'm not a member anymore... (fwd)

2002-04-16 Thread Stefan Esser
Morning, > > It is GPL > > Then we can't use it with PHP... sorry, but I do not see your point. How can optional support for a GPL library in PHP violate the GPL? Stefan Esser

Re: [PHP-DEV] Re: [PHP-QA] Re: [PHP-DEV] RE: [PHP-QA] Supporting Apache 2 with PHP 4.2.0

2002-04-09 Thread Stefan Esser
Morning, > How can there be if we remove apache2 completely ? :) Hmm i don't know how much work must be put into the apache2 support i just know that people are discussing everywhere (f.e. slashdot) when finally PHP will support Apache2. It depends what you like more... Beta code tested in t

Re: [PHP-DEV] 4.1.3?

2002-04-06 Thread Stefan Esser
want the newest version. Stefan Esser

Re: [PHP-DEV] Re: Re: Session patch

2002-03-30 Thread Stefan Esser
Sorry, what do you want to tell us? Your mail doesn't make any sense. Stefan

Re: [PHP-DEV] file upload issue in HEAD

2002-03-29 Thread Stefan Esser
Hi, > Did you turn off file_uploads in your php.ini before testing? I just > double-checked in the 4.2 branch and turning off file_uploads makes the > variable disappear for me. Ahhh then I misunderstood your mail. I thought you mean in 4.1.2 if you do not upload a file (only fill the input fie

Re: [PHP-DEV] Session patch for ID created by handler

2002-03-29 Thread Stefan Esser
+ 3.14159 Stefan

Re: [PHP-DEV] file upload issue in HEAD

2002-03-29 Thread Stefan Esser
> By the way, this didn't work at all in 4.1.2. Any Sorry but I cannot reproduce this. The _REQUEST array is filled here. The only strange thing is that phpinfo doesn't show it... But var_dump and print_r do... Stefan

Re: [PHP-DEV] Re: Re: Session patch

2002-03-28 Thread Stefan Esser
Hi, > Have a look at www.sevenval.com. Sorry everything is German. If you Hmm yeah but if your browser is really not able to do proper content negotiation, there is still an "english" button in the right lower edge of the page... > recognize what I mean. The generated URLs are patents. > Please

Re: [PHP-DEV] Re: Re: Session patch

2002-03-28 Thread Stefan Esser
Hi, I have not followed the discussion, but it's nonsense to force people to use PHP generated session IDs. It's an argument against using PHP. There are several situations where it is not possible to let PHP generate the session ids. Especially if you use stuff like the Sevenval FIT or HIT technol

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/standard basic_functions.c basic_functions.h

2002-03-23 Thread Stefan Esser
Hi, > (or even just make it so that when safe mode is on, it is smart enough > to allow opening files that were uploaded without doing the uid check?) ehmm safe_mode already does that. I don't see the need for the new function anyway, cause safe_mode doesn't do the uid check on uploaded files.

Re: [PHP-DEV] Question concerning zend_mem_header

2002-03-23 Thread Stefan Esser
nd the use of it. Maybe I will create an unofficial "Zend hardening patch" for *BSD users. Stefan Esser

[PHP-DEV] Question concerning zend_mem_header

2002-03-23 Thread Stefan Esser
ly on Solaris/Linux and maybe Windows. Stefan Esser

Re: [PHP-DEV] OT? buffer overflow attacks

2002-03-20 Thread Stefan Esser
PHP flaw is too hard to realistically exploit it? The guys who are responsible for lot of admins not upgrading because they believe "that it is too hard to exploit?" Stefan Esser PS: anything written in this mail is my personal opinion and I do not speak for the rest of the php develo

Re: [PHP-DEV] [BUG]vulnerabilities in PHP's file uploadcode - still uncovered in 4.1.2

2002-03-19 Thread Stefan Esser
Ehmm there is one thing that makes it more serious than the other crash bugs: it's remotely triggerable. But honestly I doubt a kiddie will use this bug to dos a server. Apache will respawn all its children anyway and for the kids it's much easier to use their stupid smurf or whatever tools, than to

[PHP-DEV] Bug #16128

2002-03-17 Thread Stefan Esser
Hi, The problem is, that php_checkuid was broken since PHP 4.? move_uploaded_file doesn't check openbasedir restriction should we add that? Stefan

[PHP-DEV] HEAD broken

2002-03-15 Thread Stefan Esser
current HEAD doesn't compile due to /ext/session/session.c, /ext/standard/var.c

Re: [PHP-DEV] exec + safemode

2002-03-12 Thread Stefan Esser
Hi, It is not off topic. It's an annoying bug and I asked around if I oversee something if I change php_escape_shell_cmd to ignore stuff between quotes. (of course checking for escaped quotes within the quotes) Stefan

[PHP-DEV] safe_mode + exec

2002-03-12 Thread Stefan Esser
Hi, i want your opinions for a clean solution of the safe_mode + exec problem. Right now it is not possible to execute stuff like /usr/local/bin/mybin "param 1" "param 2" because the whole line is passed to php_escape_shell_cmd Is there any problem that i oversee, if we simply overjump quote

[PHP-DEV] exec + safemode

2002-03-12 Thread Stefan Esser
Morning, (maybe i am just blind...) I doubt this can be counted as support question *grin* Has anyone of you ever tried to exec a command while in safe_mode? exec ("blub"); works fine, but it seems impossible to give a param to blub that has spaces in it. Stefan

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Stefan Esser
Hi, > PHP is already infected. Sorry, my fault. I have overseen that. I just wanted to clarify what strlcat and strlcpy are. I dislike OpenBSD because of several reasons but this list is not the right place to discuss anything like this. > But that's ok. If you don't want us to work on PHP,

Re: [PHP-DEV] PHP audit project

2002-03-11 Thread Stefan Esser
Hi, strlcpy and strlcat are inventions of the OpenBSD project. Since they invented those they are trying to "infect" other projects. Stefan

Re: [PHP-DEV] Re: Have you seen the "PHP audit project"?

2002-03-11 Thread Stefan Esser
never get such arrogant messages like: "This bug was fixed in PHP hardening patch about a year ago". Exactly this happened with the SSH deattack hole. Stefan Esser

[PHP-DEV] Re: [PHP-CVS] cvs: php4 /main rfc1867.c

2002-03-10 Thread Stefan Esser
> Hi Stefan, could you shortly explain why a single browser needs such a > workaround? Since Opera 6.01 is less than a month old, shouldn't they be the > ones fixing such a problem? Have you talked to them about it? It is not really a workaround it makes the fileupload behave more RFC conform. Th

[PHP-DEV] Snapshot binary release...

2002-02-16 Thread Stefan Esser
Hi, Could it be possible to package a Windows Snapshot Binary Release? People again and again have header() problems and as long they are using some form of unix i can tell them to patch the one line into it. But i doubt a standard windows user has the build utilities and the skills to compile it

Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Stefan Esser
ned to work without mqbd today. Hmmm btw... This idea just came to my mind and i don't know if it would be too much overhead, but what about keeping track of what variables got already magically quoted and do not quote them again if the script wants it. Stefan Esser

Re: [PHP-DEV] [patch] one script to handle them all

2002-02-13 Thread Stefan Esser
Hmm, maybe we should first hear if anyone has an argument against such an additional feature. I think it's less overhead than mod_rewrite. +1 from me Stefan

Re: [PHP-DEV] Re: Bug #15523 Updated: Line Number

2002-02-12 Thread Stefan Esser
I know myself that you can workaround with an additional parameter. I just wanted to make you guys notice that you talk about different stuff. Stefan

[PHP-DEV] Re: Bug #15523 Updated: Line Number

2002-02-12 Thread Stefan Esser
__LINE__ contains the current line number, not the caller's line number, so it's neither closed, nor bogus. Just my 2 cent Stefan

Re: [PHP-DEV] [PROPOSAL] defense against session takeovers

2002-02-01 Thread Stefan Esser
> How about that we use the SERVER_NAME environment variable when > generating session filenames? Instead of name like sess_, the name > could be sess__, where is a server fingerprint? I > understand that this is not foolproof (say, for applications > that run on the sam

Re: [PHP-DEV] [PROPOSAL] defense against session takeovers

2002-02-01 Thread Stefan Esser
Hi, I fully support rasmus, saying that we should mention the default configuration as unsafe in the documentation. Unlike Mr. Lorch or similar people I do not think it's our responsibility to configure the server for the admin. And I am a little bit tired about this whole session takeover discus

Re: [PHP-DEV] malformed header from script

2001-12-16 Thread Stefan Esser
The CVS is fixed now. I did not recognise that i broke SAPI.c because my apache did load the old module. Sorry for the wasted build time. Full blame on me Stefan -- PHP Development Mailing List To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EM

Re: [PHP-DEV] set_time_limit() bug - pending for PHP 4.1.0

2001-11-18 Thread Stefan Esser
What versions of apache are you guys running?

[PHP-DEV] CVS Account Request: s.esser

2001-11-10 Thread Stefan Esser
Hello, i would like to participate in the whole process of php development. for now i like to ask if i can maintain the filepro extension because afaik its unmaintained at the moment and full of bufferoverflow bugs, etc... SE

[PHP-DEV] CVSup - connection refused

2001-09-24 Thread Stefan Esser
Hi, I am trying for several weeks to mirror the CVS Repository via CVSup, but i permanently get a "connection refused" error. Is there no longer a CVSup server or is there just a temporary problem? thanks, stefan esser