[PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

The zend-equivalent is painfully slow.

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] CVS Account Request: kai

[Kai Liki]

I need access to phpdoc CVS repository for help with translating PHP manual into 
Russian.

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

Hmm, then it could be fixed, but we shouldn't introduce a new implementation.
Assuming you refer to the large number of output calls, they can be saved 
using output buffering - implementing localized buffering in every place is 
not a good way to go by.  I'm not sure output buffering was already there 
when php_html_puts() was introduced, though :)

Zeev

At 15:42 12/05/2002, Sascha Schumann wrote:
 The zend-equivalent is painfully slow.

 - Sascha Experience IRCG
   http://schumann.cx/http://schumann.cx/ircg


--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Ilia A.]

On May 11, 2002 06:56 pm, Chand wrote:

 The solution we've chosen is to have a cgi php binary instead of a
 module for security stuff. The main reason to do so was to have the
 user-created file have the user's uid. We had to suid the php binary and
 setuid() the process to the script's uid, of course. This seemed like a
 good security trouble-keeper (I know some people will say that setuid
 scripts and security in the same sentence usually ain't a good
 mix'n'match but .. :) )  since this let the filesystem take care of file
 permissions which seemed to me the most secure way, Ain't it ?
 Maybe the Open_basedir solution is a better one although i like the idea
 of files really owned by the user and not only virtually. The drawback
 on the cgi php binary is performance. We have lotsa trouble with php cgi
 binary not dying after the max_execution_time and stayin' alive on the
 machines. So we have to terminate them frequently. This has been
 reported I think a while back and said to be solved but looks like we
 have an environment that's unique in terms of number of requests per
 second and load averages, and that not a lot of people can use to test.
 So people might have the dead binaries sleeping around bug solved, but
 we don't.

As far as security is concerned this is probably the best approach, IMHO.  
Because by running PHP as this user you can use various OS kernel tools such 
as LIDS or GrSecurity to set limits of what each user can do and how many 
resources they can consume.


 Ilia, the scripts you talk about that eat up process, cpu, file pointers
 etc are very interesting, we've already gone against most of them except
 for the file handlers Attack. Never had that but I think i'm gonna talk
 about this with our NOC team cause it could be a very big issue now
 that's it's in the open :)

There are other ways to cause problems with PHP, we could probably go on for 
days documenting each way someone could use PHP to cause a problem on a 
server. 
Here is yet another example:
?php sleep(time()); ?
of
?php while(1) usleep(time()); ?

Now the script will sleep indefinately ignoring the set_time_limit parameter. 
This webserver thread is now in sleep mode for virtually forever, by 
repeatedly accessing such a script and attacker can prevent the webserver 
from serving actual web pages since all threads will be asleep.

But this is the nature of any programming/scripting language it allows you do 
can do things with it :P The ultimate bottom line is that if you do not trust 
your users to use the tools they are given appropriately then you shouldn't 
put those tools in their hands.


 Seriously, i've been surprised as to how low was the number of people
 trying to hack our system thru PHP. I was really afraid it would far
 worse, but this might not be the case everywhere, and we still have to
 be vigilant about all that security stuff.
 I too think that safe_mode is not a good thing and that open_basedir
 seems better and more secure.

 I'm willing to help on a PHP-ISP-Howto document even though but since
 i've never done such a thing, i'm not sure i can really do something
 good, Plus we might not have taken the best way of doing things around
 here. If anybody has comments and or solutions, I'm interested.

 Later
 Chand


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] mime help!

[Robert Ruddy]

ok i have that a script that is supposed to decode base64, the thing that
it's decoding is a email, html encoded. For some od reason it just puts the
message into funny characters. Does anyone know where I could get a tutorial
maybe on this subject if nobody wanted to help me. All help is appreciated



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

On Sun, 12 May 2002, Zeev Suraski wrote:

 Hmm, then it could be fixed, but we shouldn't introduce a new implementation.
 Assuming you refer to the large number of output calls, they can be saved
 using output buffering - implementing localized buffering in every place is

I've just noticed that you have kicked out the premier
implementation of the same functionality in favor of the dog
slow old one.

Note that relying on output buffering alone is inferior,
because (a) it is not always enabled and (b) it does not
address the inherent flaws in the zend implementation.

I suggest reverting that commit and doing whatever is
necessary to improve the zend implementation.

This could be achieved by defining a function pointer
zend_html_puts with the same parameters as php_html_puts and
let applications set that function pointer.  The default
could continue to point to the current zend_html_puts code.

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

At 17:43 12/05/2002, Sascha Schumann wrote:
 I've just noticed that you have kicked out the premier
 implementation of the same functionality in favor of the dog
 slow old one.

I almost missed those idyllic descriptions :)

 Note that relying on output buffering alone is inferior,
 because (a) it is not always enabled

It can be enabled for this purpose alone, if you think it's that much of an 
issue (I don't, but I don't mind doing that either).

  and (b) it does not
 address the inherent flaws in the zend implementation.

What inherent flaws?  So far, the only difference between them that I could 
spot was that php_html_puts() was buggy, and did not convert series of 
spaces into nbsp;'s.  Otherwise, the only difference was the use of 
buffering.  I may have missed something, though.

 I suggest reverting that commit and doing whatever is
 necessary to improve the zend implementation.

 This could be achieved by defining a function pointer
 zend_html_puts with the same parameters as php_html_puts and
 let applications set that function pointer.  The default
 could continue to point to the current zend_html_puts code.

I don't see why it's necessary.  If you think buffering phpinfo() is really 
necessary, then we can enable buffering for it.

Zeev


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

 What inherent flaws?  So far, the only difference between them that I could
 spot was that php_html_puts() was buggy, and did not convert series of
 spaces into nbsp;'s.  Otherwise, the only difference was the use of
 buffering.  I may have missed something, though.

That is not buggy, although it was not part of the original
php_html_puts.  IIRC, Jani put it in place to prevent
excessivily wide tables in phpinfo().  I would not mind
adding an option for that though, if the original behaviour
is required for some purpose.

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

At 17:58 12/05/2002, Sascha Schumann wrote:
  What inherent flaws?  So far, the only difference between them that I could
  spot was that php_html_puts() was buggy, and did not convert series of
  spaces into nbsp;'s.  Otherwise, the only difference was the use of
  buffering.  I may have missed something, though.

 That is not buggy, although it was not part of the original
 php_html_puts.  IIRC, Jani put it in place to prevent
 excessivily wide tables in phpinfo().  I would not mind
 adding an option for that though, if the original behaviour
 is required for some purpose.

What I'm pointing out is that there are no 'inherent flaws' in the 'dog 
slow' implementation that we already had for a couple of years.  If you 
want to add buffering, we can add buffering.  There's no point in adding a 
specialized buffered implementation.

The spaces issue is well implemented in the zend implementation (I also 
fixed it in the php_html_puts() implementation, before I removed it;  At 
some point, it was too much of a deja-vu, which is why I don't like 
duplicate implementations :)

Zeev


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

 What I'm pointing out is that there are no 'inherent flaws' in the 'dog
 slow' implementation that we already had for a couple of years.  If you
 want to add buffering, we can add buffering.  There's no point in adding a
 specialized buffered implementation.

Well, php_html_puts has several advantages:

- it is buffering as you already noted without having to rely
  on the huge output-buffering infrastructure.  I have not
  benchmarked it, but I do assume that it is noticably slower
  than php_html_puts.

- it is faster due to passing TSRMLS around, instead of
  having to fetch it for *every* single examined byte.  This
  is especially significant in threaded environments such as
  Apache 2 or ISAPI.

- it is there and working fully. :-)

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

At 18:24 12/05/2002, Sascha Schumann wrote:
 - it is buffering as you already noted without having to rely
   on the huge output-buffering infrastructure.  I have not
   benchmarked it, but I do assume that it is noticably slower
   than php_html_puts.

 - it is faster due to passing TSRMLS around, instead of
   having to fetch it for *every* single examined byte.  This
   is especially significant in threaded environments such as
   Apache 2 or ISAPI.

I'm trying to understand why you care so much about its 
performance..?  There are cases where duplicating code for performance 
reasons makes sense, but I don't see how this function falls into that 
category.  Either way, enabling output buffering for it should definitely 
do the trick, even if it's a couple of percent slower than the specialized 
implementation.
Are you using it in some module?  Because the only code to currently make 
use of it is phpinfo(), and it isn't noticeably slow even in the current 
byte-by-byte method...

Zeev


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

I'd *really* like to avoid having two copies of the same code, 
though.  Please remove the duplicated implementation...

Zeev

At 18:24 12/05/2002, Sascha Schumann wrote:
  What I'm pointing out is that there are no 'inherent flaws' in the 'dog
  slow' implementation that we already had for a couple of years.  If you
  want to add buffering, we can add buffering.  There's no point in adding a
  specialized buffered implementation.

 Well, php_html_puts has several advantages:

 - it is buffering as you already noted without having to rely
   on the huge output-buffering infrastructure.  I have not
   benchmarked it, but I do assume that it is noticably slower
   than php_html_puts.

 - it is faster due to passing TSRMLS around, instead of
   having to fetch it for *every* single examined byte.  This
   is especially significant in threaded environments such as
   Apache 2 or ISAPI.

 - it is there and working fully. :-)

 - Sascha Experience IRCG
   http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

I favor php_html_puts also due to maintability reasons.
Please consider this part of code from zend_html_puts:

 !(((ptr+1)=end) || (*(ptr+1)==' ')) /* next is not a space */
 !((ptr==s) || (*(ptr-1)==' '))) /* last is not a space */ {

And contrast it with the inherent beauty of php_html_puts.

 I'd *really* like to avoid having two copies of the same code,
 though.  Please remove the duplicated implementation...

Ok, I'll implement the solution I posted earlier and make
zend_html_puts a function pointer.

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

At 18:34 12/05/2002, Sascha Schumann wrote:
 I favor php_html_puts also due to maintability reasons.
 Please consider this part of code from zend_html_puts:

  !(((ptr+1)=end) || (*(ptr+1)==' ')) /* next is not a space */
  !((ptr==s) || (*(ptr-1)==' '))) /* last is not a space */ {

 And contrast it with the inherent beauty of php_html_puts.

Ok, so I'll use your method.  By the way, there was nothing inherent in the 
two places you used 'inherent', on this topic :)

  I'd *really* like to avoid having two copies of the same code,
  though.  Please remove the duplicated implementation...

 Ok, I'll implement the solution I posted earlier and make
 zend_html_puts a function pointer.

Again, I fail to understand the logic behind it.  I'll change the space 
handling code to your method (which is indeed nicer);  Why on earth would 
we need to have a stupid HTML printout function as a function pointer?


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Sascha Schumann]

 Ok, so I'll use your method.  By the way, there was nothing inherent in the
 two places you used 'inherent', on this topic :)

php_html_puts is simple, consistent and easy to follow.
These are its essential characteristics, and thus they are
inherent.  But I digress.

 Again, I fail to understand the logic behind it.  I'll change the space
 handling code to your method (which is indeed nicer);  Why on earth would
 we need to have a stupid HTML printout function as a function pointer?

If you would also address the two performance aspects I
mentioned earlier, I would divert from my current stance that
php_html_puts should be used further.

Oh, wait and there is a third issue I did not think of
earlier.

Because zend_html_puts does not convert the whole string and
calls ZEND_PUTC/_PUTS for each token, not only does that
cause a TSRMLS_FETCH for every token, it also adds a jump
over an indirect function pointer each time (zend_write).
Thousands of such calls can easily add up and introduce a
significant and in this case unnecessary overhead.

php_html_puts can avoid this, because it knows about
PHPWRITE and calls it only once per string, instead of
a few dozen times.

The last point cannot be easily addressed other than by
supporting a redefinition of zend_html_puts by the
application.

- Sascha Experience IRCG
  http://schumann.cx/http://schumann.cx/ircg


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

At 19:00 12/05/2002, Sascha Schumann wrote:
  Again, I fail to understand the logic behind it.  I'll change the space
  handling code to your method (which is indeed nicer);  Why on earth would
  we need to have a stupid HTML printout function as a function pointer?

 If you would also address the two performance aspects I
 mentioned earlier, I would divert from my current stance that
 php_html_puts should be used further.

No, I believe that if we decide that performance is important enough, we 
make php_html_puts() be a wrapper around zend_html_puts() that uses output 
buffering.  The performance difference between an output buffering 
implementation and a specialized buffered implementation will most probably 
be negligible.  You still haven't said why we should even strive to make 
html_puts() as efficient as possible.  Again, the only place it's being 
used today is phpinfo(), and in all these years, I've yet to hear about a 
single person that complained about its performance :)

 Oh, wait and there is a third issue I did not think of
 earlier.

You could find a zillion such places, and it doesn't mean anything.  We 
have an infrastructure for a reason, and it makes sense to work around it 
only when you have an performance sensitive function, which html_puts() 
clearly is not.  The function pointer dereferences, as well as TSRM 
fetches, are completely negligible in comparison to the IO performance.

A small test I conducted, calling phpinfo():
No buffering:   12 req/s
Specialized OB: 36.3 req/s
PHP OB (C level, for each separate string): 35.9 req/s
PHP OB (userland, for the entire phpinfo()):50 req/s

I still don't think that we should care too much about the performance of 
this function, but if decide that we do, then turning it into a function 
pointer is not exactly the right thing to do :)

Zeev


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Fwd: Re: [PHP-DEV] Re: Any idea why we have two html_puts()'s?

[Zeev Suraski]

I messed up on the test, I left output buffering enabled for tests 2 and 
3.  So you can see that using output buffering on top of the global output 
buffering (whether specialized or not) slows you down by about 30%.

However, to be fair, the numbers w/o global output buffering enabled:

Specialied OB:  26 req/s
PHP OB (C level, for each separate string): 23 req/s

No buffering:   12 req/s
Specialized OB: 36.3 req/s
PHP OB (C level, for each separate string): 35.9 req/s
PHP OB (userland, for the entire phpinfo()):50 req/s

By far, the quickest solution is to use output buffering for the entire page.


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

[Sebastian Bergmann]

Sascha Schumann wrote:
 WITH is solely for the purpose of pointing to paths and other external
 entities.

 Note that the comment has always mentioned --disable-mbstring which
 clearly refers to enable and not with.

  Shouldn't '--without-mysql' be renamed to '--disable-mysql' then?

-- 
  Sebastian Bergmann
  http://sebastian-bergmann.de/ http://phpOpenTracker.de/

  Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Segfault in current HEAD

[Sebastian Bergmann]

  Can't tell how to reproduce this, it occurs when working with Harald's
  form validation system, which is built on top of PEAR::XML_Transformer:

NTDLL! 778cb892()
NTDLL! 778cb733()
shutdown_memory_manager(int 0, int 0, void * * * 0x00b328d8) line 468 + 60
bytes
php_request_shutdown(void * 0x) line 818 + 34 bytes
main(int 1, char * * 0x00b324c8) line 1072 + 8 bytes
mainCRTStartup() line 338 + 17 bytes

-- 
  Sebastian Bergmann
  http://sebastian-bergmann.de/ http://phpOpenTracker.de/

  Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

[Jan Lehnardt]

Hi,
On Sun, 12 May 2002 19:33:13 +0200
Sebastian Bergmann [EMAIL PROTECTED] wrote:

   Shouldn't '--without-mysql' be renamed to '--disable-mysql' then?
you want to have --with-mysql=/path/to and --disable-mysql as the two
options ?
-1

Jan
-- 
Q: Thank Jan? A: http://geschenke.an.dasmoped.net/

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Segfault in current HEAD

[Zeev Suraski]

This trace isn't meaningful...

At 20:36 12/05/2002, Sebastian Bergmann wrote:
   Can't tell how to reproduce this, it occurs when working with Harald's
   form validation system, which is built on top of PEAR::XML_Transformer:

NTDLL! 778cb892()
NTDLL! 778cb733()
shutdown_memory_manager(int 0, int 0, void * * * 0x00b328d8) line 468 + 60
bytes
php_request_shutdown(void * 0x) line 818 + 34 bytes
main(int 1, char * * 0x00b324c8) line 1072 + 8 bytes
mainCRTStartup() line 338 + 17 bytes

--
   Sebastian Bergmann
   http://sebastian-bergmann.de/http://phpOpenTracker.de/

   Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4 /ext/mbstring config.m4

[Sebastian Bergmann]

Jan Lehnardt wrote:
 you want to have --with-mysql=/path/to and --disable-mysql as the two
 options ?

  Never mind, I forgot about --with-mysql=/path/to.

-- 
  Sebastian Bergmann
  http://sebastian-bergmann.de/ http://phpOpenTracker.de/

  Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Segfault in current HEAD

[Sebastian Bergmann]

Zeev Suraski wrote:
 This trace isn't meaningful...

  I know. How would I produce a more useful one?

-- 
  Sebastian Bergmann
  http://sebastian-bergmann.de/ http://phpOpenTracker.de/

  Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Segfault in current HEAD

[Zeev Suraski]

At 21:33 12/05/2002, Sebastian Bergmann wrote:
Zeev Suraski wrote:
  This trace isn't meaningful...

   I know. How would I produce a more useful one?

It's probably not possible - the best thing to do is to try to cut down the 
script to the smallest one that still demonstrates the crash.

Zeev


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Getting posted variable

[Stéphane Tirard]

Hello,

I would like to know how I can reach the posted variables , the one
included in the HTTP_POST_VARS array, outside the php page.

In fact I would like to do something like : MyPhpPbject
-getPostedVar();
The getPostedVars would be located in an included file.

instead of MyVar-var1 = HTTP_POST_VARS[field1] and so on.


Thank you


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP-DEV] Getting posted variable

[Pierre-Alain Joye]

Vous etes dans la mauvaise liste, inscrivez-vous sur
http://fr2.php.net/mailing-lists.php - General user list


a+

pa


 -Original Message-
 From: Stephane Tirard [mailto:[EMAIL PROTECTED]]
 Sent: lundi 13 mai 2002 00:22
 To: [EMAIL PROTECTED]
 Subject: [PHP-DEV] Getting posted variable
 
 
 Hello,
 
 I would like to know how I can reach the posted variables , the one
 included in the HTTP_POST_VARS array, outside the php page.
 
 In fact I would like to do something like : MyPhpPbject
 -getPostedVar();
 The getPostedVars would be located in an included file.
 
 instead of MyVar-var1 = HTTP_POST_VARS[field1] and so on.
 
 
 Thank you
 
 
 -- 
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php
 

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PATCH] IMAP module efficiency improvements

[Jon Parise]

On Fri, May 10, 2002 at 02:49:12PM -0400, Rob Siemborski wrote:

 Last summer I sent in some patches to speed up the IMAP module's dealing
 with large mailboxes.   At the time I noted that there were similar
 problems with other parts of the module, but I didn't have time to fix
 them then.
 
 Since I still see the problems in 4.2.0 (and I've suddenly had a need to
 improve performance with large #'s of mailboxes), I went ahead and
 finished the patch for folder lists.
 
 The changes to php_imap.c and php_imap.h are attached.  Basically the same
 things that I did to the message list last year.
 
 If someone could briefly look these over and commit them that would be
 very helpful.
 
Your changes look good, so I just committed them.  They probably won't
be included in the 4.2.1 release, however.

-- 
Jon Parise ([EMAIL PROTECTED])  .  Information Technology (2001)
http://www.csh.rit.edu/~jon/  :  Computer Science House Member

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

[Rasmus Lerdorf]

Not quite sure how to fix this one.  It's not like we can simply check
before we open the error_log file in general, because that might be set
by the server admin, it is only if the user tries to redefine where this
error logfile should be that we want to apply the safe-mode restriction.
Even if we try to do everything in the VCWD stuff in 4.3 we will have to
keep some sort of state that tells us who provided the error
logfile pathname

-Rasmus

On 12 May 2002 [EMAIL PROTECTED] wrote:

 From: [EMAIL PROTECTED]
 Operating system: Linux 2.4.18
 PHP version:  4.2.0
 PHP Bug Type: Scripting Engine problem
 Bug description:  error_log can be used to bypass safe_mode

 By doing ini_set('error_log', 'any_path); The user can append data to any
 file writeable by the webserver.
 --
 Edit bug report at http://bugs.php.net/?id=17168edit=1
 --
 Fixed in CVS:http://bugs.php.net/fix.php?id=17168r=fixedcvs
 Fixed in release:http://bugs.php.net/fix.php?id=17168r=alreadyfixed
 Need backtrace:  http://bugs.php.net/fix.php?id=17168r=needtrace
 Try newer version:   http://bugs.php.net/fix.php?id=17168r=oldversion
 Not developer issue: http://bugs.php.net/fix.php?id=17168r=support
 Expected behavior:   http://bugs.php.net/fix.php?id=17168r=notwrong
 Not enough info: http://bugs.php.net/fix.php?id=17168r=notenoughinfo
 Submitted twice: http://bugs.php.net/fix.php?id=17168r=submittedtwice
 register_globals:http://bugs.php.net/fix.php?id=17168r=globals



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Stig S. Bakken]

I'm +1 on removing safe mode in PHP 5, and encourage the use of
system-level sandboxes/prisons instead.

 - Stig

On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
 In the process of writing an installer in PHP for one of my projects I've come 
 in contact with a number of servers running PHP with safe_mode enabled.
 
 As you can probably imagine the installer at first broke completely because of 
 safe_mode restrictions. Despite the restriction I was able to write php code 
 that was able to bypass safe_mode restriction in every single case, which 
 should tell you just how safe that option is.
 
 There are numerous ways to bypass it, rely on file system utils if they are in 
 the path, make the script copy itself and then write stuff as webserver, 
 install a small script into cgi-bin directory that will do the same thing 
 etc...
 The number of ways to bypass this feature are too numerous to list here.
 
 I should also point out that safe_mode implementation has numerous bugs in 
 every PHP version including the very latest CVS.
 
 It is my belief that safe_mode gives people who use false sense of security by 
 supposedly securing their webserver from their own users, which is 
 pointless since a dedicated user can cause plenty of damage by using 
 while(1) include $PHP_SELF; etc...
 In addition safe_mode makes the developer life extremely difficult since it 
 blocks the most common operations that ARE ALLOWED by the webserver's file 
 permissions, why does PHP take on the role that is not done in any other 
 programming language?
 It is nearly impossible to write a PHP file system code that would work with 
 safe_mode it is much easier to just release C/Perl/Python etc.. code that 
 will do the very same thing and run via a command line or the user's cgi-bin 
 directory.
 For example, if a user uploads test.php with their FTP and test.php creates a 
 file, it will no longer be able to read that file under safe_mode since the 
 uid of the script and the file it created differ.
 
 IMHO safe_mode should be removed from the php core, because it lulls web 
 server admins into false sense of security thus not taking the time to setup 
 proper file system permissions in addition to severely crippling the PHP's 
 file system functionality.
 
 If the safe_mode like functionality remains it should simply block all file 
 system and shell execution code since with it most of that code becomes 
 useless anyway.
 
 Regards,
 
 Ilia 
 
 -- 
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

[Zeev Suraski]

We can check it at the ini handler level.

We can either forbid modifying error_log from userspace (denying 
PHP_INI_USER),  deny it only in safe mode, or even apply the safe mode 
restriction at that level.

At 00:25 13/05/2002, Rasmus Lerdorf wrote:
Not quite sure how to fix this one.  It's not like we can simply check
before we open the error_log file in general, because that might be set
by the server admin, it is only if the user tries to redefine where this
error logfile should be that we want to apply the safe-mode restriction.
Even if we try to do everything in the VCWD stuff in 4.3 we will have to
keep some sort of state that tells us who provided the error
logfile pathname

-Rasmus

On 12 May 2002 [EMAIL PROTECTED] wrote:

  From: [EMAIL PROTECTED]
  Operating system: Linux 2.4.18
  PHP version:  4.2.0
  PHP Bug Type: Scripting Engine problem
  Bug description:  error_log can be used to bypass safe_mode
 
  By doing ini_set('error_log', 'any_path); The user can append data to any
  file writeable by the webserver.
  --
  Edit bug report at http://bugs.php.net/?id=17168edit=1
  --
  Fixed in CVS:http://bugs.php.net/fix.php?id=17168r=fixedcvs
  Fixed in release:http://bugs.php.net/fix.php?id=17168r=alreadyfixed
  Need backtrace:  http://bugs.php.net/fix.php?id=17168r=needtrace
  Try newer version:   http://bugs.php.net/fix.php?id=17168r=oldversion
  Not developer issue: http://bugs.php.net/fix.php?id=17168r=support
  Expected behavior:   http://bugs.php.net/fix.php?id=17168r=notwrong
  Not enough info: http://bugs.php.net/fix.php?id=17168r=notenoughinfo
  Submitted twice: http://bugs.php.net/fix.php?id=17168r=submittedtwice
  register_globals:http://bugs.php.net/fix.php?id=17168r=globals
 


--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

[Rasmus Lerdorf]

Right, but it would seem like we need a bit of a general purpose check on
ini_set() from userspace.  There are probably other directives that we may
not want to allow or at least want to check from safe_mode.  But yes,
that's the code I was looking at.  I think we should apply the safe-mode
restriction on the argument in the ini handler.

-R

On Mon, 13 May 2002, Zeev Suraski wrote:

 We can check it at the ini handler level.

 We can either forbid modifying error_log from userspace (denying
 PHP_INI_USER),  deny it only in safe mode, or even apply the safe mode
 restriction at that level.

 At 00:25 13/05/2002, Rasmus Lerdorf wrote:
 Not quite sure how to fix this one.  It's not like we can simply check
 before we open the error_log file in general, because that might be set
 by the server admin, it is only if the user tries to redefine where this
 error logfile should be that we want to apply the safe-mode restriction.
 Even if we try to do everything in the VCWD stuff in 4.3 we will have to
 keep some sort of state that tells us who provided the error
 logfile pathname
 
 -Rasmus
 
 On 12 May 2002 [EMAIL PROTECTED] wrote:
 
   From: [EMAIL PROTECTED]
   Operating system: Linux 2.4.18
   PHP version:  4.2.0
   PHP Bug Type: Scripting Engine problem
   Bug description:  error_log can be used to bypass safe_mode
  
   By doing ini_set('error_log', 'any_path); The user can append data to any
   file writeable by the webserver.
   --
   Edit bug report at http://bugs.php.net/?id=17168edit=1
   --
   Fixed in CVS:http://bugs.php.net/fix.php?id=17168r=fixedcvs
   Fixed in release:http://bugs.php.net/fix.php?id=17168r=alreadyfixed
   Need backtrace:  http://bugs.php.net/fix.php?id=17168r=needtrace
   Try newer version:   http://bugs.php.net/fix.php?id=17168r=oldversion
   Not developer issue: http://bugs.php.net/fix.php?id=17168r=support
   Expected behavior:   http://bugs.php.net/fix.php?id=17168r=notwrong
   Not enough info: http://bugs.php.net/fix.php?id=17168r=notenoughinfo
   Submitted twice: http://bugs.php.net/fix.php?id=17168r=submittedtwice
   register_globals:http://bugs.php.net/fix.php?id=17168r=globals
  
 
 
 --
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Rasmus Lerdorf]

But for really large shared hosts, I don't think that is feasible.  How
are you going set up 100,000 prisons on a server?

 I'm +1 on removing safe mode in PHP 5, and encourage the use of
 system-level sandboxes/prisons instead.

  - Stig

 On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
  In the process of writing an installer in PHP for one of my projects I've come
  in contact with a number of servers running PHP with safe_mode enabled.
 
  As you can probably imagine the installer at first broke completely because of
  safe_mode restrictions. Despite the restriction I was able to write php code
  that was able to bypass safe_mode restriction in every single case, which
  should tell you just how safe that option is.
 
  There are numerous ways to bypass it, rely on file system utils if they are in
  the path, make the script copy itself and then write stuff as webserver,
  install a small script into cgi-bin directory that will do the same thing
  etc...
  The number of ways to bypass this feature are too numerous to list here.
 
  I should also point out that safe_mode implementation has numerous bugs in
  every PHP version including the very latest CVS.
 
  It is my belief that safe_mode gives people who use false sense of security by
  supposedly securing their webserver from their own users, which is
  pointless since a dedicated user can cause plenty of damage by using
  while(1) include $PHP_SELF; etc...
  In addition safe_mode makes the developer life extremely difficult since it
  blocks the most common operations that ARE ALLOWED by the webserver's file
  permissions, why does PHP take on the role that is not done in any other
  programming language?
  It is nearly impossible to write a PHP file system code that would work with
  safe_mode it is much easier to just release C/Perl/Python etc.. code that
  will do the very same thing and run via a command line or the user's cgi-bin
  directory.
  For example, if a user uploads test.php with their FTP and test.php creates a
  file, it will no longer be able to read that file under safe_mode since the
  uid of the script and the file it created differ.
 
  IMHO safe_mode should be removed from the php core, because it lulls web
  server admins into false sense of security thus not taking the time to setup
  proper file system permissions in addition to severely crippling the PHP's
  file system functionality.
 
  If the safe_mode like functionality remains it should simply block all file
  system and shell execution code since with it most of that code becomes
  useless anyway.
 
  Regards,
 
  Ilia
 
  --
  PHP Development Mailing List http://www.php.net/
  To unsubscribe, visit: http://www.php.net/unsub.php


 --
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Stig S. Bakken]

Well, as long as there is exec(2), there is a way.  How many users do
Lycos Europe provide sandboxed PHP for?

 - Stig

On Sun, 2002-05-12 at 23:37, Rasmus Lerdorf wrote:
 But for really large shared hosts, I don't think that is feasible.  How
 are you going set up 100,000 prisons on a server?
 
  I'm +1 on removing safe mode in PHP 5, and encourage the use of
  system-level sandboxes/prisons instead.
 
   - Stig
 
  On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
   In the process of writing an installer in PHP for one of my projects I've come
   in contact with a number of servers running PHP with safe_mode enabled.
  
   As you can probably imagine the installer at first broke completely because of
   safe_mode restrictions. Despite the restriction I was able to write php code
   that was able to bypass safe_mode restriction in every single case, which
   should tell you just how safe that option is.
  
   There are numerous ways to bypass it, rely on file system utils if they are in
   the path, make the script copy itself and then write stuff as webserver,
   install a small script into cgi-bin directory that will do the same thing
   etc...
   The number of ways to bypass this feature are too numerous to list here.
  
   I should also point out that safe_mode implementation has numerous bugs in
   every PHP version including the very latest CVS.
  
   It is my belief that safe_mode gives people who use false sense of security by
   supposedly securing their webserver from their own users, which is
   pointless since a dedicated user can cause plenty of damage by using
   while(1) include $PHP_SELF; etc...
   In addition safe_mode makes the developer life extremely difficult since it
   blocks the most common operations that ARE ALLOWED by the webserver's file
   permissions, why does PHP take on the role that is not done in any other
   programming language?
   It is nearly impossible to write a PHP file system code that would work with
   safe_mode it is much easier to just release C/Perl/Python etc.. code that
   will do the very same thing and run via a command line or the user's cgi-bin
   directory.
   For example, if a user uploads test.php with their FTP and test.php creates a
   file, it will no longer be able to read that file under safe_mode since the
   uid of the script and the file it created differ.
  
   IMHO safe_mode should be removed from the php core, because it lulls web
   server admins into false sense of security thus not taking the time to setup
   proper file system permissions in addition to severely crippling the PHP's
   file system functionality.
  
   If the safe_mode like functionality remains it should simply block all file
   system and shell execution code since with it most of that code becomes
   useless anyway.
  
   Regards,
  
   Ilia
  
   --
   PHP Development Mailing List http://www.php.net/
   To unsubscribe, visit: http://www.php.net/unsub.php
 
 
  --
  PHP Development Mailing List http://www.php.net/
  To unsubscribe, visit: http://www.php.net/unsub.php
 


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Rasmus Lerdorf]

Ok, but dropping to CGI is kind of crappy.  Especially on a really busy
server.

On 12 May 2002, Stig S. Bakken wrote:

 Well, as long as there is exec(2), there is a way.  How many users do
 Lycos Europe provide sandboxed PHP for?

  - Stig

 On Sun, 2002-05-12 at 23:37, Rasmus Lerdorf wrote:
  But for really large shared hosts, I don't think that is feasible.  How
  are you going set up 100,000 prisons on a server?
 
   I'm +1 on removing safe mode in PHP 5, and encourage the use of
   system-level sandboxes/prisons instead.
  
- Stig
  
   On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
In the process of writing an installer in PHP for one of my projects I've come
in contact with a number of servers running PHP with safe_mode enabled.
   
As you can probably imagine the installer at first broke completely because of
safe_mode restrictions. Despite the restriction I was able to write php code
that was able to bypass safe_mode restriction in every single case, which
should tell you just how safe that option is.
   
There are numerous ways to bypass it, rely on file system utils if they are in
the path, make the script copy itself and then write stuff as webserver,
install a small script into cgi-bin directory that will do the same thing
etc...
The number of ways to bypass this feature are too numerous to list here.
   
I should also point out that safe_mode implementation has numerous bugs in
every PHP version including the very latest CVS.
   
It is my belief that safe_mode gives people who use false sense of security by
supposedly securing their webserver from their own users, which is
pointless since a dedicated user can cause plenty of damage by using
while(1) include $PHP_SELF; etc...
In addition safe_mode makes the developer life extremely difficult since it
blocks the most common operations that ARE ALLOWED by the webserver's file
permissions, why does PHP take on the role that is not done in any other
programming language?
It is nearly impossible to write a PHP file system code that would work with
safe_mode it is much easier to just release C/Perl/Python etc.. code that
will do the very same thing and run via a command line or the user's cgi-bin
directory.
For example, if a user uploads test.php with their FTP and test.php creates a
file, it will no longer be able to read that file under safe_mode since the
uid of the script and the file it created differ.
   
IMHO safe_mode should be removed from the php core, because it lulls web
server admins into false sense of security thus not taking the time to setup
proper file system permissions in addition to severely crippling the PHP's
file system functionality.
   
If the safe_mode like functionality remains it should simply block all file
system and shell execution code since with it most of that code becomes
useless anyway.
   
Regards,
   
Ilia
   
--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
  
  
   --
   PHP Development Mailing List http://www.php.net/
   To unsubscribe, visit: http://www.php.net/unsub.php
  



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Rasmus Lerdorf]

Instead of just giving up on the problem, perhaps we should go into full
attack mode.  I see a couple of choices (and there are probably others):

1. Review and push open_basedir as the PHP-based jail mechanism

2. Pitch in and get Apache 2's perchild mpm up to snuff.  There are
   all sorts of other issues associated with this option though, like
   needing to make sure all the stuff we link against is threadsafe.

3. Push FastCGI as the solution based on Shane's latest work on that front

4. Come up with step-by-step idiot-proof instructions for setting up Squid
   or other reverse proxies and running multiple instances of Apache
   listening on multiple ports and having requests directed appropriately
   by something like SquidGuard.

I don't mean we should do just one of these, we should perhaps push
forward on all fronts and come up with a document that describes the
plusses and minuses of each as it applies to large shared hosting
scenarios.

-Rasmus


On 12 May 2002, Stig S. Bakken wrote:

 I'm +1 on removing safe mode in PHP 5, and encourage the use of
 system-level sandboxes/prisons instead.

  - Stig

 On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
  In the process of writing an installer in PHP for one of my projects I've come
  in contact with a number of servers running PHP with safe_mode enabled.
 
  As you can probably imagine the installer at first broke completely because of
  safe_mode restrictions. Despite the restriction I was able to write php code
  that was able to bypass safe_mode restriction in every single case, which
  should tell you just how safe that option is.
 
  There are numerous ways to bypass it, rely on file system utils if they are in
  the path, make the script copy itself and then write stuff as webserver,
  install a small script into cgi-bin directory that will do the same thing
  etc...
  The number of ways to bypass this feature are too numerous to list here.
 
  I should also point out that safe_mode implementation has numerous bugs in
  every PHP version including the very latest CVS.
 
  It is my belief that safe_mode gives people who use false sense of security by
  supposedly securing their webserver from their own users, which is
  pointless since a dedicated user can cause plenty of damage by using
  while(1) include $PHP_SELF; etc...
  In addition safe_mode makes the developer life extremely difficult since it
  blocks the most common operations that ARE ALLOWED by the webserver's file
  permissions, why does PHP take on the role that is not done in any other
  programming language?
  It is nearly impossible to write a PHP file system code that would work with
  safe_mode it is much easier to just release C/Perl/Python etc.. code that
  will do the very same thing and run via a command line or the user's cgi-bin
  directory.
  For example, if a user uploads test.php with their FTP and test.php creates a
  file, it will no longer be able to read that file under safe_mode since the
  uid of the script and the file it created differ.
 
  IMHO safe_mode should be removed from the php core, because it lulls web
  server admins into false sense of security thus not taking the time to setup
  proper file system permissions in addition to severely crippling the PHP's
  file system functionality.
 
  If the safe_mode like functionality remains it should simply block all file
  system and shell execution code since with it most of that code becomes
  useless anyway.
 
  Regards,
 
  Ilia
 
  --
  PHP Development Mailing List http://www.php.net/
  To unsubscribe, visit: http://www.php.net/unsub.php


 --
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Bug #17168: error_log can be used to bypass safe_mode

[Ilia A.]

Maybe creating an php.ini option like disable_ini where the admin can list 
the ini options that can be or cannot be set by users. Of course certain 
options like child_terminate should be disabled by default.
Btw the child_terminate which allows the user to kill the current apache 
child is setup in such a way that anyone can enable it. IMHO that is a very 
bad idea, a user should not have the decision over their ability to terminate 
apache children, this option should be for the admin alone.

Ilia

On May 12, 2002 05:36 pm, Rasmus Lerdorf wrote:
 Right, but it would seem like we need a bit of a general purpose check on
 ini_set() from userspace.  There are probably other directives that we may
 not want to allow or at least want to check from safe_mode.  But yes,
 that's the code I was looking at.  I think we should apply the safe-mode
 restriction on the argument in the ini handler.

 -R

 On Mon, 13 May 2002, Zeev Suraski wrote:
  We can check it at the ini handler level.
 
  We can either forbid modifying error_log from userspace (denying
  PHP_INI_USER),  deny it only in safe mode, or even apply the safe mode
  restriction at that level.
 
  At 00:25 13/05/2002, Rasmus Lerdorf wrote:
  Not quite sure how to fix this one.  It's not like we can simply check
  before we open the error_log file in general, because that might be set
  by the server admin, it is only if the user tries to redefine where this
  error logfile should be that we want to apply the safe-mode restriction.
  Even if we try to do everything in the VCWD stuff in 4.3 we will have to
  keep some sort of state that tells us who provided the error
  logfile pathname
  
  -Rasmus
  
  On 12 May 2002 [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED]
Operating system: Linux 2.4.18
PHP version:  4.2.0
PHP Bug Type: Scripting Engine problem
Bug description:  error_log can be used to bypass safe_mode
   
By doing ini_set('error_log', 'any_path); The user can append data to
any file writeable by the webserver.
--
Edit bug report at http://bugs.php.net/?id=17168edit=1
--
Fixed in CVS:http://bugs.php.net/fix.php?id=17168r=fixedcvs
Fixed in release:   
http://bugs.php.net/fix.php?id=17168r=alreadyfixed Need backtrace:  
   http://bugs.php.net/fix.php?id=17168r=needtrace Try newer
version:   http://bugs.php.net/fix.php?id=17168r=oldversion Not
developer issue: http://bugs.php.net/fix.php?id=17168r=support
Expected behavior:   http://bugs.php.net/fix.php?id=17168r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=17168r=notenoughinfo Submitted twice:
http://bugs.php.net/fix.php?id=17168r=submittedtwice
register_globals:http://bugs.php.net/fix.php?id=17168r=globals
  
  --
  PHP Development Mailing List http://www.php.net/
  To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Ilia A.]

It may not be the fastest solution, but certainly a secure one. It is up to 
each admin to decide whether they want speed or security, I am sure the 
security minded ISPs probably would prefer a small performance loss over 
security  integrity of their customer's data.

Ilia

On May 12, 2002 05:42 pm, Rasmus Lerdorf wrote:
 Ok, but dropping to CGI is kind of crappy.  Especially on a really busy
 server.

 On 12 May 2002, Stig S. Bakken wrote:
  Well, as long as there is exec(2), there is a way.  How many users do
  Lycos Europe provide sandboxed PHP for?
 
   - Stig
 
  On Sun, 2002-05-12 at 23:37, Rasmus Lerdorf wrote:
   But for really large shared hosts, I don't think that is feasible.  How
   are you going set up 100,000 prisons on a server?
  
I'm +1 on removing safe mode in PHP 5, and encourage the use of
system-level sandboxes/prisons instead.
   
 - Stig
   
On Sat, 2002-05-11 at 17:39, Ilia A. wrote:
 In the process of writing an installer in PHP for one of my
 projects I've come in contact with a number of servers running PHP
 with safe_mode enabled.

 As you can probably imagine the installer at first broke completely
 because of safe_mode restrictions. Despite the restriction I was
 able to write php code that was able to bypass safe_mode
 restriction in every single case, which should tell you just how
 safe that option is.

 There are numerous ways to bypass it, rely on file system utils if
 they are in the path, make the script copy itself and then write
 stuff as webserver, install a small script into cgi-bin directory
 that will do the same thing etc...
 The number of ways to bypass this feature are too numerous to list
 here.

 I should also point out that safe_mode implementation has numerous
 bugs in every PHP version including the very latest CVS.

 It is my belief that safe_mode gives people who use false sense of
 security by supposedly securing their webserver from their own
 users, which is pointless since a dedicated user can cause plenty
 of damage by using while(1) include $PHP_SELF; etc...
 In addition safe_mode makes the developer life extremely difficult
 since it blocks the most common operations that ARE ALLOWED by the
 webserver's file permissions, why does PHP take on the role that is
 not done in any other programming language?
 It is nearly impossible to write a PHP file system code that would
 work with safe_mode it is much easier to just release C/Perl/Python
 etc.. code that will do the very same thing and run via a command
 line or the user's cgi-bin directory.
 For example, if a user uploads test.php with their FTP and test.php
 creates a file, it will no longer be able to read that file under
 safe_mode since the uid of the script and the file it created
 differ.

 IMHO safe_mode should be removed from the php core, because it
 lulls web server admins into false sense of security thus not
 taking the time to setup proper file system permissions in addition
 to severely crippling the PHP's file system functionality.

 If the safe_mode like functionality remains it should simply block
 all file system and shell execution code since with it most of that
 code becomes useless anyway.

 Regards,

 Ilia

 --
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php
   
--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Session question/bug?

[brad lafountain]

I was looking at the functionality of session_unset. Currently if register
globals is on it will get rid of all variables and it also clears out
PS(http_session_vars).. should it also get rid of PS(vars)?


 I have a script that changes the session id a few times thruought the live of
the script. The problem is that it keeps the variables in PS(vars) so when i
call session_encode(), (which reads PS(vars)) I get some old session vars..


ex..

?
session_id(1234);
session_start();
$_SESSION['test']++;
var_dump(session_encode());
session_write_close();
session_unset();

session_id(12345);
session_start();
var_dump(session_encode());
// this will have data for test

?



After looking thru the session functions i don't see any of them that clear out
PS(vars).



 - Brad 

__
Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Aaron Bannert]

On Sun, May 12, 2002 at 02:52:24PM -0700, Rasmus Lerdorf wrote:
...
 2. Pitch in and get Apache 2's perchild mpm up to snuff.  There are
all sorts of other issues associated with this option though, like
needing to make sure all the stuff we link against is threadsafe.

Actually this isn't as bad as it sounds. I've been doing some of the
work necessary to make perchild portable lately. And as for making it
threadsafe/reentrant, I think those kinds of problems are going to show
up with the worker MPM as well (which seems to be working fairly well
with PHP at the moment).

-aaron

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Shane Caraveo]

FastCGI can provide the security needed in shared environments, without 
loosing all the performance.  I don't beleive it is fast as direct 
server plugins, but there are other benefits...such as running PHP 
single threaded to avoid thread issues.  It would be nice to see it 
become a standard compile option.  One thing that does need to happen is 
a multithreaded fastcgi option for PHP.  I've had that in the back of my 
head but haven't gotten around to it yet.
Shane

Rasmus Lerdorf wrote:
 Instead of just giving up on the problem, perhaps we should go into full
 attack mode.  I see a couple of choices (and there are probably others):
 
 1. Review and push open_basedir as the PHP-based jail mechanism
 
 2. Pitch in and get Apache 2's perchild mpm up to snuff.  There are
all sorts of other issues associated with this option though, like
needing to make sure all the stuff we link against is threadsafe.
 
 3. Push FastCGI as the solution based on Shane's latest work on that front
 
 4. Come up with step-by-step idiot-proof instructions for setting up Squid
or other reverse proxies and running multiple instances of Apache
listening on multiple ports and having requests directed appropriately
by something like SquidGuard.
 
 I don't mean we should do just one of these, we should perhaps push
 forward on all fronts and come up with a document that describes the
 plusses and minuses of each as it applies to large shared hosting
 scenarios.
 
 -Rasmus
 
 
 On 12 May 2002, Stig S. Bakken wrote:
 
 
I'm +1 on removing safe mode in PHP 5, and encourage the use of
system-level sandboxes/prisons instead.

 - Stig

On Sat, 2002-05-11 at 17:39, Ilia A. wrote:

In the process of writing an installer in PHP for one of my projects I've come
in contact with a number of servers running PHP with safe_mode enabled.

As you can probably imagine the installer at first broke completely because of
safe_mode restrictions. Despite the restriction I was able to write php code
that was able to bypass safe_mode restriction in every single case, which
should tell you just how safe that option is.

There are numerous ways to bypass it, rely on file system utils if they are in
the path, make the script copy itself and then write stuff as webserver,
install a small script into cgi-bin directory that will do the same thing
etc...
The number of ways to bypass this feature are too numerous to list here.

I should also point out that safe_mode implementation has numerous bugs in
every PHP version including the very latest CVS.

It is my belief that safe_mode gives people who use false sense of security by
supposedly securing their webserver from their own users, which is
pointless since a dedicated user can cause plenty of damage by using
while(1) include $PHP_SELF; etc...
In addition safe_mode makes the developer life extremely difficult since it
blocks the most common operations that ARE ALLOWED by the webserver's file
permissions, why does PHP take on the role that is not done in any other
programming language?
It is nearly impossible to write a PHP file system code that would work with
safe_mode it is much easier to just release C/Perl/Python etc.. code that
will do the very same thing and run via a command line or the user's cgi-bin
directory.
For example, if a user uploads test.php with their FTP and test.php creates a
file, it will no longer be able to read that file under safe_mode since the
uid of the script and the file it created differ.

IMHO safe_mode should be removed from the php core, because it lulls web
server admins into false sense of security thus not taking the time to setup
proper file system permissions in addition to severely crippling the PHP's
file system functionality.

If the safe_mode like functionality remains it should simply block all file
system and shell execution code since with it most of that code becomes
useless anyway.

Regards,

Ilia

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

 
 
 




-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Rasmus Lerdorf]

  2. Pitch in and get Apache 2's perchild mpm up to snuff.  There are
 all sorts of other issues associated with this option though, like
 needing to make sure all the stuff we link against is threadsafe.

 Actually this isn't as bad as it sounds. I've been doing some of the
 work necessary to make perchild portable lately. And as for making it
 threadsafe/reentrant, I think those kinds of problems are going to show
 up with the worker MPM as well (which seems to be working fairly well
 with PHP at the moment).

True, but the perchild mpm is really rough.  I was trying it yesterday and
it looks like it needs some serious work.  We also have to realize that
the target market here is the big-ass ISP and they are traditionally slow
to upgrade so it will be a good long while before they are going to go
anywhere near Apache2+perchild.  We still need to work towards getting
this stable and useful, but it is not the solution for 6-months from now
in my opinion.  More like 18-months out.

-Rasmus


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] PATCH - improvements for imap_headerinfo() (fwd)

[Jon Parise]

On Mon, May 13, 2002 at 12:35:12AM +0300, Jani Taskinen wrote:

Reviewed and committed.

- Jon

 
Can you check this patch too? :)
 
--Jani

 -- Forwarded message --
 Date: 24 Apr 2002 15:02:45 -0400
 From: Adam Kauffman [EMAIL PROTECTED]
 To: Jani Taskinen [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP-DEV] PATCH - improvements for imap_headerinfo()
 
 These changes don't (although I realize you shouldn't just take my word
 for it) break the functionality of imap_headerinfo().  It just is a
 streamlined way of doing it.
 
 The function as it stands does a mail_fetchheader_full(), takes the
 result of that, and turns it into an envelope object.  Afterwards, it
 has to free that object.  The c-client provides a way to get just the
 envelope with mail_fetchenvelope().  It is beneficial to use this for a
 few reasons:
 
 1. As you can see it makes the code much simpler
 2. It is faster.  For each message you don't have to fetch full headers
 and turn them into an envelope object.  You can simply just get the
 envelope object.
 3. Simpler for the IMAP server.  Instead of making it do a BODY.PEEK, it
 just has to fetch the envelope (which some IMAP servers cache).
 
 Adam
 
 On Wed, 2002-04-24 at 14:33, Jani Taskinen wrote:
  
  What was this patch supposed to do again?
  At first glance it looks like it's modifying the 
  imap_headerinfo() function quite dramatically and 
  propably breaks it too..
  
  Have you compared the output of this function without
  this patch and with it and does it return the same kind
  of object? (and send patches as attachements..)
  
  --Jani



-- 
Jon Parise ([EMAIL PROTECTED])  .  Information Technology (2001)
http://www.csh.rit.edu/~jon/  :  Computer Science House Member

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Jason Greene]

 while(1) fopen(rand(), w);
 
 After a few seconds depending on system speed system will run out of file 
 pointers. I am sure you can see how that would be BAD.

You are _extremely_ incorrect. The previously mentioned code would open
1 file descriptor repeatedly until the script hit max execution time.

This occurs because the garbage collector closes the unused file
descriptor with every iteration.

You could gain the desired effect of abusing file descriptors by using
the following code

while (1) $vars[]=fopen(rand(), w);

However, quite frankly, this is a lame attack, because all it will do is
consume file descriptors for only the CHILD process the script is
running in. The script will then hit the fd limit of the child process
(most systems around 255 is the default) This will not hurt the process,
because all needed file descriptors were opened before the script was
executed. The beauty of this is that the kernel will the reject all
future calls beyond the limit, which halts i/o usage, and causes the
process to consume more user time, which cause the process to hit max
execution limit.

The argument you make to remove safe mode because it is not perfect is
unfounded. By the same argument you could say we shouldn't use locks on
our doors, because hey they can be picked.

-Jason





 Ilia
 
 -- 
 PHP Development Mailing List http://www.php.net/
 To unsubscribe, visit: http://www.php.net/unsub.php
 



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Ilia A.]

 However, quite frankly, this is a lame attack, because all it will do is
 consume file descriptors for only the CHILD process the script is
 running in. The script will then hit the fd limit of the child process
 (most systems around 255 is the default) This will not hurt the process,
 because all needed file descriptors were opened before the script was
 executed. The beauty of this is that the kernel will the reject all
 future calls beyond the limit, which halts i/o usage, and causes the
 process to consume more user time, which cause the process to hit max
 execution limit. 

While the file description attack may be lame as you call it and won't cause 
excessive harm. There are many other ways that 2-3 lines a webserver can be 
brought down to its knees. If you want I can post code for A LOT more potent 
attacks that will disable the webserver. I simply choose not to because I 
believe that disclosing such information will do more harm then good.
Even the lame file descriptor attack can be made very dangerous by adding of 
1 line of code.


 The argument you make to remove safe mode because it is not perfect is
 unfounded. By the same argument you could say we shouldn't use locks on
 our doors, because hey they can be picked.


Safe mode is not only imperfect it does not even work properly. In the last 
day and a half I've showed 5 bugs that allow it be bypassed, simply take a 
look at the latest safe_mode bugs. Some of those were fixed other were not as 
yet. To continue with your lock analogy, you do not protect your house with a 
broken lock, because beyond cosmetic value it does absolutely nothing.


Ilia

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Jason Greene]

On Sun, 2002-05-12 at 22:46, Ilia A. wrote:
  However, quite frankly, this is a lame attack, because all it will do is
  consume file descriptors for only the CHILD process the script is
  running in. The script will then hit the fd limit of the child process
  (most systems around 255 is the default) This will not hurt the process,
  because all needed file descriptors were opened before the script was
  executed. The beauty of this is that the kernel will the reject all
  future calls beyond the limit, which halts i/o usage, and causes the
  process to consume more user time, which cause the process to hit max
  execution limit. 
 
 While the file description attack may be lame as you call it and won't cause 
 excessive harm. There are many other ways that 2-3 lines a webserver can be 
 brought down to its knees. If you want I can post code for A LOT more potent 
 attacks that will disable the webserver. I simply choose not to because I 
 believe that disclosing such information will do more harm then good.
 Even the lame file descriptor attack can be made very dangerous by adding of 
 1 line of code.
 
Really, what is that line? I would take a bet that it probably has
nothing to do with safe mode, and would work regardless of it being in
the language.. I will also take a bet that there is another security
measure in php that can be used against it.

  The argument you make to remove safe mode because it is not perfect is
  unfounded. By the same argument you could say we shouldn't use locks on
  our doors, because hey they can be picked.
 
 
 Safe mode is not only imperfect it does not even work properly. In the last 
 day and a half I've showed 5 bugs that allow it be bypassed, simply take a 
 look at the latest safe_mode bugs.

Five, I only saw one. Regardless they can and should be fixed.
 Some of those were fixed other were not as 
 yet. To continue with your lock analogy, you do not protect your house with a 
 broken lock, because beyond cosmetic value it does absolutely nothing.


If the lock is broken, you fix it, you don't get rid of the lock
altogether 
 
 Ilia

-Jason



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Ilia A.]

 Really, what is that line? 

sleep(1000);

If you insist on being creative you can use file locking or sockets to get the 
process in to un-interuptible sleep.

 I would take a bet that it probably has
 nothing to do with safe mode, and would work regardless of it being in
 the language..

I am not saying this particular problem is due to safe_mode, which only 
theoreticaly prevents people from viewing/modifying files they do not own. 
I say theoretically because in reality a bugs in safe_mode can be used to 
bypass this limitation or simply write code in another programming language 
to do it. However, safe mode implies safety, which in reality it DOES NOT 
offer, of course if the defenition of the word safe has changed, please let 
me know.

 I will also take a bet that there is another security
 measure in php that can be used against it. 


Don't bet on it, you'll loose.

   The argument you make to remove safe mode because it is not perfect is
   unfounded. By the same argument you could say we shouldn't use locks on
   our doors, because hey they can be picked.
 
  Safe mode is not only imperfect it does not even work properly. In the
  last day and a half I've showed 5 bugs that allow it be bypassed, simply
  take a look at the latest safe_mode bugs.

 Five, I only saw one. Regardless they can and should be fixed.

Check again:

Bug report #17168-69
Bug report #17155-57


  Some of those were fixed other were not as
  yet. To continue with your lock analogy, you do not protect your house
  with a broken lock, because beyond cosmetic value it does absolutely
  nothing.

 If the lock is broken, you fix it, you don't get rid of the lock
 altogether

If you've fixed the same lock a dosen times and it still breaks it is probably 
smarter to get rid off it and get a new one.

Ilia



-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Jason Greene]

On Sun, 2002-05-12 at 23:38, Ilia A. wrote:
  Really, what is that line? 
 
 sleep(1000);
 
 If you insist on being creative you can use file locking or sockets to get the 
 process in to un-interuptible sleep.
 
  I would take a bet that it probably has
  nothing to do with safe mode, and would work regardless of it being in
  the language..
 
 I am not saying this particular problem is due to safe_mode, which only 
 theoreticaly prevents people from viewing/modifying files they do not own. 
 I say theoretically because in reality a bugs in safe_mode can be used to 
 bypass this limitation or simply write code in another programming language 
 to do it. However, safe mode implies safety, which in reality it DOES NOT 
 offer, of course if the defenition of the word safe has changed, please let 
 me know.

Ok now you are changing your argument. If you say it is inappropriately
named, I will agree. However, the functionality of extra uid checks is a
good measure

The thing we have to hope for is that the admin is smart enough to
realize their is no such thing as perfect security


  I will also take bet that there is another security
  measure in php that can be used against it. 
 
 
 Don't bet on it, you'll loose.

disable_functions = sleep

 
The argument you make to remove safe mode because it is not perfect is
unfounded. By the same argument you could say we shouldn't use locks on
our doors, because hey they can be picked.
  
   Safe mode is not only imperfect it does not even work properly. In the
   last day and a half I've showed 5 bugs that allow it be bypassed, simply
   take a look at the latest safe_mode bugs.
 
  Five, I only saw one. Regardless they can and should be fixed.
 
 Check again:
 
 Bug report #17168-69
 Bug report #17155-57

All of those regarding safe mode are fixed now.
 
 
   Some of those were fixed other were not as
   yet. To continue with your lock analogy, you do not protect your house
   with a broken lock, because beyond cosmetic value it does absolutely
   nothing.
 
  If the lock is broken, you fix it, you don't get rid of the lock
  altogether
 
 If you've fixed the same lock a dosen times and it still breaks it is probably 
 smarter to get rid off it and get a new one.
 
 Ilia

It depends on why the lock is broken, you have been suggesting this
whole time that safe mode is a DESIGN flaw. However, your reasoning is
only BUILD flaws. I have yet to hear a single reason as to why the
concept of extra uid, checks of files is a bad thing.

The fact of the matter, is that it is YOU who is ultimately responsible
for your systems security. When you allow thousands of users to share
the same system, and all execute arbitrary code on that system, there is
always the possibility of problems. You can not rely on PHP itself
solving all of your webhosting systems security problems. By the same
argument that you make to get rid of safe mode, we could tell you to not
use a shared environment, and use dedicated servers.

There are problems here and you can be a bit more constructive, and send
patches, offer new security techniques, report bugs. Exaggerating and
cursing safe mode does nothing but waste time.


-Jason


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] [PATCH] Fix bundle compilation on Darwin for Apache 2.0

[Justin Erenkrantz]

This patch adds support for Darwin bundles for the apache2filter
module.  I brought up extending apxs to allow building self-contained
libraries on the dev@httpd lists to no answer.  Since Darwin is a
special case that requires self-contained libraries (unless using
a flat namespace), I don't think it's necessary to add code to apxs
to always build self-contained libraries - we just need to handle
Darwin specially.

This patch does two things that should only be Darwin specific:
- Call apr-config and apu-config to determine the link information
for the requisite libraries so that they can be self-contained.
- Modifies the libphp4.bundle target to allow linking with libtool.
Since ap{ru}-config *may* print out information requiring libtool
to link (i.e. libexpat.la as a dependency), this makes more sense
to me.

While I was at WWDC last week, I talked to the linker developer
and we tossed around some ideas for handling this bundling problem.
I don't forsee any solution coming in the Jaguar timeframe, but
perhaps something later on.  If you are interested in more details,
drop me a line as I don't think the entire PHP community cares
about Darwin.  =)

Please let me know if you have any questions or comments.  I have
tested this on my platform and it works.  -- justin

Index: Makefile.global
===
RCS file: /repository/php4/Makefile.global,v
retrieving revision 1.11
diff -u -r1.11 Makefile.global
--- Makefile.global 28 Apr 2002 03:27:43 -  1.11
+++ Makefile.global 12 May 2002 23:01:21 -
 -15,7 +15,7 
$(LIBTOOL) --mode=link $(CC) $(COMMON_FLAGS) $(CFLAGS) $(EXTRA_CFLAGS) -rpath 
$(phptempdir) $(EXTRA_LDFLAGS) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) 
$(PHP_SAPI_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $
 
 libs/libphp4.bundle: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS)
-   $(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) 
$(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(EXTRA_LIBS) 
$(ZEND_EXTRA_LIBS) -o $  cp $ libs/libphp4.so
+   $(LIBTOOL) --mode=link $(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) 
+$(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) 
+$(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $  cp $ libs/libphp4.so
 
 php: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS)
$(LIBTOOL) --mode=link $(CC) -export-dynamic $(COMMON_FLAGS) $(CFLAGS_CLEAN) 
$(EXTRA_CFLAGS) $(EXTRA_LDFLAGS) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) 
$(PHP_SAPI_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $
Index: sapi/apache2filter/config.m4
===
RCS file: /repository/php4/sapi/apache2filter/config.m4,v
retrieving revision 1.15
diff -u -r1.15 config.m4
--- sapi/apache2filter/config.m45 May 2002 09:52:39 -   1.15
+++ sapi/apache2filter/config.m412 May 2002 23:01:33 -
 -57,7 +57,18 
 INSTALL_IT=$APXS -i -a -n php4 $SAPI_LIBTOOL 
 ;;
   *darwin*)
-MH_BUNDLE_FLAGS=-bundle -bundle_loader $APXS_HTTPD
+dnl When using bundles on Darwin, we must resolve all symbols.  However,
+dnl the linker does not recursively look at the bundle loader and
+dnl pull in its dependencies.  Therefore, we must pull in the APR
+dnl and APR-util libraries.
+APXS_BINDIR=`$APXS -q BINDIR`
+if test -f $APXS_BINDIR/apr-config; then
+MH_BUNDLE_FLAGS=`$APXS_BINDIR/apr-config --ldflags --link-ld --libs`
+fi
+if test -f $APXS_BINDIR/apu-config; then
+MH_BUNDLE_FLAGS=`$APXS_BINDIR/apu-config --ldflags --link-ld --libs` 
+$MH_BUNDLE_FLAGS
+fi
+MH_BUNDLE_FLAGS=-bundle -bundle_loader $APXS_HTTPD $MH_BUNDLE_FLAGS
 PHP_SUBST(MH_BUNDLE_FLAGS)
 PHP_SELECT_SAPI(apache2filter, bundle, sapi_apache2.c apache_config.c 
php_functions.c)
 SAPI_SHARED=libs/libphp4.so

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] [PATCH] Prefer glibtool over libtool (resend)

[Justin Erenkrantz]

(This is a resend of an earlier patch.)

It switches to preferring glibtool over libtool so that we can
correctly run buildconf on Darwin.  Since Darwin comes with a libtool
but not the GNU libtool, we should try glibtool first.  Since libtool
exists, we don't look for glibtool and then when we try to verify
$libtool is a GNU libtool, we fail because $libtool isn't a GNU
libtool.

Please let me know if you have any questions or comments.  -- justin

Index: build/buildcheck.sh
===
RCS file: /repository/php4/build/buildcheck.sh,v
retrieving revision 1.16
diff -u -r1.16 buildcheck.sh
--- build/buildcheck.sh 4 Mar 2002 08:28:57 -   1.16
+++ build/buildcheck.sh 5 May 2002 08:10:10 -
 -60,8 +60,8 
 fi
 
 # libtool 1.4 or newer
-libtool=`which libtool`
-if test ! -f $libtool; then libtool=`which glibtool`; fi
+libtool=`which glibtool`
+if test ! -f $libtool; then libtool=`which libtool`; fi
 lt_pversion=`$libtool --version 2/dev/null|sed -n -e 's/^[^0-9]*//' -e 1's/[- 
].*//p'`
 if test $lt_pversion = ; then
 echo buildconf: libtool not found.

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Ilia A.]

 disable_functions = sleep

Ah but you forgot usleep, and flock() and socket_set_limit etc...
Soon enough you'll disable every function.

And when you do, I'll still be able to deadlock a PHP process by making it 
excute a query on a locked SQL table, thus end up waiting forever for the 
lock to be released. So, you'll need to disable all database functions from 
your PHP.



 The argument you make to remove safe mode because it is not perfect
 is unfounded. By the same argument you could say we shouldn't use
 locks on our doors, because hey they can be picked.
   
Safe mode is not only imperfect it does not even work properly. In
the last day and a half I've showed 5 bugs that allow it be bypassed,
simply take a look at the latest safe_mode bugs.
  
   Five, I only saw one. Regardless they can and should be fixed.
 
  Check again:
 
  Bug report #17168-69
  Bug report #17155-57

 All of those regarding safe mode are fixed now.

Really, you don't say... bug reports #17168-69 are still open at the time of 
this message being written. And when they are closed, don't worry I'll have a 
few more posted tommorow for your enjoyment...

 It depends on why the lock is broken, you have been suggesting this
 whole time that safe mode is a DESIGN flaw. However, your reasoning is
 only BUILD flaws. I have yet to hear a single reason as to why the
 concept of extra uid, checks of files is a bad thing.

It is not PHPs job as a scripting/programming language to do security. 
security should/must be done at the OS and web server level. Checking uid is 
STUPID, the simplest example, is that if you upload a php script and it 
creates a file you can no longer read or write to that file even though you 
have file permissions to do so. 
File system permissions exist for a reason, use them.

If you have sensetive data, like credit card information and you are not using 
a dedicated server to store that data then do be surprised to find your data 
in someone elses hands. In a shared enviroment especially where 
programming/scripting languages are avaliable it is merely a matter of time 
before someone takes advantage of some security hole/oversight and grabs the 
hold of your data.

 There are problems here and you can be a bit more constructive, and send
 patches, offer new security techniques, report bugs. Exaggerating and
 cursing safe mode does nothing but waste time.

I am clearly demonstrating the problem and if you actually payed attention 
instead of trying to pretend this problem did not exist, reporting bugs about 
it. I'd gladly offer a patch that will get rid off safe_mode for the core php 
tree if developers are willing to add it to the CVS :)
Safe mode wasteful and pointless this is no exageratio,n it makes development 
in the safe enviroment pointlessly difficult and offers no real safety.

Ilia

-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PATCH] Prefer glibtool over libtool (resend)

[Marko Karppinen]

 (This is a resend of an earlier patch.)
 
 It switches to preferring glibtool over libtool so that we can
 correctly run buildconf on Darwin.  Since Darwin comes with a libtool
 but not the GNU libtool, we should try glibtool first.  Since libtool
 exists, we don't look for glibtool and then when we try to verify
 $libtool is a GNU libtool, we fail because $libtool isn't a GNU
 libtool.

Thanks Justin!

The thing is, we don't actually use glibtool on the platform at all.
Not with the Apache SAPIs anyway. I'll take a look and see how difficult
it would be to get rid of it completely in these checks and elsewhere.
Until I do, however, your patch is in.

--Marko


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Safe Mode

[Jason Greene]

On Mon, 2002-05-13 at 00:41, Ilia A. wrote:
  disable_functions = sleep
 
 Ah but you forgot usleep, and flock() and socket_set_limit etc...
 Soon enough you'll disable every function.

Not likely, and I wouldn't disable every single function. You complained
about the ability, I provided you with the way that YOU can disable it.
You have to ask yourself why your user would need to be able to call
sleep

 And when you do, I'll still be able to deadlock a PHP process by making it 
 excute a query on a locked SQL table, thus end up waiting forever for the 
 lock to be 
eleased. So, you'll need to disable all database functions from 
 your PHP.
 

Now you are really starting to stretch it. I am sure the ratio of
customers that have db backends are much smaller than general webhosting
customers

In all of these scenarios, the webserver itself would just spawn another
process, and the os would page the other one because it is not in use,
and then eventually the webserver would log the problem.

If you factor that in with a shared environment with multiple webservers
and a load balance, your risk is pretty low. Even if someone did do
something like that to kill all of your webservers, you would easily be
able to find out who did it, and fix the abuser.
 
  The argument you make to remove safe mode because it is not perfect
  is unfounded. By the same argument you could say we shouldn't use
  locks on our doors, because hey they can be picked.

 Safe mode is not only imperfect it does not even work properly. In
 the last day and a half I've showed 5 bugs that allow it be bypassed,
 simply take a look at the latest safe_mode bugs.
   
Five, I only saw one. Regardless they can and should be fixed.
  
   Check again:
  
   Bug report #17168-69
   Bug report #17155-57
 
  All of those regarding safe mode are fixed now.
 
 Really, you don't say... bug reports #17168-69 are still open at the time of 
 this message being written. And when they are closed, don't worry I'll have a 
 few more posted tommorow for your enjoyment...
 
  It depends on why the lock is broken, you have been suggesting this
  whole time that safe mode is a DESIGN flaw. However, your reasoning is
  only BUILD flaws. I have yet to hear a single reason as to why the
  concept of extra uid, checks of files is a bad thing.
 
 It is not PHPs job as a scripting/programming language to do security. 
 security should/must be done at the OS and web server level. Checking uid is 
 STUPID, the simplest example, is that if you upload a php script and it 
 creates a file you can no longer read or write to that file even though you 
 have file permissions to do so. 
 File system permissions exist for a reason, use them.

how are you planning on protecting your passwd file then?

 If you have sensetive data, like credit card information and you are not using 
 a dedicated server to store that data then do be surprised to find your data 
 in someone elses hands. In a shared enviroment especially where 
 programming/scripting languages are avaliable it is merely a matter of time 
 before someone takes advantage of some security hole/oversight and grabs the 
 hold of your data.


So then you are agreeing : )

  There are problems here and you can be a bit more constructive, and send
  patches, offer new security techniques, report bugs. Exaggerating and
  cursing safe mode does nothing but waste time.


 I am clearly demonstrating the problem and if you actually payed attention 
 instead of trying to pretend this problem did not exist,

I am not, I am merely disagreeing that safe mode should be removed.  I
mean god man, if you hate safe mode so much turn it off. There are
options you know, but just because you don't like it does not mean that
everyone should not be able to use it.

 reporting bugs about 
 it. I'd gladly offer a patch that will get rid off safe_mode for the core php 
 tree if developers are willing to add it to the CVS :)

Or you could try something more useful, like fixing a bug in safe mode,
adding a new security feature, etc. etc. However, I suppose it is too
difficult to come up with a constructive solution.
 Safe mode wasteful and pointless this is no exageratio,n it makes development 
 in the safe enviroment pointlessly difficult and offers no real safety.
 
 Ilia
Hmm, but you just said that a shared webhosting enviroment, by nature,
has no real safety.

Pointlesly difficult.
then safe mode must be doing something





-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PATCH] Fix bundle compilation on Darwin for Apache2.0

[Marko Karppinen]

 This patch does two things that should only be Darwin specific:
 - Call apr-config and apu-config to determine the link information
 for the requisite libraries so that they can be self-contained.
 - Modifies the libphp4.bundle target to allow linking with libtool.
 Since ap{ru}-config *may* print out information requiring libtool
 to link (i.e. libexpat.la as a dependency), this makes more sense
 to me.

I have been quite happy to have finally got rid of libtool on our links,
however! I'd much prefer committing the rest of your patch and waiting for
the first bug report about libtool-specific dependencies.

The problem is that while linking with libtool might work with the
Apple-supplied glibtool, it doesn't with a fresh GNU 1.4.x one. This means
that running buildconf (with your other patch) would become mandatory on
Darwin, even for end users. Me not like.

Again, I throw the ball in your court -- it seems entirely possible to me to
get the *real* dependencies figured out when building ap{ru}-config.

--Marko


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php