[Solar-talk] solar requirements
Paul M Jones
pmjones at ciaweb.net
Mon Mar 12 12:28:46 PDT 2007
On Mar 12, 2007, at 2:27 PM, Paul M Jones wrote:
>
> On Mar 12, 2007, at 1:50 PM, Clay Loveless wrote:
>
>>
>> On Mar 12, 2007, at 11:40 AM, Paul M Jones wrote:
>>
>>> Right now, the only "hard" requirement on 5.2 is DataFilter, and even
>>> that is only because it uses ext/filter for some (not all) of its
>>> internals. I'd be very happy to see code that emulates the ext/filter
>>> behavior for those particular internal portions, which would
>>> make only 5.1.x the requirement.
>>
>> ... especially given the latest press that ext/filter is getting over
>> at MOPB.
>>
>> http://www.php-security.org/
>>
>> Last 3 bugs have been ext/filter related.
>
> This one looks pretty severe:
>
> <http://www.php-security.org/MOPB/MOPB-19-2007.html>
>
> Makes me wonder how safe it is to use *anything* from Filter, if they
> have whitespace-trimming problems.
Hm, a quick followup from the article:
> Notes
>
> This remote vulnerability in PHP's new "security" feature was fixed
> with the PHP 5.2.1 update, after we disclosed it to the vendor.
>
> As usual the vendor more or less hides this serious security
> vulnerability from PHP users by only mentioning it as "Fixed a
> number of input processing bugs inside the filter extension." in
> the release notes. We strongly believe that a responsible vendor
> must act in a different way.
So it's fixed in a recent release.
--
Paul M. Jones <http://paul-m-jones.com>
Solar: Simple Object Library and Application Repository
for PHP5. <http://solarphp.com>
Join the Solar community wiki! <http://solarphp.org>
Savant: The simple, elegant, and powerful solution for
templates in PHP. <http://phpsavant.com>