Newsgroups: php.internals
Message-ID: <17091.14171.54948.306165@desk.crynwr.com>
Date: Wed, 29 Jun 2005 20:05:47 -0400
To: internals@lists.php.net
In-Reply-To: <42C322E1.1010608@lerdorf.com>
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: nelson@crynwr.com (Russell Nelson)

Rasmus Lerdorf writes:
> Forget your Google searches and go look at actual vulnerability reports
> for the last 3 months.

Vulnerability reports are not a reasonable statistical sample. They aren't random. Also, people who report vulnerabilities are likely to stop reporting them if the maintainers of the software make it clear that the vulnerability won't get fixed. Why waste your time reporting an 'include' break-in? After all, it's not a vulnerability -- many people have told me that already.

For example, I didn't report the two include vulnerabilities I found. Why should I? What problem would be solved by me reporting a security flaw that I ought to have known about beforehand?

Google, on the other hand, tries to give you the most appropriate page when you search for something.
-- 
--My blog is at blog.russnelson.com             | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.