Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters
From: ceo@l-i-e.com ("Richard Lynch")
To: "Rasmus Lerdorf"
Cc: "Peter Brodersen", "PHP internals"
Date: Wed, 25 Oct 2006 17:21:01 -0500 (CDT)
Message-ID: <42719.208.195.234.246.1161814861.squirrel@www.l-i-e.com>
In-Reply-To: <453D4FC1.5010104@lerdorf.com>
References: <453C81F8.7080606@hardened-php.net> <453CFE17.5020809@lerdorf.com> <9hiqj2dupeap8a98pfisf637joqhobd8jq@4ax.com> <453D4FC1.5010104@lerdorf.com>

On Mon, October 23, 2006 6:26 pm, Rasmus Lerdorf wrote:
> Peter Brodersen wrote:
>> On Mon, 23 Oct 2006 10:38:31 -0700, in php.internals
>> rasmus@lerdorf.com (Rasmus Lerdorf) wrote:
>>
>>> I had left out SERVER filtering in the initial version for much the
>>> same reasoning, but it turns out that a good chunk of holes were due to
>>> the fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying
>>> to teach people which SERVER vars are safe and which aren't isn't a
>>> fun task and the whole point of the filter extension is to take away
>>> the guessing game.
>>
>> More well-known, the same goes for the HTTP headers populated in
>> _SERVER as well, even though some might be less obvious than others.
>>
>> HTTP_HOST could be tainted as well in some cases where a DNS entry
>> and ServerAlias of *.example.com exists.
>
> Actually, by using the Flash hack, you don't need wildcard DNS to
> exploit that one. As anybody who has seen my ranting lately can
> attest to, name-based virtual hosting is completely broken until we
> get everyone onto Flash9.

Haven't read the rant (yet) but, errrr, have they released Flash
anything in this millennium for Linux?...

Cuz it seems like I never can manage to get to download anything
higher than Flash Player 6 for my Linux box desktop at home.

Which is ancient hardware/OS, so maybe that's the issue...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
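The two server variables the quoted discussion names, $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_HOST'], handled the way the thread argues they should be: as untrusted request input. This is an added example, not code from this message or from PHP's filter extension; the host allowlist, the helper names and the sample request are constructed for illustration.

```php
<?php
// Added example (not from the thread). Both values below come from the
// client: HTTP_HOST is the Host header, REQUEST_URI is the request line.

// Hosts this application is willing to answer as (constructed values).
// Comparing against a fixed list closes the wildcard-DNS / ServerAlias
// case from the thread: the client picks the Host header, not this list.
$allowedHosts = array('www.example.com', 'example.com');

// Returns the canonical host name, or null if the Host header is not one
// we serve. Hypothetical helper name.
function canonicalHost(array $server, array $allowed) {
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    return in_array($host, $allowed, true) ? $host : null;
}

// Returns REQUEST_URI with HTML-significant characters entity-encoded, so it
// can be echoed into markup. FILTER_SANITIZE_SPECIAL_CHARS is the filter
// extension's way of doing what htmlspecialchars() does. Hypothetical name.
function safeRequestUri(array $server) {
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return filter_var($uri, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Constructed sample request: a Host we do not serve, markup in the path.
$sample = array(
    'HTTP_HOST'   => 'other.example.org:8080',
    'REQUEST_URI' => '/page?name=<b>x</b>"',
);

$host = canonicalHost($sample, $allowedHosts);
if ($host === null) {
    header('HTTP/1.1 400 Bad Request');
    echo "Unknown host\n";   // never build absolute links from an unknown Host
} else {
    // The unfiltered pattern the thread warns about, shown for contrast:
    //   echo '<a href="' . $_SERVER['REQUEST_URI'] . '">';
    echo '<a href="' . safeRequestUri($sample) . '">self link</a>' . "\n";
}
```

Swap `$sample` for `$_SERVER` to use it in a real request; the allowlist check should run before any output, including redirects built from the host.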