Newsgroups: php.internals
Date: Sat, 16 Dec 2006 15:18:19 -0500
From: Ilia Alshanetsky <ilia@prohost.org>
To: Stanislav Malyshev
Cc: PHP internals <internals@lists.php.net>
Subject: Re: [PHP-DEV] Run-time taint support proposal
Message-ID: <6526D55D-DC87-40D4-8335-CCB0FA810646@prohost.org>
In-Reply-To: <45835ABE.5040909@zend.com>

On 15-Dec-06, at 9:32 PM, Stanislav Malyshev wrote:

>> It is not just the phpinfo() servers, it is very much a common
>> case I assure you.
>
> Well, people leaving such things in their servers should deal with
> it first, then get to talk about real security :)

You seem to be ignoring the argument and clinging to a false assumption that only people with open phpinfo()s have disable_errors enabled. I guarantee you that is not the case for the most part.

> No solution can help a person who deliberately configures his
> server wide open.

Accidentally leaving phpinfo() is wide open? I suppose if I were to demonstrate a vulnerability on zend.com it would imply Zend does not care about security?

> We are talking about people that _try_ to do it secure and we may
> help them.

You're not helping them, just making assumptions about how their code should work and making them adhere to them.

Ilia Alshanetsky