Newsgroups: php.internals
Xref: news.php.net php.internals:27052
Message-ID: <7FD783B9-68A7-4EC7-B6C3-8DBC44A51597@prohost.org>
In-Reply-To: <45846491.6020101@zend.com>
References: <20061215201448.B16D8BC1AB@spike.porcupine.org> <7AE00699-23C2-4759-A50C-3D94199DA85A@prohost.org> <45831090.1000704@zend.com> <18A7CF93-7BFD-4764-847D-6C107A62875E@prohost.org> <45831A87.6050301@zend.com> <45832B9B.2080109@zend.com> <8BC86061-CCC5-45C3-8C40-92B06ADBB117@prohost.org> <45832F71.2080503@zend.com> <7C8CB695-3E81-4009-9699-2499DBF7B366@prohost.org> <4583375C.5060302@zend.com> <2F093E93-7021-4C0F-A391-A99CBF080596@prohost.org> <45833C93.4020909@zend.com> <87774C2D-1959-459A-B892-F2F6F6A5C676@prohost.org> <45835ABE.5040909@zend.com> <6526D55D-DC87-40D4-8335-CCB0FA810646@prohost.org> <45846491.6020101@zend.com>
Date: Sat, 16 Dec 2006 16:40:01 -0500
From: Ilia Alshanetsky <ilia@prohost.org>
To: Stanislav Malyshev
Cc: PHP internals
Subject: Re: [PHP-DEV] Run-time taint support proposal

On 16-Dec-06, at 4:26 PM, Stanislav Malyshev wrote:

> If you know of a vulnerability on zend.com, please write to
> webmaster@zend.com, that would be the only responsible course of
> action. However, I do not see how having vulnerabilities implies not
> caring for security.

That's my point (and for the record, previous exploits in the Zend site were reported several times): just because a mistake was made does not mean you don't care about security. The same logic must apply to phpinfo(); someone created it for debugging and forgot to remove it, and the search engine stumbled across it. It happens.

>> You're not helping them, just making assumptions about how their
>> code should work and making them adhere to them.
>
> Yes, and this is helping. Every language does that. Saying "you
> can't make 100% work exactly as I wanted without any effort, so the
> entire thing isn't even worth discussing" is a road to nowhere.
> There's a lot of places it would be helpful, and there's a lot of
> places it won't - and that's ok.

I am saying that you should not try to outsmart the developer because you assume you know best.

Ilia Alshanetsky