Newsgroups: php.internals
Message-ID: <464EA287.5020605@hardened-php.net>
Date: Sat, 19 May 2007 09:08:55 +0200
From: sesser@hardened-php.net (Stefan Esser)
To: Stanislav Malyshev
Cc: Cristian Rodriguez, internals@lists.php.net
References: <464DCB8C.90803@chiaraquartet.net> <7d5a202f0705181813l221248cdu85197a82a1ee4227@mail.gmail.com> <464E5856.5000901@zend.com>
In-Reply-To: <464E5856.5000901@zend.com>
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off

Christian, I
suggest that you simply stop arguing with PHP developers about security issues. The problem is that they don't understand them. They are too arrogant. They actually believe they know everything better. In such a situation there is only one healing: stop giving them tips and let them run against walls again and again.

With the last X releases and the repeatedly introduced BC breaks and additional security bugs, they have already pissed off many of their users.

At the moment they are very predictable. You send them a security bug and first they try to tell you that you are totally wrong (because you made a mistake by sending them a non-working example). Then you recommend a way to fix it. But don't expect that they are fixing it the way you tell them... They will do something else to prove that they "outsmarted" you. Yeah, guess what: their fix is of course not a solution and, as usual, fixes just one of the symptoms.

Stefan Esser