Newsgroups: php.internals
From: stas@zend.com (Stanislav Malyshev)
Date: Sat, 19 May 2007 00:32:38 -0700
To: Stefan Esser
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off

> At the moment they are very predictable. You send them a security bug
> and first they try to tell you that you are totally wrong (because
> you made a

I wonder if you are actually aware of the fact that there's no such single entity as "PHP developers" and each of them is an entirely different living human? And these humans sometimes are in disagreement and some of them are wrong? And then the thing called "discussion" happens and it's not always about conspiring against certain security researchers? There's no "them". Try to think about it for a minute.

> They will do something else to prove that they "outsmarted" you.

Yeah, I wonder also if you are aware of the fact that not everybody is concerned with the question of who outsmarts whom here but some are actually more concerned about fixing actual problems?

> guess what their fix is of course not a solution and as usual fixes
> just one of the symptoms.

If you are aware of some security problems in current PHP sources you are as always welcome to report them and they will be fixed. I think everybody here is, as always, thankful for any help we can get.

--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/