Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29603 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 86709 invoked by uid 1010); 21 May 2007 07:10:48 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 86686 invoked from network); 21 May 2007 07:10:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 May 2007 07:10:46 -0000 Authentication-Results: pb1.pair.com smtp.mail=sesser@hardened-php.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=sesser@hardened-php.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain hardened-php.net from 81.169.159.221 cause and error) X-PHP-List-Original-Sender: sesser@hardened-php.net X-Host-Fingerprint: 81.169.159.221 hardened-php.net Linux 2.4/2.6 Received: from [81.169.159.221] ([81.169.159.221:46510] helo=mail.hardened-php.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A1/00-20243-2C541564 for ; Mon, 21 May 2007 03:09:58 -0400 Received: from [192.168.1.77] (p5B006C97.dip.t-dialin.net [91.0.108.151]) by mail.hardened-php.net (Postfix) with ESMTP id 527351202B3; Mon, 21 May 2007 07:43:52 +0200 (CEST) Message-ID: <4651454B.4080000@hardened-php.net> Date: Mon, 21 May 2007 09:07:55 +0200 User-Agent: Thunderbird 2.0.0.0 (Windows/20070326) MIME-Version: 1.0 To: Stanislav Malyshev Cc: David , internals@lists.php.net References: <465022BE.1020905@hardened-php.net> <7d5a202f0705201415s71982fd2jb61b8bffbb7ba6de@mail.gmail.com> <46513546.5000303@zend.com> <7d5a202f0705202303s2ff4d0cdg1157c1e245c3c2e4@mail.gmail.com> <46513745.7030701@zend.com> <000001c79b71$543e0970$fcba1c50$@com> <46513E93.5000902@hardened-php.net> <465140BE.8050502@zend.com> In-Reply-To: <465140BE.8050502@zend.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Dismantling the lies... From: sesser@hardened-php.net (Stefan Esser) Stanislav Malyshev schrieb: >> I am fully aware that it can be made faster. But a slow solution is >> better than no solution at all. > > Actually in many situations it isn't. Since as far as I can see the > problem can lead to real harm only in rather limited set of > situations, making the engine always considerably slower just to fix > it does not seem a very good solution to me. Well yes. I think to solve this "once and for all" a public statement by the PHP group would be nice that says: We think that local vulnerabilities that allow people who managed to execute PHP code on the server through a PHP script vulnerability or those on shared hosting to launch further attacks, like stealing data from apache memory or takeover the webserver socket (when mod_php is used) or to launch direct kernel exploits (which would not be possible if PHP would be secure), or a bunch of other attacks that are not possible from PHP code, are not important. We therefore won't fix them. This statement would be honest and would be a good warning sign for people to choose another language. Stefan Esser