Newsgroups: php.internals
Message-ID: <31.DC.45352.99443564@pb1.pair.com>
To: internals@lists.php.net
Date: Tue, 22 May 2007 21:29:26 +0200
References: <465022BE.1020905@hardened-php.net> <46510370.4050409@lerdorf.com>
In-Reply-To: <46510370.4050409@lerdorf.com>
Subject: Re: [PHP-DEV] Dismantling the lies...
From: phpinternals@thunder-2000.com (Mathias Bank)

Rasmus Lerdorf wrote:
> Adding a check on every refcount increase is a bit
> scary for the performance folks. It may be that in most real-world cases
> this is an acceptable performance tradeoff. We have to balance the
> seriousness of the vulnerability against the performance cost of the
> fix.

Sorry, but I don't agree with you. You have to think about the people who are concerned about performance. Performance is relevant in big web applications. And I think that in such big applications security is one of the most important things.
I think no responsible person would decide to use PHP for a performance-critical application when he/she knows that there is a security leak. In this way, I'm sure that security is more important.

Mathias