Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:31376
Return-Path: <helly@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 28694 invoked by uid 1010); 2 Aug 2007 13:27:16 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 28679 invoked from network); 2 Aug 2007 13:27:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Aug 2007 13:27:16 -0000
Authentication-Results: pb1.pair.com smtp.mail=helly@php.net; spf=unknown; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=helly@php.net; sender-id=unknown
Received-SPF: unknown (pb1.pair.com: domain php.net does not designate 85.214.94.56 as permitted sender)
X-PHP-List-Original-Sender: helly@php.net
X-Host-Fingerprint: 85.214.94.56 aixcept.net Linux 2.6
Received: from [85.214.94.56] ([85.214.94.56:53176] helo=h1149922.serverkompetenz.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AE/32-08975-1BBD1B64 for <internals@lists.php.net>; Thu, 02 Aug 2007 09:27:14 -0400
Received: from dhcp-172-30-11-223.zrh.corp.google.com (unknown [216.239.55.7])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by h1149922.serverkompetenz.net (Postfix) with ESMTP id D39BE1B3524;
	Thu,  2 Aug 2007 15:27:10 +0200 (CEST)
Date: Thu, 2 Aug 2007 15:27:10 +0200
Reply-To: Marcus Boerger <helly@php.net>
X-Priority: 3 (Normal)
Message-ID: <646722839.20070802152710@marcus-boerger.de>
To: Ilia Alshanetsky <ilia@prohost.org>
CC: Marcus Boerger <helly@php.net>, PHP Internals <internals@lists.php.net>
In-Reply-To: <79496594-20B5-40C4-AC22-1F3DE99BA695@prohost.org>
References: <46B129BE.3050807@zend.com> <DAEB7BF7-6892-4823-9B5C-CCEDE4532462@prohost.org> <403752205.20070802134118@marcus-boerger.de> <79496594-20B5-40C4-AC22-1F3DE99BA695@prohost.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] ini system patch
From: helly@php.net (Marcus Boerger)

Hello Ilia,

  i'd suggest so. From my perspective 5.2 is pretty stable, tested and
secure now. But more and more people want more and more stuff into 5.*.
So i think we should change into a strict RM approval equired security
fixes only mode for 5.2 and start on 5.3. Also i think we should give
that at least three month for adding new stuff. Major things i'd like
to see would be namespaces and adding pecl packages icu (or whatever
the name is) plus phar. Well we have the todo on lukas' site.

marcus

Thursday, August 2, 2007, 2:15:13 PM, you wrote:

> Marcus,

> Well, do you propose we leave the issue be until 5.3?


> On 2-Aug-07, at 7:41 AM, Marcus Boerger wrote:

>> Hello Ilia,
>>
>>   as much as i agree with ading the stage it is a BC issue!
>>
>> Thursday, August 2, 2007, 3:26:00 AM, you wrote:
>>
>>> Stas,
>>
>>> It looks like the best solution in this case. I don't like the idea
>>> of introducing another INI stage in minor release, but I can't think
>>> of a better way to address this issue at this time and I cannot
>>> imagine it breaking much stuff.
>>
>>> On 1-Aug-07, at 8:47 PM, Stanislav Malyshev wrote:
>>
>>>> Hi!
>>>>
>>>> The attached patch implements the following improvement in Apache
>>>> module configuration handling:
>>>>
>>>> New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values
>>>> set in .htaccess are passed to handlers with
>>>> ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.
>>>>
>>>> The reason for this is that there are values - one of them being
>>>> session.save_handler - that we want to allow administrator to set
>>>> to arbitrary values, even not inside open_basedir/safe_mode
>>>> restrictions, while we do want user-set values to be inside limits.
>>>> The problem was that right now there's no way to see if the value
>>>> is set from httpd.conf (admin) or from .htaccess (frequently user-
>>>> accessible and user-writable). This patch enables to make such
>>>> distinction.
>>>> I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE but if
>>>> there would be they can easily be fixed to work with
>>>> ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 SAPI
>>>> only, but same one would be needed for apache1 API.
>>>>
>>>> This patch will allow proper fix for CVE-2007-3378 (current one
>>>> breaks BC).
>>>>
>>>> Comments/objections?
>>>> --  
>>>> Stanislav Malyshev, Zend Software Architect
>>>> stas@zend.com   http://www.zend.com/
>>>> (408)253-8829   MSN: stas@zend.com
>>>> Index: Zend/zend_ini.h
>>>> ===================================================================
>>>> RCS file: /repository/ZendEngine2/zend_ini.h,v
>>>> retrieving revision 1.34.2.1.2.3
>>>> diff -u -r1.34.2.1.2.3 zend_ini.h
>>>> --- Zend/zend_ini.h   1 Jan 2007 09:35:46 -0000       1.34.2.1.2.3
>>>> +++ Zend/zend_ini.h   2 Aug 2007 00:40:52 -0000
>>>> @@ -189,6 +189,7 @@
>>>>  #define ZEND_INI_STAGE_ACTIVATE              (1<<2)
>>>>  #define ZEND_INI_STAGE_DEACTIVATE    (1<<3)
>>>>  #define ZEND_INI_STAGE_RUNTIME               (1<<4)
>>>> +#define ZEND_INI_STAGE_HTACCESS              (1<<5)
>>>>
>>>>  /* INI parsing engine */
>>>>  typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int
>>>> callback_type, void *arg);
>>>> Index: sapi/apache2handler/apache_config.c
>>>> ===================================================================
>>>> RCS file: /repository/php-src/sapi/apache2handler/apache_config.c,v
>>>> retrieving revision 1.7.2.1.2.2
>>>> diff -u -r1.7.2.1.2.2 apache_config.c
>>>> --- sapi/apache2handler/apache_config.c       1 Jan 2007 09:36:12  
>>>> -0000
>>>> 1.7.2.1.2.2
>>>> +++ sapi/apache2handler/apache_config.c       2 Aug 2007 00:40:52  
>>>> -0000
>>>> @@ -51,6 +51,7 @@
>>>>       char *value;
>>>>       size_t value_len;
>>>>       char status;
>>>> +    char htaccess;
>>>>  } php_dir_entry;
>>>>
>>>>  static const char *real_value_hnd(cmd_parms *cmd, void *dummy,
>>>> const char *name, const char *value, int status)
>>>> @@ -67,7 +68,8 @@
>>>>       e.value = apr_pstrdup(cmd->pool, value);
>>>>       e.value_len = strlen(value);
>>>>       e.status = status;
>>>> -
>>>> +     e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0);
>>>> +
>>>>       zend_hash_update(&d->config, (char *) name, strlen(name) +  
>>>> 1, &e,
>>>> sizeof(e), NULL);
>>>>       return NULL;
>>>>  }
>>>> @@ -170,7 +172,7 @@
>>>>                       zend_hash_move_forward(&d->config)) {
>>>>               zend_hash_get_current_data(&d->config, (void **)  
>>>> &data);
>>>>               phpapdebug((stderr, "APPLYING (%s)(%s)\n", str,  
>>>> data->value));
>>>> -             if (zend_alter_ini_entry(str, str_len, data->value,  
>>>> data-
>>>>> value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) {
>>>> +             if (zend_alter_ini_entry(str, str_len, data->value,  
>>>> data-
>>>>> value_len, data->status, data->htaccess?
>>>> ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) {
>>>>                       phpapdebug((stderr, "..FAILED\n"));
>>>>               }
>>>>       }
>>>>
>>>> -- 
>>>> PHP Internals - PHP Runtime Development Mailing List
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>> Ilia Alshanetsky
>>
>>
>>
>>
>> Best regards,
>>  Marcus
>>

> Ilia Alshanetsky




Best regards,
 Marcus