Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:31377 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 39482 invoked by uid 1010); 2 Aug 2007 14:08:28 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 39466 invoked from network); 2 Aug 2007 14:08:28 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Aug 2007 14:08:28 -0000 Authentication-Results: pb1.pair.com smtp.mail=jani.taskinen@sci.fi; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=jani.taskinen@sci.fi; sender-id=unknown Received-SPF: error (pb1.pair.com: domain sci.fi from 63.208.196.171 cause and error) X-PHP-List-Original-Sender: jani.taskinen@sci.fi X-Host-Fingerprint: 63.208.196.171 outbound.mailhop.org FreeBSD 4.6-4.9 Received: from [63.208.196.171] ([63.208.196.171:1155] helo=outbound.mailhop.org) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C3/43-08975-855E1B64 for ; Thu, 02 Aug 2007 10:08:26 -0400 Received: from [81.22.163.71] (helo=[10.6.109.103]) by outbound.mailhop.org with esmtpsa (SSLv3:RC4-MD5:128) (Exim 4.63) (envelope-from ) id 1IGbLf-000MBS-TJ; Thu, 02 Aug 2007 10:08:21 -0400 X-MHO-User: U2FsdGVkX1+EPf/myQYIOuRRmEieZw1aHRW/iVLYaCo= X-MHO-User: U2FsdGVkX1+wBaO0/OEVuJGByBD9CNJgGgh+abWq5A0= X-Mail-Handler: MailHop Outbound by DynDNS X-Originating-IP: 81.22.163.71 X-Report-Abuse-To: abuse@dyndns.com (see http://www.mailhop.org/outbound/abuse.html for abuse reporting information) X-MHO-User: U2FsdGVkX19YqCfCp0Y73D1X3dB0o3uzE7vJ15MxkEg= Reply-To: jani.taskinen@iki.fi To: Marcus Boerger Cc: Ilia Alshanetsky , PHP Internals In-Reply-To: <646722839.20070802152710@marcus-boerger.de> References: <46B129BE.3050807@zend.com> <403752205.20070802134118@marcus-boerger.de> <79496594-20B5-40C4-AC22-1F3DE99BA695@prohost.org> <646722839.20070802152710@marcus-boerger.de> Content-Type: text/plain Date: Thu, 02 Aug 2007 17:08:18 +0300 Message-ID: <1186063698.3348.2.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.8.3 (2.8.3-2.fc6) Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] ini system patch From: jani.taskinen@sci.fi (Jani Taskinen) I have the new php.ini scanner/parser cooking up (99% done) and some new features in the ini file handling in general (1% done). So we need to get 5.2.4 out the door and close PHP_5_2 (only security fixes!). Then start PHP_5_3. Right? :) --Jani On Thu, 2007-08-02 at 15:27 +0200, Marcus Boerger wrote: > Hello Ilia, > > i'd suggest so. From my perspective 5.2 is pretty stable, tested and > secure now. But more and more people want more and more stuff into 5.*. > So i think we should change into a strict RM approval equired security > fixes only mode for 5.2 and start on 5.3. Also i think we should give > that at least three month for adding new stuff. Major things i'd like > to see would be namespaces and adding pecl packages icu (or whatever > the name is) plus phar. Well we have the todo on lukas' site. > > marcus > > Thursday, August 2, 2007, 2:15:13 PM, you wrote: > > > Marcus, > > > Well, do you propose we leave the issue be until 5.3? > > > > On 2-Aug-07, at 7:41 AM, Marcus Boerger wrote: > > >> Hello Ilia, > >> > >> as much as i agree with ading the stage it is a BC issue! > >> > >> Thursday, August 2, 2007, 3:26:00 AM, you wrote: > >> > >>> Stas, > >> > >>> It looks like the best solution in this case. I don't like the idea > >>> of introducing another INI stage in minor release, but I can't think > >>> of a better way to address this issue at this time and I cannot > >>> imagine it breaking much stuff. > >> > >>> On 1-Aug-07, at 8:47 PM, Stanislav Malyshev wrote: > >> > >>>> Hi! > >>>> > >>>> The attached patch implements the following improvement in Apache > >>>> module configuration handling: > >>>> > >>>> New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values > >>>> set in .htaccess are passed to handlers with > >>>> ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE. > >>>> > >>>> The reason for this is that there are values - one of them being > >>>> session.save_handler - that we want to allow administrator to set > >>>> to arbitrary values, even not inside open_basedir/safe_mode > >>>> restrictions, while we do want user-set values to be inside limits. > >>>> The problem was that right now there's no way to see if the value > >>>> is set from httpd.conf (admin) or from .htaccess (frequently user- > >>>> accessible and user-writable). This patch enables to make such > >>>> distinction. > >>>> I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE but if > >>>> there would be they can easily be fixed to work with > >>>> ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 SAPI > >>>> only, but same one would be needed for apache1 API. > >>>> > >>>> This patch will allow proper fix for CVE-2007-3378 (current one > >>>> breaks BC). > >>>> > >>>> Comments/objections? > >>>> -- > >>>> Stanislav Malyshev, Zend Software Architect > >>>> stas@zend.com http://www.zend.com/ > >>>> (408)253-8829 MSN: stas@zend.com > >>>> Index: Zend/zend_ini.h > >>>> =================================================================== > >>>> RCS file: /repository/ZendEngine2/zend_ini.h,v > >>>> retrieving revision 1.34.2.1.2.3 > >>>> diff -u -r1.34.2.1.2.3 zend_ini.h > >>>> --- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3 > >>>> +++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000 > >>>> @@ -189,6 +189,7 @@ > >>>> #define ZEND_INI_STAGE_ACTIVATE (1<<2) > >>>> #define ZEND_INI_STAGE_DEACTIVATE (1<<3) > >>>> #define ZEND_INI_STAGE_RUNTIME (1<<4) > >>>> +#define ZEND_INI_STAGE_HTACCESS (1<<5) > >>>> > >>>> /* INI parsing engine */ > >>>> typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int > >>>> callback_type, void *arg); > >>>> Index: sapi/apache2handler/apache_config.c > >>>> =================================================================== > >>>> RCS file: /repository/php-src/sapi/apache2handler/apache_config.c,v > >>>> retrieving revision 1.7.2.1.2.2 > >>>> diff -u -r1.7.2.1.2.2 apache_config.c > >>>> --- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12 > >>>> -0000 > >>>> 1.7.2.1.2.2 > >>>> +++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52 > >>>> -0000 > >>>> @@ -51,6 +51,7 @@ > >>>> char *value; > >>>> size_t value_len; > >>>> char status; > >>>> + char htaccess; > >>>> } php_dir_entry; > >>>> > >>>> static const char *real_value_hnd(cmd_parms *cmd, void *dummy, > >>>> const char *name, const char *value, int status) > >>>> @@ -67,7 +68,8 @@ > >>>> e.value = apr_pstrdup(cmd->pool, value); > >>>> e.value_len = strlen(value); > >>>> e.status = status; > >>>> - > >>>> + e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0); > >>>> + > >>>> zend_hash_update(&d->config, (char *) name, strlen(name) + > >>>> 1, &e, > >>>> sizeof(e), NULL); > >>>> return NULL; > >>>> } > >>>> @@ -170,7 +172,7 @@ > >>>> zend_hash_move_forward(&d->config)) { > >>>> zend_hash_get_current_data(&d->config, (void **) > >>>> &data); > >>>> phpapdebug((stderr, "APPLYING (%s)(%s)\n", str, > >>>> data->value)); > >>>> - if (zend_alter_ini_entry(str, str_len, data->value, > >>>> data- > >>>>> value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) { > >>>> + if (zend_alter_ini_entry(str, str_len, data->value, > >>>> data- > >>>>> value_len, data->status, data->htaccess? > >>>> ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) { > >>>> phpapdebug((stderr, "..FAILED\n")); > >>>> } > >>>> } > >>>> > >>>> -- > >>>> PHP Internals - PHP Runtime Development Mailing List > >>>> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >>> Ilia Alshanetsky > >> > >> > >> > >> > >> Best regards, > >> Marcus > >> > > > Ilia Alshanetsky > > > > > Best regards, > Marcus >