Newsgroups: php.internals
Message-ID: <473B070F.4090209@coresecurity.com>
Date: Wed, 14 Nov 2007 11:32:47 -0300
Organization: Core Security Technologies
From: egutesman@coresecurity.com (Ezequiel Gutesman)
To: PHP Internals, grasp-discussion@coresecurity.com, grasp-users@coresecurity.com
Subject: CORE GRASP Release update

Hi all,

We have just released an update for CORE GRASP (version 3).
In this version, we enhanced mark propagation by implementing marks inside pcre module and provided a first step into cross-site scripting prevention, which will be the focus of our next release. We also fixed some bugs. We appreciate the contributions that were made so far.

CHANGELOG
---------

* Secmark propagation for all regular expressions in pcre module, including new regression tests.
* New 'S' placeholder for zend_parse_parameters(), which includes the strings' secmark as a result. This may be useful for module developers wishing to propagate secmarks through their code.
* Secmark propagation for htmlentities() & htmlspecialchars(). This is a requirement for XSS prevention.
* Bugfix in two mysql regression tests, which involved hardcoded paths to the logfile.
* Bugfix in smart_str_appendl, involving FULL+FULL or NONE+NONE appends being allocated as mixed.

All documents have been updated and can be downloaded from:
http://grasp.coresecurity.com/index.php?m=doc

CORE GRASP distributions can be downloaded from:
http://grasp.coresecurity.com/index.php?m=dld

Again, we invite you to contribute with proposals, discussions and comments. Feel free to write in this mailing list and share your thoughts.

Regards,
The CORE GRASP team.
http://grasp.coresecurity.com