Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_a fix for 5.4 and HEAD
From: pierre.php@gmail.com (Pierre Joye)
To: Stas Malyshev
Cc: Rasmus Lerdorf, Alan Knowles, internals@lists.php.net
Date: Sun, 16 Oct 2011 12:39:15 +0200
In-Reply-To: <4E9A1E93.6050804@sugarcrm.com>

On Sun, Oct 16, 2011 at 2:00 AM, Stas Malyshev wrote:
> Hi!
>
> On 10/13/11 5:06 PM, Rasmus Lerdorf wrote:
>>
>> I agree that it is slightly messy, but we have painted ourselves into a
>> bit of a corner with the 5.3 mess. Stas, the whole point here is that
>> changing the is_a() default in 5.3 caused huge problems, including
>> security ones, so setting allow_string to false by default fixes that BC
>
> I've read complaints about it potentially causing security problems, but is
> there code out there that was OK before and has a security problem with this
> change? I mean, a real-life app?

There was example code in previous discussions, here and on security. The document used for the CVE assignment has some as well.

http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
https://bugs.php.net/bug.php?id=55475
https://bugzilla.redhat.com/show_bug.cgi?id=741020

Now whether this exact use case is used in a real-life app, nobody can say, but it really does not matter (or one can dig codesearch & co to find some).

> I'm thinking maybe we should have these options - but maybe have both
> defaults set to true? This way if you have buggy code and you absolutely
> refuse to move to proper code you can easily fix it by putting false where
> needed, but at least our API is not broken anymore.

It is not correct. If some code, for whatever reason, was working fine until now, then there is no reason one has to change it to make it work again, or even worse in this case, to make it safe again.

And yes, I agree that this kind of code is ugly and should not have been written that way, but we cannot do anything but be sure that we don't make this code even worse.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
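An added illustration of the behaviour the thread is arguing about (this is not code from the thread or from PHP itself). It assumes PHP 5.3.9 or later, where is_a() carries the allow_string parameter the fix introduces, and uses a recording autoloader to show which calls hand their first argument to autoloading; the class names and the autoloader are constructed for the example.

```php
<?php
// Added illustration, not code from this thread. Assumes PHP 5.3.9 or later,
// where is_a() takes the third parameter $allow_string (default false).

class Base {}
class Child extends Base {}

// A recording autoloader: it only notes which class names reach autoloading.
// In a real application this is where a loader turns the name into a file
// path and includes it, so a user-supplied string arriving here is the
// problem the 5.3.7/5.3.8 behaviour created.
$autoloaded = array();
spl_autoload_register(function ($class) use (&$autoloaded) {
    $autoloaded[] = $class;
});

$obj = new Child();

// Object as first argument: is_a() behaves as it did before 5.3.7.
var_dump(is_a($obj, 'Base'));

// String as first argument with the 5.3.9+ default (allow_string = false):
// the value is not treated as a class name, the autoloader is not called,
// and $autoloaded stays empty.
var_dump(is_a('NoSuchClass', 'Base'));
var_dump($autoloaded);

// Same string with allow_string = true: the value is now looked up as a
// class, so autoloading runs with whatever the string contains and
// $autoloaded records the name.
var_dump(is_a('NoSuchClass', 'Base', true));
var_dump($autoloaded);

// Opting in is appropriate only for values the code itself controls,
// such as a literal class name.
var_dump(is_a('Child', 'Base', true));
```

Run it once with allow_string left at its default and once with true to see that only the opt-in form pushes the string into the autoloader.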