Newsgroups: php.internals
Message-ID: <4E9B61EC.3090604@sugarcrm.com>
Date: Sun, 16 Oct 2011 15:59:56 -0700
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Pierre Joye
CC: Rasmus Lerdorf, Alan Knowles, internals@lists.php.net
References: <4E969596.4090704@akbkhome.com> <4E970257.2010906@sugarcrm.com> <4E977A4B.4020609@akbkhome.com> <4E977D07.4010503@lerdorf.com> <4E9A1E93.6050804@sugarcrm.com> <4E9B2D02.2080206@sugarcrm.com>
Subject: Re: [PHP-DEV] is_a fix for 5.4 and HEAD

Hi!

On 10/16/11 2:14 PM, Pierre Joye wrote:
> We have discussed that already on security, I barely see a reason to
> begin this discussion again. There is a clear possible security
> problem, clearly identified and not present before this "fix" was
> applied. It is easy to fix and does not make PHP worse or better than
> what it is now but only ensures that there is no BC, or new security
> issues.

Yes, the security problem was present before the fix was applied, and we discussed it on security, where I repeatedly pointed out that this code has a security hole regardless of any changes in PHP; the change only adds one scenario where it can be exploited, but there are many others. It definitely makes PHP worse by propagating inconsistent APIs.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227