Newsgroups: php.internals
Date: Sun, 27 Oct 2013 18:24:54 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Joe Watkins
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] error_log binary unsafe

Hi Joe,

On Sun, Oct 27, 2013 at 4:40 PM, Joe Watkins wrote:

> On 10/27/2013 07:33 AM, Yasuo Ohgaki wrote:
>
>> On Sun, Oct 27, 2013 at 3:14 PM, Joe Watkins
>> wrote:
>>
>> The patch implements binsafe log for cli and cgi, do we need to implement
>>> any more ??
>>>
>>
>>
>> It's better to check & fix all SAPIs :)
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>> Indeed ...
>
> But the original question I asked was for approval on the approach ...
>
> I guess I got that ??
>
> I don't mind implementing other SAPI's at all, I was just wondering if the
> approach is satisfactory ...

I think the approach is OK. We should leave it to the receiver how special
characters are treated. Even if the receiver has a problem with null chars,
the result is merely a 'truncated message' in most cases.

However, I should mention that some database systems (e.g. Oracle) just
ignore the null char, and this enables SQL injection detection bypass
(i.e. application firewall bypass). Some databases would not accept a null
char as valid text and would refuse to store the data.

I would say this is not our issue, but it's a kind of BC issue.
There may be many developers against your patch. I would suggest creating an
RFC before starting work on other SAPIs.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
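
The 'truncated message' effect discussed in this message, as an added example that is not code from the thread, the patch, or PHP's SAPI sources: a log sink that treats the message as a C string stops at the first NUL, while a length-aware sink keeps every byte and escapes control bytes on the receiving side. The function names and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a log message with an embedded NUL byte. */
static const char SAMPLE[] = "login failed for bob\0 from 203.0.113.7";

/* Hypothetical sink that treats the message as a C string: strlen() stops
 * at the first NUL, so everything after it is silently dropped. */
static size_t sink_cstr(const char *msg, char *out, size_t cap)
{
    size_t n = strlen(msg);
    if (cap == 0) return 0;
    if (n >= cap) n = cap - 1;
    memcpy(out, msg, n);
    out[n] = '\0';
    return n;
}

/* Hypothetical length-aware sink: consumes up to `len` bytes and writes NUL,
 * other control bytes and backslash as \xNN so the record stays one
 * printable line. Returns bytes written, excluding the terminator. */
static size_t sink_binsafe(const char *msg, size_t len, char *out, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (c < 0x20 || c == 0x7f || c == '\\') {
            if (o + 4 >= cap) break;   /* no room for a whole escape */
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= cap) break;   /* keep room for the terminator */
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char a[128], b[128];
    sink_cstr(SAMPLE, a, sizeof a);
    sink_binsafe(SAMPLE, sizeof SAMPLE - 1, b, sizeof b);
    printf("cstr:    %s\nbinsafe: %s\n", a, b);
    return 0;
}
```
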