Newsgroups: php.internals
Subject: Re: [PHP-DEV] error_log binary unsafe
From: krakjoe@php.net (Joe Watkins)
To: internals@lists.php.net, Yasuo Ohgaki
Date: Sun, 27 Oct 2013 09:53:38 +0000
Message-ID: <526CE2A2.9050408@php.net>
References: <3E.D7.40084.12BBA625@pb1.pair.com> <526B554F.1020606@pthreads.org> <526CAF56.70908@pthreads.org> <526CC37D.9020505@php.net>

On 10/27/2013 09:24 AM, Yasuo Ohgaki wrote:
> Hi Joe,
>
> On Sun, Oct 27, 2013 at 4:40 PM, Joe Watkins wrote:
>
>> On 10/27/2013 07:33 AM, Yasuo Ohgaki wrote:
>>
>>> On Sun, Oct 27, 2013 at 3:14 PM, Joe Watkins wrote:
>>>
>>>> The patch implements a binsafe log for cli and cgi; do we need to
>>>> implement any more ??
>>>
>>> It's better to check & fix all SAPIs :)
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>>> yohgaki@ohgaki.net
>>
>> Indeed ...
>>
>> But the original question I asked was for approval on the approach ...
>>
>> I guess I got that ??
>>
>> I don't mind implementing the other SAPIs at all, I was just wondering
>> if the approach is satisfactory ...
>
> I think the approach is ok.
>
> We should leave it to the receiver how the special characters are
> treated. Even if the receiver has a problem with null chars, the result
> is merely a 'truncated message' in most cases.
>
> However, I should mention that some database systems (e.g. Oracle) just
> ignore the null char, and that enables SQL injection detection bypass
> (i.e. application firewall bypass). Some databases would not accept a
> null char as valid text and refuse to store the data. I would say this
> is not our issue, but it's a kind of BC issue.
>
> There may be many developers against your patch. I would suggest
> creating an RFC before starting work on the other SAPIs.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

I don't see that it needs an RFC for the SAPI to have a means of logging
binary-safe data.

The implementations for FPM and Apache2 are things that might require an
RFC, but I don't see that the basic CLI and CGI SAPIs do.

So it might be best to merge as it is, with cli and cgi implemented for
reference, and then if someone wants to do the Apache2 and FPM
implementations they can, along with an RFC for them.

Cheers
Joe
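The defect the thread is about, and the "leave it to the receiver" policy Yasuo describes, can be shown in a few lines of C. The example below is added here for illustration and is not PHP's SAPI code or the patch under discussion: `log_unsafe`, `log_binsafe` and `render_escaped` are hypothetical names, and the message with an embedded NUL is a constructed sample. A logger that treats the message as a C string (`strlen`) drops everything after the NUL, which is exactly how a WAF or log reviewer ends up seeing only the harmless prefix of an injected value; a logger that carries an explicit length keeps every byte, and the receiver can then decide how to render control bytes.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: an attacker-controlled value with an embedded NUL.
 * A C-string consumer (strlen-based logger, WAF) sees only "user=alice". */
static const char SAMPLE[] = "user=alice\0' OR 1=1 --";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* 22 bytes, NUL included */

/* Binary-unsafe path (the bug): the message is taken as a C string, so
 * strlen() stops at the embedded NUL and the tail is dropped silently.
 * Returns the number of bytes that reached the log. */
size_t log_unsafe(char *out, size_t cap, const char *msg)
{
    size_t n = strlen(msg);
    if (n >= cap) n = cap - 1;
    memcpy(out, msg, n);
    out[n] = '\0';
    return n;
}

/* Binary-safe path (the fix): the caller passes an explicit length, so
 * NUL is just another byte and the whole message reaches the log. */
size_t log_binsafe(char *out, size_t cap, const char *msg, size_t len)
{
    if (len >= cap) len = cap - 1;
    memcpy(out, msg, len);
    out[len] = '\0';   /* terminator for convenience; not counted */
    return len;
}

/* Receiver-side policy: keep every byte but make the line printable and
 * single-line. NUL, CR/LF and other control or non-ASCII bytes become
 * \xNN escapes; backslash is doubled so the encoding is unambiguous. */
size_t render_escaped(char *out, size_t cap, const unsigned char *msg, size_t len)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = msg[i];
        if (c == '\\') {
            if (o + 2 >= cap) break;
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (isprint(c)) {
            if (o + 1 >= cap) break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= cap) break;
            o += (size_t)snprintf(out + o, cap - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[128], shown[256];

    size_t n = log_unsafe(buf, sizeof buf, SAMPLE);
    printf("unsafe : %zu bytes: %s\n", n, buf);

    n = log_binsafe(buf, sizeof buf, SAMPLE, SAMPLE_LEN);
    render_escaped(shown, sizeof shown, (const unsigned char *)buf, n);
    printf("binsafe: %zu bytes: %s\n", n, shown);
    return 0;
}
```

The unsafe path reports 10 bytes and logs `user=alice`; the binary-safe path reports all 22 and, once escaped by the receiver, shows `user=alice\x00' OR 1=1 --`, so the injected tail is visible in the log instead of vanishing. Escaping at the receiver rather than in the SAPI is the split the thread argues for: the SAPI only guarantees no bytes are lost.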