Newsgroups: php.internals
To: Lester Caine, internals@lists.php.net
Date: Sun, 19 Jan 2014 10:06:46 -0800
Subject: Re: [PHP-DEV] Bug 62479
From: willfitch@php.net (Will Fitch)

On Sun, Jan 19, 2014, at 02:15 AM, Lester Caine wrote:
> Will Fitch wrote:
> > Then again, I didn't expect to have
> > a bug where single quotes are part of the password, so there's always a
> > surprise.
>
> Leaving holes that can possibly be used by hackers is the problem here. IF
> someone finds an edge case that does not get handled their next step is to see
> if it can be exploited? Code review is not a matter of 'surprise' but rather
> 'what have I missed that could be a problem'?

I agree. However, this is more of a situation of not accounting for all
situations as opposed to introducing a security flaw. As I told Stas,
I'm going to update to account for beginning/ending quotes.