Newsgroups: php.internals
Message-ID: <1390168252.12466.72764421.0FBAC6E1@webmail.messagingengine.com>
To: Lester Caine, PHP internals
In-Reply-To: <52DC3CB4.5090503@lsces.co.uk>
Date: Sun, 19 Jan 2014 13:50:52 -0800
Subject: Re: [PHP-DEV] Bug 62479
From: willfitch@php.net (Will Fitch)

On Sun, Jan 19, 2014, at 12:59 PM, Lester Caine wrote:
> Will Fitch wrote:
> > On Sun, Jan 19, 2014, at 02:15 AM, Lester Caine wrote:
> > > Will Fitch wrote:
> > > > Then again, I didn't expect to have a bug where single quotes are
> > > > part of the password, so there's always a surprise.
> > >
> > > Leaving holes that can possibly be used by hackers is the problem
> > > here. IF someone finds an edge case that does not get handled their
> > > next step is to see if it can be exploited? Code review is not a
> > > matter of 'surprise' but rather 'what have I missed that could be a
> > > problem'?
> >
> > I agree. However, this is more of a situation of not accounting for
> > all situations as opposed to introducing a security flaw. As I told
> > Stas, I'm going to update to account for beginning/ending quotes.
>
> Many of the edge cases that get missed are quite benign but some of
> them can be a surprise. It is perhaps a little surprising how some
> holes can be exploited, even when we thought they were safe :(

Well said. :)

> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk