Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72791
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68740 invoked from network); 24 Feb 2014 11:07:09 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Feb 2014 11:07:09 -0000
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.219.54 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.219.54 mail-oa0-f54.google.com  
Received: from [209.85.219.54] ([209.85.219.54:38795] helo=mail-oa0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B7/74-46513-CD72B035 for <internals@lists.php.net>; Mon, 24 Feb 2014 06:07:08 -0500
Received: by mail-oa0-f54.google.com with SMTP id m1so1063729oag.27
        for <internals@lists.php.net>; Mon, 24 Feb 2014 03:07:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=YfPN9Cr5RDfI8j022XyEeRxiXFvWOVVpLhIgEDCAkeI=;
        b=gNf24YMM4bMYWC6CO6A2D+lnV0l4DNa91cfxV9Krjpjy+bsT+iJsYAOtKPJs65Pza0
         a9Etne23RmGRfV08v7Q06AEs40toOdGxaqO50Mg9HIsfA+lRuBkOB4YcpFUH3QAAe+Gk
         YsZt8sMrUC0y6ukftaq7yqTdjpExAslKir6ofIE4B3a5uL8kEw7eHmFQ5bKMO5iLSKWU
         SpnPT01GA3rGcfPTEw7KtLFfkIQa6rVC3Ar52vRup/FZd9eabYtZlaoclewsRyo291ym
         s6BBpyxd6jSZL9EzVSknfqAiUzomN/NW5aiyls5va+feNe/eVxZP04ofEE32sMAnApP0
         xXrw==
MIME-Version: 1.0
X-Received: by 10.60.51.6 with SMTP id g6mr20870803oeo.5.1393240025454; Mon,
 24 Feb 2014 03:07:05 -0800 (PST)
Received: by 10.182.54.112 with HTTP; Mon, 24 Feb 2014 03:07:05 -0800 (PST)
In-Reply-To: <CAGa2bXYO=Q3pmYKYOt0qudFtzimrXitJoLcB4KZ80MYJ-nJo0A@mail.gmail.com>
References: <CAGa2bXYO=Q3pmYKYOt0qudFtzimrXitJoLcB4KZ80MYJ-nJo0A@mail.gmail.com>
Date: Mon, 24 Feb 2014 12:07:05 +0100
Message-ID: <CAF+90c9umjqfiW3780hPjk_LpbyV=fT2t=bXZxWhiSDN-yuiuA@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c306f0cddf4404f324f871
Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based
 script execution attack?
From: nikita.ppv@gmail.com (Nikita Popov)

--001a11c306f0cddf4404f324f871
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Feb 24, 2014 at 10:41 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi all,
>
> Since this RFC is declined,
>
> https://wiki.php.net/rfc/multibyte_char_handling
>
> We need another short term resolution for it at least.
> Any suggestions?
>

Quoting from another thread:

> I'd like to start off by saying that I disagree with your premise that
this is a security vulnerability that needs to be fixed quickly and across
all supported versions. As far as I can see the issue is somebody using
addslashes() in an inappropriate context - this is a vulnerability in the
application, not PHP. This is a lot like saying that we have an RCE
vulnerability in eval() because someone had the genius idea of putting
eval($_GET['str']) in his or her code.

There is no vulnerability here as far as PHP is concerned. As such there is
no need for a short term resolution.

Nikita

--001a11c306f0cddf4404f324f871--