Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72803 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 43493 invoked from network); 25 Feb 2014 05:07:48 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 25 Feb 2014 05:07:48 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.169 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.169 mail-lb0-f169.google.com Received: from [209.85.217.169] ([209.85.217.169:36059] helo=mail-lb0-f169.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id B8/11-34115-1252C035 for ; Tue, 25 Feb 2014 00:07:46 -0500 Received: by mail-lb0-f169.google.com with SMTP id q8so2922877lbi.14 for ; Mon, 24 Feb 2014 21:07:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=zf+rbW411d5YTRWzjIgvjQUCTSrgtQWb//znn84AfqQ=; b=DJmcbSYNvS/8oyaEexRtNb7N7e2L6738XLifF7kg04HnMZAvY2Qv8acTieLlB8SqLg ToaF6w+yhN0QW2GMiKqKW5ZpMuRr/29vk/M9wwfCEnS6oJJQ+P5axLqGi+uskCaJBfOR uPFKheYrvaOVz5gWyUIT5soJ3AEjYE81U/3N+eAiGU+GpSWO3ZV0kFf8CPji1lDhrLvY bs5fXv50btpaZeHLhClkMDeGpa+Un8nrriPmENOz3ByxAeCX+N1yk6scKP0tdGgqrnZl RTrWxyUmNHv9Lhyfsaa6lb2tLRBKk0z7M3IguAqVyyPHIH1hadTSqvb5WXMMOQcQsEtT UEvQ== X-Received: by 10.152.1.3 with SMTP id 3mr40038lai.58.1393304862293; Mon, 24 Feb 2014 21:07:42 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.199.37 with HTTP; Mon, 24 Feb 2014 21:07:02 -0800 (PST) In-Reply-To: References: Date: Tue, 25 Feb 2014 14:07:02 +0900 X-Google-Sender-Auth: HFW6pC2mxSlSfktdhF0CNRfsDts Message-ID: To: Nikita Popov Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=089e013c6ae461833204f3341136 Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack? From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e013c6ae461833204f3341136 Content-Type: text/plain; charset=UTF-8 Hi Nikita, On Mon, Feb 24, 2014 at 8:07 PM, Nikita Popov wrote: > On Mon, Feb 24, 2014 at 10:41 AM, Yasuo Ohgaki wrote: > >> Hi all, >> >> Since this RFC is declined, >> >> https://wiki.php.net/rfc/multibyte_char_handling >> >> We need another short term resolution for it at least. >> Any suggestions? >> > > Quoting from another thread: > > > I'd like to start off by saying that I disagree with your premise that > this is a security vulnerability that needs to be fixed quickly and across > all supported versions. As far as I can see the issue is somebody using > addslashes() in an inappropriate context - this is a vulnerability in the > application, not PHP. This is a lot like saying that we have an RCE > vulnerability in eval() because someone had the genius idea of putting > eval($_GET['str']) in his or her code. > > There is no vulnerability here as far as PHP is concerned. As such there > is no need for a short term resolution. > This kind of bugs are considered as vulnerability. There are number of them. Examples are encoding based JavaScript/SQL injections. I'm not sure what do you mean by "not a vulnerability". > using addslashes() in an inappropriate context - this is a vulnerability in the application, not PHP. This is incorrect. PHP supports SJIS and others even in engine. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --089e013c6ae461833204f3341136--