Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72847 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 11122 invoked from network); 27 Feb 2014 22:22:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Feb 2014 22:22:52 -0000 Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.173 as permitted sender) X-PHP-List-Original-Sender: padraic.brady@gmail.com X-Host-Fingerprint: 209.85.160.173 mail-yk0-f173.google.com Received: from [209.85.160.173] ([209.85.160.173:46638] helo=mail-yk0-f173.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 09/52-33117-ABABF035 for ; Thu, 27 Feb 2014 17:22:51 -0500 Received: by mail-yk0-f173.google.com with SMTP id 10so8458782ykt.4 for ; Thu, 27 Feb 2014 14:22:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9JrVA2EMQuUngADiLsXNezhLeor25eTu19z8n13+4cI=; b=m4T3/SAHIPcAWlxY59izntknHSAsMut5qXi9M8NlOYdDGX5pxOAbI1Y2bK4c1n/BMV P+lJ134UctQBDdf/ZytjKwFFSD5diYm965Zu6kYek/eoYDYk5iek11lL3AZEjQG6qbDA dri9iYBVGUi1jyUnrXbXwgk/wMIagXQco9QNgrzZ2WfImzVsm7tVLzXHCDNo64ld3t92 anSxlPAluptYaEObr7bjPpIcXD4+aOCb3wgajcftlooAYp6xVWV0EuAPiGQAgmbjLapm tFowIwWtQT6T3+w6whUiWDYs+TvMuS0a14t0xwYkNjHhQn0FGEavucbjaHOrQazY23My zdmw== MIME-Version: 1.0 X-Received: by 10.236.100.235 with SMTP id z71mr18015172yhf.43.1393539767653; Thu, 27 Feb 2014 14:22:47 -0800 (PST) Received: by 10.170.160.69 with HTTP; Thu, 27 Feb 2014 14:22:47 -0800 (PST) In-Reply-To: References: <530C3C7B.8080907@sugarcrm.com> <530C77F8.2060809@sugarcrm.com> <1393328380.5233.45.camel@guybrush> <530DADC7.2070302@lsces.co.uk> <530DDEC6.9010901@lsces.co.uk> Date: Thu, 27 Feb 2014 22:22:47 +0000 Message-ID: To: Yasuo Ohgaki Cc: Lester Caine , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack? From: padraic.brady@gmail.com (=?UTF-8?Q?P=C3=A1draic_Brady?=) Hi, On 26 February 2014 22:28, Yasuo Ohgaki wrote: >> I don't see how the RFC addressed the problem anyway. > > Please research how databases were fixed this issue many years ago. I don= 't > remember well, but I guess it was around 2005. I have a vague recollection of issues, but since there's little specific detail on this (as it pertains to PHP) publicly it's impossible for most of us to assess what the problem may be. It's even stranger to see a secret security report being RFC'd publicly, with the attendant discussions on list, which appears to go against responsible disclosure if one can put two and two together in a Eureka moment. It just spreads a lot of doubt and confusion to no end. Paddy -- P=C3=A1draic Brady http://blog.astrumfutura.com http://www.survivethedeepend.com Zend Framework Community Review Team Zend Framework PHP-FIG Representative