Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73763
Return-Path: <smalyshev@sugarcrm.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 56623 invoked from network); 22 Apr 2014 08:48:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Apr 2014 08:48:25 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.99 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@sugarcrm.com
X-Host-Fingerprint: 108.166.43.99 smtp99.ord1c.emailsrvr.com Linux 2.6
Received: from [108.166.43.99] ([108.166.43.99:53244] helo=smtp99.ord1c.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D0/31-45364-7DC26535 for <internals@lists.php.net>; Tue, 22 Apr 2014 04:48:24 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp5.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id CBAF41B0CA3;
	Tue, 22 Apr 2014 04:48:20 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp5.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 760FB1B07F1;
	Tue, 22 Apr 2014 04:48:20 -0400 (EDT)
Message-ID: <53562CD0.5070006@sugarcrm.com>
Date: Tue, 22 Apr 2014 01:48:16 -0700
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: PHP internals <internals@lists.php.net>
References: <CA+kxMuQsoLhGgfPs5QN7tG18+HwM=6x=8W2ijyZ-O0u3BVtOMQ@mail.gmail.com> <CA+kxMuR-6vyMXvfnAwVwcH9+vk8TQ3w5Tb0gtQu4gNeTPdSybA@mail.gmail.com> <CAGa2bXaPzozXZ5dNu53EjJL+aToUR34GEnBHSBGRSzb1NXJe8Q@mail.gmail.com> <CA+kxMuSTATXDe800m1GQWxQZ8AA3MwEG9bgD1MB6e6cYJ=1voA@mail.gmail.com> <CAGa2bXb-0Bo_6E_5cSv_HvVAepeoRtdUZCy00PpROFNktHnKSA@mail.gmail.com> <CA+kxMuTPs053F3dz=-4Tar9tUJzW8wqspt83ccEAnZjdU9NXkA@mail.gmail.com> <CAGa2bXZ+6cX4vaOaEcX799VLEvs5MCgBtc5Ffz9zMLM5S12GWQ@mail.gmail.com> <52FF3BB7.8030408@lsces.co.uk> <CAGa2bXZ9dEhZxd_E+O7ofKA2rt+Qy1gRaeBrvEas4Ea_PeGTcQ@mail.gmail.com> <52FF465E.4040400@lsces.co.uk> <CAGa2bXa3Fj_2DF9CcOJRatLkE2uRFfkU+mVZ-7hq0RyO9FRYtw@mail.gmail.com> <CAEKnhAELLpTh45E8aBw_=Zq4pgXcD9vMm7jxockCHkX4wzn58A@mail.gmail.com> <CAEKnhAE+SzfxZ0P61B51tB3jt9T78hs2s0x_3F51rFXjpyzmLg@mail.gmail.com> <5355A48D.7050600@sugarcrm.com> <CAGa2bXZBchBkaCye=1nx+SU+hdoZOt7_8+XhcM9u9Fu8ERdC8Q@mail.gmail.com>
In-Reply-To: <CAGa2bXZBchBkaCye=1nx+SU+hdoZOt7_8+XhcM9u9Fu8ERdC8Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] utf-8 filenames in phar files.
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> e.g. Old browsers had _many_ security issues with ill-formed strings. 
> One valid example I can think of right now is filter evasion.
> Another is DoS. Browsers may refuse to render page at all when there is
> ill-formed 
> strings. e.g. Recent Chrome. Yet another is injections. i.e If user
> assumes path name 
> encoding is UTF-8 and didn't escape, their program could be vulnerable
> to injections.

I'm sure these are serious issues, but I'm not sure - how do they relate
to the phar fix we're talking about?

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227