Newsgroups: php.internals
Date: Thu, 17 Jul 2014 19:11:21 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Fixing bug #66827

Hi all,

https://github.com/php/php-src/pull/725

This is the fix for
https://bugs.php.net/bug.php?id=66827

This kind of malformed data is most likely an attack, but raising an error is not an option.
A quick grep shows that no module or core code only logs an error, i.e. there is no
logging-only code. All of them raise E_NOTICE/E_WARNING/etc.

I would like to record a log of what could be an attack. Since there is no code
like this, I ask for your opinions.

The patch tries to remove the offensive cookie, but it's far from perfect.
In fact, removing all of the offensive cookies in the session module is impossible.
We may let E_NOTICE be raised and try the best it can. If it could remove the offensive
cookie, the error is recorded and the user may use their app from the next request.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net