Newsgroups: php.internals
Date: Fri, 15 Jan 2016 09:32:01 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Julien Pauli, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Fixing bug #68063

Hi Julien,

On Fri, Jan 15, 2016 at 9:10 AM, Yasuo Ohgaki wrote:
>
> On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev wrote:
>>
>>> However, my previous fix (Raise warning and return false) was the wrong fix.
>>> Therefore, I would like to correct (Provide new session ID and continue)
>>> it in 5.5 also. Does this make sense?
>>
>> Yes, but not sure if it's for 5.5. It's for Julien to decide,
>> ultimately, but it doesn't look like 5.5 has a security issue right now
>> with it? Or am I wrong?
>
> No. It does not have a security bug, but has the wrong fix for the security bug.

I'll commit the fix from PHP 5.6.
If you think this should be included for PHP 5.5, please cherry pick.
I prefer to have this in PHP 5.5, but it's not mandatory.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net