From: pollita@php.net (Sara Golemon)
To: Anatol Belski
Cc: PHP internals
Date: Tue, 25 Apr 2017 10:15:18 -0700
Newsgroups: php.internals
Subject: Re: [PHP-DEV] On malformed transport strings

On Tue, Apr 25, 2017 at 5:15 AM, Anatol Belski wrote:
> I've applied the patch you've suggested in bug #74429, so it's going to be included in RCs. Given the initial security issue is not impacted, BC can be kept.
>

I thought about the security implications of that quick fix and while it doesn't impact the specifics of the bug that led to the tightening, a very slightly modified version would still work, e.g.:

    $userSuppliedAddress = '1.2.3.4:8000/';
    $fp = fsockopen($userSuppliedAddress, 80);
    // Will connect to port 8000, not the hard-coded 80.

So I'm not actually keen on that as a "fix" as it still leaves the vulnerability of overloading address *and* causes things like mysqli_connect() to break when provided with a port in the address. Double-whammy bad.

-Sara
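
Added example (not part of the original message and not PHP's own code): one way calling code can keep a hard-coded port authoritative is to accept only a bare host or IP before handing it to fsockopen(). The helper names bareHostOrNull() and openFixedPort() and the sample inputs are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns a host safe to pair with a caller-chosen
// port, or null if the input carries anything beyond a bare host or IP.
function bareHostOrNull(string $input): ?string
{
    if ($input === '') {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $input;
    }
    if (filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return '[' . $input . ']'; // socket transports expect bracketed IPv6
    }
    // FILTER_FLAG_HOSTNAME allows only letters, digits, hyphens and dots,
    // so ':' (embedded port) and '/' (path) are rejected here.
    if (filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $input;
    }
    return null;
}

// Hypothetical wrapper: the port comes only from the caller's code.
function openFixedPort(string $userSuppliedAddress, int $port)
{
    $host = bareHostOrNull($userSuppliedAddress);
    if ($host === null) {
        throw new InvalidArgumentException('Address must be a bare host or IP');
    }
    return fsockopen($host, $port, $errorCode, $errorMessage, 5.0);
}

// Constructed sample inputs; only validation runs, no connection is made.
$samples = ['1.2.3.4', '1.2.3.4:8000/', 'example.com', 'example.com:8000',
            'tcp://1.2.3.4', '::1', ''];
foreach ($samples as $sample) {
    $host = bareHostOrNull($sample);
    printf("%-20s %s\n", var_export($sample, true),
        $host === null ? 'rejected' : "accepted as $host");
}
```

This check only addresses a port, path or scheme smuggled into the address string; it does not decide which hosts the application should be allowed to reach.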