Newsgroups: php.internals
Date: Wed, 26 Apr 2017 10:34:44 -0500
From: Sara Golemon <pollita@php.net>
To: Anatol Belski
Cc: PHP internals, Joe Watkins, Davey Shafik, Remi Collet
Subject: Re: [PHP-DEV] On malformed transport strings

On Wed, Apr 26, 2017 at 6:20 AM, Anatol Belski wrote:

> Thanks for this additional check. My action was actually based on the comment with the patch link; it looks like the situation has now changed a bit. We're still quite limited in choice in this case. For one, there's a low security impact; however, the fix uncovered several inconsistent places breaching apps. For what it matters, there are already 2-3 dups regarding mysqli and stream client regressions. Given they come so short in time, that's not a good sign. Though the reports still came late enough that an appropriate fix could not be done before the next RC.

The fact that there are dups tells me that, despite the fact that bab0b99f3 made it into the 7.0.18/7.1.4 releases, we should fully revert the hard error (leaving a soft warning behind). The security implications of the original fix are fairly minor* compared to the much larger regression of actually breaking sites which otherwise worked before.

> In the end, after evaluating the situation, I would still suggest keeping your follow-up fix as a temporary solution in the next release. This way at least one issue is fixed, the stream client, while the initial patch is a bit slackened. A better fix can be worked out until the follow-up release, also targeting the mysqli regression which still persists. This way, one regression is fixed, the initial patch is weakened a bit, but as the impact was low it's something one can temporarily live with, and a good solution would be expected in the nearest possible future. An alternative would be to revert the hotfix in the final and keep the regressions.

Given that there *is* a release with bab0b99f3 in it, I suppose we're already regressed and a little clowny looking. 7.0 is your branch, so if you're cool with some uses still being slightly borky, then so am I. I'll do up some diffs for 7.0.20/7.1.6 to downgrade the hard errors to warnings (keep it a hard error for 7.2.0) and address issues like the mysqli_connect implicit port duplication.

-Sara