I have the new php.ini scanner/parser cooking up (99% done)
and some new features in the ini file handling in general (1% done).

So we need to get 5.2.4 out the door and close PHP_5_2 (only security
fixes!). Then start PHP_5_3. Right? :)

--Jani

Hello Ilia,

i'd suggest so. From my perspective 5.2 is pretty stable, tested and
secure now. But more and more people want more and more stuff into 5.*.
So i think we should change into a strict RM approval equired security
fixes only mode for 5.2 and start on 5.3. Also i think we should give
that at least three month for adding new stuff. Major things i'd like
to see would be namespaces and adding pecl packages icu (or whatever
the name is) plus phar. Well we have the todo on lukas' site.

marcus

Thursday, August 2, 2007, 2:15:13 PM, you wrote:

Marcus,

Well, do you propose we leave the issue be until 5.3?

Hello Ilia,

as much as i agree with ading the stage it is a BC issue!

Thursday, August 2, 2007, 3:26:00 AM, you wrote:

Stas,

It looks like the best solution in this case. I don't like the idea
of introducing another INI stage in minor release, but I can't think
of a better way to address this issue at this time and I cannot
imagine it breaking much stuff.

Hi!

The attached patch implements the following improvement in Apache
module configuration handling:

New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values
set in .htaccess are passed to handlers with
ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.

The reason for this is that there are values - one of them being
session.save_handler - that we want to allow administrator to set
to arbitrary values, even not inside open_basedir/safe_mode
restrictions, while we do want user-set values to be inside limits.
The problem was that right now there's no way to see if the value
is set from httpd.conf (admin) or from .htaccess (frequently user-
accessible and user-writable). This patch enables to make such
distinction.
I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE but if
there would be they can easily be fixed to work with
ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2 SAPI
only, but same one would be needed for apache1 API.

This patch will allow proper fix for CVE-2007-3378 (current one
breaks BC).

Comments/objections?

Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
Index: Zend/zend_ini.h

RCS file: /repository/ZendEngine2/zend_ini.h,v
retrieving revision 1.34.2.1.2.3
diff -u -r1.34.2.1.2.3 zend_ini.h
--- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3
+++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000
@@ -189,6 +189,7 @@
#define ZEND_INI_STAGE_ACTIVATE (1<<2)
#define ZEND_INI_STAGE_DEACTIVATE (1<<3)
#define ZEND_INI_STAGE_RUNTIME (1<<4)
+#define ZEND_INI_STAGE_HTACCESS (1<<5)

/* INI parsing engine */
typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int
callback_type, void *arg);
Index: sapi/apache2handler/apache_config.c

RCS file: /repository/php-src/sapi/apache2handler/apache_config.c,v
retrieving revision 1.7.2.1.2.2
diff -u -r1.7.2.1.2.2 apache_config.c
--- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12
-0000
1.7.2.1.2.2
+++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52
-0000
@@ -51,6 +51,7 @@
char *value;
size_t value_len;
char status;

• char htaccess;
  } php_dir_entry;

static const char *real_value_hnd(cmd_parms *cmd, void *dummy,
const char *name, const char *value, int status)
@@ -67,7 +68,8 @@
e.value = apr_pstrdup(cmd->pool, value);
e.value_len = strlen(value);
e.status = status;

• e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0);
  

• zend_hash_update(&d->config, (char *) name, strlen(name) +  
  

1, &e,
sizeof(e), NULL);
return NULL;
}
@@ -170,7 +172,7 @@
zend_hash_move_forward(&d->config)) {
zend_hash_get_current_data(&d->config, (void **)
&data);
phpapdebug((stderr, "APPLYING (%s)(%s)\n", str,
data->value));

•         if (zend_alter_ini_entry(str, str_len, data->value,  
  

data-

value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) {

•         if (zend_alter_ini_entry(str, str_len, data->value,  
  

data-

value_len, data->status, data->htaccess?
ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) {
phpapdebug((stderr, "..FAILED\n"));
}
}

--

Ilia Alshanetsky

Best regards,
Marcus

Ilia Alshanetsky

Best regards,
Marcus

Marcus,

I've already said a several times that post 5.2.4 work on 5.3 will
begin. This patch however IS a security fix, so the option is to
ignore the bug or fix it, I am for fixing it rather the delaying the
fix until 5.3 is released.

Hello Ilia,

i'd suggest so. From my perspective 5.2 is pretty stable, tested and
secure now. But more and more people want more and more stuff into
5.*.
So i think we should change into a strict RM approval equired security
fixes only mode for 5.2 and start on 5.3. Also i think we should give
that at least three month for adding new stuff. Major things i'd like
to see would be namespaces and adding pecl packages icu (or whatever
the name is) plus phar. Well we have the todo on lukas' site.

marcus

Thursday, August 2, 2007, 2:15:13 PM, you wrote:

Marcus,

Well, do you propose we leave the issue be until 5.3?

Hello Ilia,

as much as i agree with ading the stage it is a BC issue!

Thursday, August 2, 2007, 3:26:00 AM, you wrote:

Stas,

It looks like the best solution in this case. I don't like the idea
of introducing another INI stage in minor release, but I can't
think
of a better way to address this issue at this time and I cannot
imagine it breaking much stuff.

Hi!

The attached patch implements the following improvement in Apache
module configuration handling:

New INI stage is introduced - ZEND_INI_STAGE_HTACCESS and values
set in .htaccess are passed to handlers with
ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.

The reason for this is that there are values - one of them being
session.save_handler - that we want to allow administrator to set
to arbitrary values, even not inside open_basedir/safe_mode
restrictions, while we do want user-set values to be inside
limits.
The problem was that right now there's no way to see if the value
is set from httpd.conf (admin) or from .htaccess (frequently user-
accessible and user-writable). This patch enables to make such
distinction.
I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE
but if
there would be they can easily be fixed to work with
ZEND_INI_STAGE_HTACCESS too. The attached patch is for apache2
SAPI
only, but same one would be needed for apache1 API.

This patch will allow proper fix for CVE-2007-3378 (current one
breaks BC).

Comments/objections?

Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
Index: Zend/zend_ini.h

=
RCS file: /repository/ZendEngine2/zend_ini.h,v
retrieving revision 1.34.2.1.2.3
diff -u -r1.34.2.1.2.3 zend_ini.h
--- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3
+++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000
@@ -189,6 +189,7 @@
#define ZEND_INI_STAGE_ACTIVATE (1<<2)
#define ZEND_INI_STAGE_DEACTIVATE (1<<3)
#define ZEND_INI_STAGE_RUNTIME (1<<4)
+#define ZEND_INI_STAGE_HTACCESS (1<<5)

/* INI parsing engine */
typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int
callback_type, void *arg);
Index: sapi/apache2handler/apache_config.c

=
RCS file: /repository/php-src/sapi/apache2handler/
apache_config.c,v
retrieving revision 1.7.2.1.2.2
diff -u -r1.7.2.1.2.2 apache_config.c
--- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12
-0000
1.7.2.1.2.2
+++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52
-0000
@@ -51,6 +51,7 @@
char *value;
size_t value_len;
char status;

• char htaccess;
  } php_dir_entry;

static const char *real_value_hnd(cmd_parms *cmd, void *dummy,
const char *name, const char *value, int status)
@@ -67,7 +68,8 @@
e.value = apr_pstrdup(cmd->pool, value);
e.value_len = strlen(value);
e.status = status;

• e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF))  
  

== 0);

• zend_hash_update(&d->config, (char *) name, strlen(name) +
  

1, &e,
sizeof(e), NULL);
return NULL;
}
@@ -170,7 +172,7 @@
zend_hash_move_forward(&d->config)) {
zend_hash_get_current_data(&d->config, (void **)
&data);
phpapdebug((stderr, "APPLYING (%s)(%s)\n", str,
data->value));

•         if (zend_alter_ini_entry(str, str_len, data->value,
  

data-

value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) {

•         if (zend_alter_ini_entry(str, str_len, data->value,
  

data-

value_len, data->status, data->htaccess?
ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) {
phpapdebug((stderr, "..FAILED\n"));
}
}

--

Ilia Alshanetsky

Best regards,
Marcus

Ilia Alshanetsky

Best regards,
Marcus

Ilia Alshanetsky