Hi,
I was recently answering a question about null byte injection into PCRE and
the OP claimed that a pattern such as "~.+~e\x00u" would be accepted; they
were using 5.3.
The commit that fixed it was this:
https://github.com/php/php-src/commit/8b3c1a380a182655113b94b0b96551e98d05a8d3
The corresponding (private) bug is: https://bugs.php.net/bug.php?id=55856
My question is whether there's a defined "time out period" after which
those kind of sensitive bug reports are opened to the public; is it done
once we hit EOL for that branch?
--
Tjerk
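The null-byte problem described above, illustrated with an added PHP example that is not code from this thread or from php-src: the pattern "~.+~e\x00u" contains a NUL byte after the modifier "e", so any code that reads the modifier string as a NUL-terminated C string sees only "~.+~e" and never the "u". The function below is a defensive pre-check for patterns that arrive from untrusted input. Its delimiter handling is a simplified model (an assumption, not the engine's real parser): one non-alphanumeric delimiter or one of the four bracket pairs, with the modifiers taken as everything after the last closing delimiter. The modifier allowlist is likewise an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or php-src. Pre-validates a regex
// pattern before it is handed to preg_* so that a NUL byte cannot cut the
// modifier string short (the "~.+~e\x00u" case) and so that the /e
// modifier is refused outright.

function validate_pattern(string $pattern): ?string
{
    // Check the raw bytes first: everything below could be fooled by a
    // NUL-terminated view of the string.
    if (strpos($pattern, "\0") !== false) {
        return 'pattern contains a NUL byte';
    }

    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return 'empty pattern';
    }

    $open = $pattern[0];
    if (ctype_alnum($open) || $open === '\\') {
        return 'delimiter must not be alphanumeric or a backslash';
    }
    // Simplified delimiter model (assumption): four bracket pairs, or the
    // same character on both ends.
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;

    // Last occurrence of the closing delimiter after the opening one.
    $end = strrpos($pattern, $close, 1);
    if ($end === false) {
        return 'no closing delimiter found';
    }

    $modifiers = substr($pattern, $end + 1);
    if (strpos($modifiers, 'e') !== false) {
        return 'the /e modifier is refused';
    }
    // Allowlist of modifiers this example accepts (assumption: i m s x u
    // A D S U X J n plus whitespace, which preg_* ignores).
    if (preg_match('/[^imsxuADSUXJn\s]/', $modifiers) === 1) {
        return 'unknown modifier in "' . $modifiers . '"';
    }
    return null; // pattern passed the checks
}

// Constructed sample patterns, including the one from the thread.
$samples = ["~.+~e\x00u", "~.+~e", "~.+~u", "/ab[c/]/i", "~abc", "(a|b)xyz"];
foreach ($samples as $p) {
    printf("%-14s => %s\n", addcslashes($p, "\0"), validate_pattern($p) ?? 'ok');
}
```

The NUL check runs on the raw bytes before any delimiter parsing, which is the order that matters: a check placed after the modifier string has been truncated would never see the byte it is looking for. A pre-check like this only makes sense for patterns that come from user input; PHP releases carrying the fix linked above reject a NUL byte in the pattern themselves, and PHP 7.0 removed the /e modifier entirely.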
On Tue, Feb 18, 2014 at 8:43 PM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:

> Hi,
> I was recently answering a question about null byte injection into PCRE and
> the OP claimed that a pattern such as "~.+~e\x00u" would be accepted; they
> were using 5.3. The commit that fixed it was this:
> https://github.com/php/php-src/commit/8b3c1a380a182655113b94b0b96551e98d05a8d3
> The corresponding (private) bug is: https://bugs.php.net/bug.php?id=55856
> My question is whether there's a defined "time out period" after which
> those kind of sensitive bug reports are opened to the public; is it done
> once we hit EOL for that branch?
> --
> Tjerk

AFAIK it should be opened after we have a release with the fix announced,
as there is no point in having a reference to a private bug in the release
announcement/Changelog.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
> On Tue, Feb 18, 2014 at 8:43 PM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
>
>> Hi,
>> I was recently answering a question about null byte injection into PCRE and
>> the OP claimed that a pattern such as "~.+~e\x00u" would be accepted; they
>> were using 5.3. The commit that fixed it was this:
>> https://github.com/php/php-src/commit/8b3c1a380a182655113b94b0b96551e98d05a8d3
>> The corresponding (private) bug is: https://bugs.php.net/bug.php?id=55856
>> My question is whether there's a defined "time out period" after which
>> those kind of sensitive bug reports are opened to the public; is it done
>> once we hit EOL for that branch?
>> --
>> Tjerk
>
> AFAIK it should be opened after we have a release with the fix announced,
> as there is no point in having a reference to a private bug in the release
> announcement/Changelog.

Thanks. If that's indeed the case, could someone please open the bug
report? :)

> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

--
Tjerk
On Thu, Feb 20, 2014 at 2:40 AM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:

> On Tue, Feb 18, 2014 at 8:43 PM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
>
>>> Hi,
>>> I was recently answering a question about null byte injection into PCRE and
>>> the OP claimed that a pattern such as "~.+~e\x00u" would be accepted; they
>>> were using 5.3. The commit that fixed it was this:
>>> https://github.com/php/php-src/commit/8b3c1a380a182655113b94b0b96551e98d05a8d3
>>> The corresponding (private) bug is: https://bugs.php.net/bug.php?id=55856
>>> My question is whether there's a defined "time out period" after which
>>> those kind of sensitive bug reports are opened to the public; is it done
>>> once we hit EOL for that branch?
>>> --
>>> Tjerk
>>
>> AFAIK it should be opened after we have a release with the fix announced,
>> as there is no point in having a reference to a private bug in the release
>> announcement/Changelog.
>
> Thanks. If that's indeed the case, could someone please open the bug
> report? :)

I've opened it up, thanks for spotting it.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Ferenc Kovacs wrote:

> On Tue, Feb 18, 2014 at 8:43 PM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
>
>> The corresponding (private) bug is:
>> https://bugs.php.net/bug.php?id=55856
>
> I've opened it up, thanks for spotting it.

Shouldn't the status be set to "closed"?

--
Christoph M. Becker
>> On Tue, Feb 18, 2014 at 8:43 PM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
>>
>>> The corresponding (private) bug is:
>>> https://bugs.php.net/bug.php?id=55856
>>
>> I've opened it up, thanks for spotting it.
>
> Shouldn't the status be set to "closed"?

Closed.

--
Yasuo Ohgaki
yohgaki@ohgaki.net