unread
Am 30.01.2015 20:09 schrieb "Leigh" leight@gmail.com:
Well, I guess in theory we should be limiting the size of input to
gethostbyname to 255 characters.
Yeah, but in theory the C library gethostbyname() should do the same...
There will be a lot of things that could be checked up-front instead of
relying on the C layer stuff to do its work. Do you want to pre-examine
pathnames regarding maximum path name lengths? Check the fopen mode
parameter for posixly valid content? There's a zillion ways libc might be
vulnerable. And any such up-front in PHP check might then be blessed with
exploitable bugs itself...
best regards
Patrick