Christian Stadler wrote:
> David Mitchell wrote:
>> As a user, I wanted to throw my two cents in. Our security administrator
>> _is_ considering this particular fix to be critical, and has made it a
>> required patch. While it's true that this particular fix is protecting
>> against poorly written PHP scripts, it also appears to be the case that
>> such poorly written software is fairly common and is being actively
>> targeted. I also think that with this patch in PHP itself, there will be
>> a lot less pressure for any of the packages which employ unsafe variable
>> handling to actually get fixed. I know that I personally don't have a
>> lot of say on the matter, but it would be nice if the patched version
>> was released sooner. Thanks for your time.
>
> You can always turn off register_globals in your php.ini.
> register_globals = Off is a recommended setting anyway.

I do have it off. But there is code which basically re-implements register_globals. The patch actually checks to ensure that you don't try to re-define the global variable named "GLOBAL". I'm not worried about my own code, since I do my best to practice safe variable handling. Apparently some authors took a short cut and have re-implemented register_globals using code like this:

foreach ($_REQUEST as $key => $value) $$key = $value;

Is that a dangerous thing to do? Sure. But that doesn't mean it's not being done. As I said, it seems to be common enough that the patch to prevent it being dangerous has gone from being in Hardened-PHP to mainline PHP to having a CVE to being a mandatory patch in my organization. That's a lot of people who seem to think it's a serious issue. And as I said, if the upstream PHP is patched to prevent the above code from being dangerous then there is no incentive for anybody to fix the scripts which do have unsafe variable handling code in them.

I think an argument can be made that Sarge needs to either have the patch in question applied or it needs to have all the PHP-dependent packages checked to make sure they aren't doing unsafe things with request variables. The latter is not realistically going to happen because the PHP developers seem to have decided that the former is the proper fix.

Personally, I don't have a big stake in the final outcome of this. I don't have much PHP code on my systems, and what I do have is in-house stuff which was written with safe variable handling in mind. That said, I don't want to have to go to my security administrator and explain why my distro of choice needs to have an exception to our patching policy made for it.

-David Mitchell


Regards,
  Christian Stadler


--
-----------------------------------------------------------------
| David Mitchell ([EMAIL PROTECTED])       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
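The one-line register_globals emulation quoted in the message above, shown beside a hardened import, as an added example that is not code from the thread or from PHP itself. The request arrays are constructed by hand to stand in for what PHP would parse from a query string, and the helper `import_request` and the constant `RESERVED_NAMES` are hypothetical names chosen for this example; the script runs offline under the PHP CLI.

```php
<?php
// Added example, not code from the thread. The request arrays below are
// constructed by hand to stand in for what PHP would parse from a query
// string, so the script runs offline with `php` on the command line.

// Application state that a request must never be able to set.
$is_admin   = false;
$upload_dir = '/var/www/uploads';

// What ?name=alice&is_admin=1&upload_dir=/tmp would parse into (constructed).
$hostile = ['name' => 'alice', 'is_admin' => '1', 'upload_dir' => '/tmp'];

// --- 1. The emulation quoted in the thread, run at global scope ---------
// Every request key becomes a global variable, so the client, not the
// script, decides which variables get written.
foreach ($hostile as $key => $value) $$key = $value;

var_dump($is_admin);    // string(1) "1": authorisation state chosen by the client
var_dump($upload_dir);  // string(4) "/tmp"

// A key of GLOBALS (?GLOBALS[is_admin]=1) makes the same loop assign to
// $GLOBALS itself, which is the case the patch discussed in the thread
// refuses. It is not exercised here because the outcome depends on the
// PHP version.

// --- 2. A hardened import -----------------------------------------------
// Names that alias PHP's superglobals; a request must never bind these.
const RESERVED_NAMES = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                        '_SERVER', '_ENV', '_FILES', '_SESSION'];

/**
 * Return only the parameters the page declared, as scalars, with defaults
 * for anything missing. Unknown names are dropped; reserved names are an
 * error so that a probe for the GLOBALS overwrite shows up in the logs.
 * (Hypothetical helper written for this example.)
 */
function import_request(array $request, array $expected): array
{
    foreach (array_keys($request) as $key) {
        if (in_array($key, RESERVED_NAMES, true)) {
            throw new InvalidArgumentException("refusing request parameter '$key'");
        }
    }
    $params = [];
    foreach ($expected as $name => $default) {
        $value = $request[$name] ?? null;
        // Arrays (?name[]=x) are not accepted where a scalar is expected.
        $params[$name] = is_scalar($value) ? (string) $value : $default;
    }
    return $params;
}

// Reset the state clobbered above and pass the same request through the filter.
$is_admin   = false;
$upload_dir = '/var/www/uploads';

$params = import_request($hostile, ['name' => 'anonymous']);
var_dump($params);      // array(1) { ["name"]=> string(5) "alice" }
var_dump($is_admin);    // bool(false): is_admin was never a declared parameter
var_dump($upload_dir);  // string(17) "/var/www/uploads"

// A probe for the GLOBALS overwrite is rejected before anything is bound.
try {
    import_request(['GLOBALS' => ['is_admin' => '1']], ['name' => 'anonymous']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // refusing request parameter 'GLOBALS'
}
```

The point of the second half is that the script, not the request, owns the list of variable names: unknown keys never reach the symbol table, and the declared parameters land in a local array rather than in globals, so turning register_globals off in php.ini is no longer the only thing standing between the client and the application's state.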

