httpd-test-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: Fwd: cvs commit: httpd-test/perl-framework/t/htdocs/security CAN-2004-0958.php
Date Tue, 23 Nov 2004 21:27:14 GMT
On Tue, Nov 23, 2004 at 12:55:16PM -0600, William Rowe wrote:
> What I questioned was why we were doing the security validation 
> of PHP when it's outside the scope of httpd, or isn't due to some
> interaction with httpd.

This is true for most of the functional tests of PHP in t/php/ which
Covalent donated.  I don't necessarily disagree, but I do find it
useful.  Possibly these tests could go in the PHP test suite as well,
I'm not sure.  If that's your itch...

> I also questioned shoving scary security/CAN-2004-xxxx.t failures
> at our users.  FIRST this should never have been in security/ -
> it should have been a php/ test.  Again, this is not our security
> incident within httpd.

I don't really care either way, smells like a freshly painted bikeshed
to me ;)

> Second, whenever we fail any CAN-2004-xxxx.t we must direct the
> user to some patch where they can remedy the situation.  I'm sort
> of laughing that I spent 4 hours yesterday researching two vulns
> that many other engineers had spent 4 hours researching.  The
> laughable thing - show me on www.php.net where they call out any
> patches for 4.3.x to these two incidents?

They don't, it was fixed silently, I mailed them about that but they
didn't seem inclined to do anything about it.  If you want to follow up
on that some more, great, but ranting about it here won't make much 
difference.

joe
