[php-maint] Re: php4 security issues, the complete works (vol 2)
Moritz Muehlenhoff
jmm at inutil.org
Mon Sep 11 17:22:29 UTC 2006
sean finney wrote:
> yes, i agree.  i'll make sure to have some notes in the next uploads
> of php4/php5 about this.  joey/moritz:  i imagine that i should get you
> guys to sign off on whatever that blurb says... how about:
Thanks.
 
> 	Because of the large number of security-related problems with 
> 	certain PHP configurations, the Debian security team does not
> 	provide security support for configurations known to be 
> 	inherently insecure.  Most specifically, the security team will
> 	not provide support for flaws in:
> 	- vulnerabilities involving register_globals being activated, 
> 	  unless specifically the vulnerability activates this setting 
> 	  when it was configured as deactivated.
> 	- vulnerabilities involving any kind of safe_mode or 
> 	  open_basedir violation, as these are security models flawed
> 	  by design and no longer have upstream support either.
> 	- any "works as expected" vulnerabilities, such as "user can 
> 	  cause php to crash by writing a malicious php script", unless
> 	  such vulnerabilities involve some kind of higher-level DoS or
> 	  privilege escalation that would not otherwise be available.
> 	- something else?  something more specific about input 
> 	  sanitizing problems?
That looks nice, but it should also be pointed out that it's not a 
question of a lack of resources, but of providing a sane solution;
PHP is not designed to bypass every possible flaw an incompetent web
developer could make. I guess you as a native speaker could formulate
that a little more positively :-)
I guess we should also point out that most of the issues above are addressed
the way PHP 6 will handle them (no more open_basedir, register_globals,
safe mode, etc.).
Cheers,
        Moritz
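An illustration of the first bullet in the quoted policy (register_globals), added here as an example and not part of the thread or of Debian's php4/php5 packaging: the script shows the classic uninitialised-variable authorisation bug that register_globals turns into a remote flaw, the hardened form beside it, and a deployment check that refuses to run with the setting enabled. The request data and session contents are constructed, and the function names are assumptions.

```php
<?php
// Added example, not from the thread. Demonstrates why the security team
// treats register_globals=On as an unsupportable configuration.

// --- Deployment check -------------------------------------------------------
// register_globals is a php.ini setting. A hardened deployment refuses to
// serve anything while it is on. (On PHP releases that removed the setting,
// ini_get() returns false and the check is a no-op.)
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    trigger_error('register_globals is enabled; refusing to serve requests', E_USER_ERROR);
}

// Constructed sample request and session so the script runs offline:
// an anonymous visitor sends ?authorized=1 in the query string.
$_GET    = ['authorized' => '1'];
$session = [];                      // no logged-in user

// --- Vulnerable pattern -----------------------------------------------------
// With register_globals=On the engine copies every request parameter into
// global scope before the script runs, roughly what extract($_GET) does.
// The extract() call below only simulates that behaviour on a sane PHP.
extract($_GET);

if (isset($session['user']) && $session['user'] === 'admin') {
    $authorized = true;
}
// $authorized is never initialised on the non-admin path, so the value the
// client injected survives and the check passes.
echo 'vulnerable: ', (!empty($authorized) ? 'granted' : 'denied'), PHP_EOL;

// --- Hardened form ----------------------------------------------------------
// Initialise every variable, derive authorisation only from server-side
// state, and read client input solely through the explicit superglobals.
function is_admin(array $session): bool
{
    $authorized = false;            // explicit default closes the hole
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized;
}
echo 'hardened: ', (is_admin($session) ? 'granted' : 'denied'), PHP_EOL;
```

Run with the PHP CLI: the first line prints "vulnerable: granted" because the injected value is trusted, the second prints "hardened: denied". The fix is not in the web server configuration alone; every variable that gates a decision must be initialised before use, which is exactly the class of developer error the policy declines to treat as a PHP bug.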