Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8
From: Pierre Joye <pierre.php () gmail com>
Date: Sun, 25 Sep 2011 19:22:19 +0200
On Sun, Sep 25, 2011 at 6:38 PM, Rasmus Lerdorf <rasmus () php net> wrote:
> are we talking about the tiny number of people who have explicitly
> enabled allow_url_include and are running the code with this bad autoloader?
Yes, and that's why it is a very, very minor problem. However, it was
not happening before the code change. In the few cases where the class
names & co. have been sanitized before, the developer did not think
about cases like the one described in the blog post. I think it is an even
rarer combination, but it was not happening before our change.
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
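The thread turns on a "bad autoloader" that builds an include path straight from an untrusted class name, which only becomes remotely exploitable when allow_url_include is on. The following is an added example, not code from the thread or from PHP itself: an autoloader that validates the class name before touching the filesystem, so that whatever string reaches it (from is_a() or anywhere else) can only ever resolve to a file under the application's own class directory. The constant APP_CLASS_DIR, the directory layout and the sample names are assumptions made for the example.

```php
<?php
// Added example (not from the thread): a class-name validating autoloader.
// Rejecting malformed names up front means the loader no longer depends on
// php.ini settings such as allow_url_include for its safety.

// Hypothetical project root; adjust for your own layout.
define('APP_CLASS_DIR', __DIR__ . '/classes');

/**
 * Map a class name to an absolute file path, or return null if the name is
 * not a plain (optionally namespaced) PHP identifier or resolves outside
 * APP_CLASS_DIR.
 */
function safe_class_path($class)
{
    // Only identifier characters and namespace separators are accepted.
    // URL schemes, "..", slashes and NUL bytes all fail this test.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $class)) {
        return null;
    }

    $base = realpath(APP_CLASS_DIR);
    if ($base === false) {
        return null; // class directory missing: nothing can be loaded
    }

    $relative = str_replace('\\', DIRECTORY_SEPARATOR, $class) . '.php';
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);

    // Confirm the resolved file is still inside the class directory.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

spl_autoload_register(function ($class) {
    $path = safe_class_path($class);
    if ($path !== null) {
        require $path;
    }
    // Unknown or malformed names are simply not loaded; class_exists() and
    // is_a() then report false instead of triggering an include.
});

// Constructed inputs for illustration: only the first two can ever map to a file.
$samples = array(
    'My_Model',
    'App\\Service',
    'http://attacker.invalid/payload',
    '../../etc/passwd',
    "Foo\0bar",
);
foreach ($samples as $name) {
    printf("%-35s => %s\n", addcslashes($name, "\0"),
        safe_class_path($name) === null ? 'rejected' : safe_class_path($name));
}
```

The whitelist regex does the real work; the realpath() check is a second, independent guard so that a future change to the mapping logic cannot quietly reintroduce path traversal.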