Mechanical

Mothers, don't let your children grow up to be cowboy programmers.

Below is a paste from rafb.net entitled "Differences between PHP 5.2.7 and 5.2.8", and it shows a real problem. Andy Lester diffed the two release tarballs and posted the result on Twitter; he also pointed out the whopping huge problem we have here.

diff -urN php-5.2.7/configure php-5.2.8/configure
--- php-5.2.7/configure	2008-12-03 10:07:36.000000000 -0600
+++ php-5.2.8/configure	2008-12-07 13:31:12.000000000 -0600
@@ -2429,7 +2429,7 @@
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=2
-PHP_RELEASE_VERSION=7
+PHP_RELEASE_VERSION=8
 PHP_EXTRA_VERSION=""
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
diff -urN php-5.2.7/configure.in php-5.2.8/configure.in
--- php-5.2.7/configure.in	2008-12-03 09:54:02.000000000 -0600
+++ php-5.2.8/configure.in	2008-12-07 13:23:25.000000000 -0600
@@ -1,4 +1,4 @@
-## $Id: configure.in,v 1.579.2.52.2.116 2008/12/03 15:54:02 iliaa Exp $ -*- autoconf -*-
+## $Id: configure.in,v 1.579.2.52.2.119 2008/12/07 19:23:25 iliaa Exp $ -*- autoconf -*-
 dnl ## Process this file with autoconf to produce a configure script.
 
 divert(1)
@@ -41,7 +41,7 @@
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=2
-PHP_RELEASE_VERSION=7
+PHP_RELEASE_VERSION=8
 PHP_EXTRA_VERSION=""
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
diff -urN php-5.2.7/ext/filter/filter.c php-5.2.8/ext/filter/filter.c
--- php-5.2.7/ext/filter/filter.c	2008-11-02 16:04:40.000000000 -0600
+++ php-5.2.8/ext/filter/filter.c	2008-12-06 11:16:36.000000000 -0600
@@ -19,7 +19,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: filter.c,v 1.52.2.43 2008/11/02 22:04:40 lbarnaud Exp $ */
+/* $Id: filter.c,v 1.52.2.44 2008/12/06 17:16:36 scottmac Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -275,7 +275,7 @@
 {
 	php_info_print_table_start();
 	php_info_print_table_row( 2, "Input Validation and Filtering", "enabled" );
-	php_info_print_table_row( 2, "Revision", "$Revision: 1.52.2.43 $");
+	php_info_print_table_row( 2, "Revision", "$Revision: 1.52.2.44 $");
 	php_info_print_table_end();
 
 	DISPLAY_INI_ENTRIES();
@@ -403,7 +403,7 @@
 		Z_STRLEN(new_var) = val_len;
 		Z_TYPE(new_var) = IS_STRING;
 
-		if (IF_G(default_filter) != FILTER_UNSAFE_RAW || IF_G(default_filter_flags) != 0) {
+		if (IF_G(default_filter) != FILTER_UNSAFE_RAW) {
 			zval *tmp_new_var = &new_var;
 			Z_STRVAL(new_var) = estrndup(*val, val_len);
 			INIT_PZVAL(tmp_new_var);
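Review bot: Removing the `|| IF_G(default_filter_flags) != 0` clause means that for FILTER_UNSAFE_RAW the copy-and-filter branch (`Z_STRVAL(new_var) = estrndup(*val, val_len);` onward) is now skipped whatever default_filter_flags holds, so on this path the flags become a no-op for the default filter; that is presumably the intent, since per the NEWS hunk the extra clause is what broke magic_quotes_gpc, but the revert carries no regression test, and an ext/filter/tests .phpt that sets magic_quotes_gpc=1 and checks that $_GET values arrive backslash-escaped would pin the restored behaviour so the same regression cannot slip back in unnoticed.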
diff -urN php-5.2.7/main/php_version.h php-5.2.8/main/php_version.h
--- php-5.2.7/main/php_version.h	2008-12-03 09:54:03.000000000 -0600
+++ php-5.2.8/main/php_version.h	2008-12-07 13:23:26.000000000 -0600
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 7
+#define PHP_RELEASE_VERSION 8
 #define PHP_EXTRA_VERSION ""
-#define PHP_VERSION "5.2.7"
-#define PHP_VERSION_ID 50207
+#define PHP_VERSION "5.2.8"
+#define PHP_VERSION_ID 50208
diff -urN php-5.2.7/NEWS php-5.2.8/NEWS
--- php-5.2.7/NEWS	2008-12-03 09:54:02.000000000 -0600
+++ php-5.2.8/NEWS	2008-12-07 13:23:25.000000000 -0600
@@ -1,5 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+08 Dec 2008, PHP 5.2.8
+- Reverted bug fix #42718 that broke magic_quotes_gpc (Scott)
+
 04 Dec 2008, PHP 5.2.7
 - Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371) (Ilia)
 - Updated timezone database to version 2008.9. (Derick)
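Review bot: The 5.2.8 entry names the reverted fix and its symptom but not the behaviour change users will see from the filter.c hunk, namely that default_filter_flags are no longer honoured when default_filter is FILTER_UNSAFE_RAW; a clause on that line, e.g. `- Reverted bug fix #42718 that broke magic_quotes_gpc; default_filter_flags no longer apply to FILTER_UNSAFE_RAW (Scott)`, would save anyone relying on those flags from rediscovering it the hard way.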

As explained in a blog entry about the PHP 5.2.8 release, 5.2.7 shipped a major regression: a bug fix broke "magic_quotes_gpc". That is a deprecated feature which backslash-escapes quotes in every incoming GET, POST and cookie value, and a great deal of PHP code relies on it, rather than on proper escaping or prepared statements, as its only defence against SQL injection: attacker-supplied text interpolated into a query so that it changes what the query does. These attacks are trivial to execute and are very serious. PHP has long been notorious for security holes, but silently re-opening an old one was so serious that PHP pulled 5.2.7 and released 5.2.8 with little more than the one-line change above.
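
To make concrete what code that leaned on magic_quotes_gpc lost when the escaping silently stopped happening, here is an added example; it is not code from this post, from PHP or from any application it mentions. It runs the same interpolating login query three ways: with the runtime escaping the application expected, without it, and as a prepared statement. Everything in it is constructed for the demo: the users table, the credentials, the payload, and gpc_escape(), which stands in for the escaping magic_quotes_gpc did. The real thing was addslashes(), MySQL's backslash convention; SQLite, used here so the script runs with no server, only understands doubled quotes, so the stand-in doubles them. The point being shown, that the application's own code is only safe while something outside it performs the escaping, does not depend on which convention is used.

```php
<?php
// Added example (not from the post or from PHP): one interpolating login
// query run with the runtime escaping an application used to get from
// magic_quotes_gpc, without it, and as a prepared statement.  Table,
// credentials and payload are all constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, pass TEXT NOT NULL)');
$db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// What an attacker types into the login form.  In a real request these
// would arrive in $_POST['user'] and $_POST['pass'].
$rawUser = 'nobody';
$rawPass = "' OR '1'='1";

// Stand-in for the escaping magic_quotes_gpc applied to every GET/POST/
// COOKIE value before the application ever saw it.  The real thing was
// addslashes(); SQLite needs doubled quotes instead, so that is what the
// stand-in does.  What matters is that it happens outside the app code.
function gpc_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// 2008-style code: interpolate request data straight into SQL and trust
// the runtime to have escaped it.  Returns the number of matching rows.
function login_interpolated(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened form: the value never becomes part of the SQL text, so no
// escaping layer, in the runtime or anywhere else, has to be working.
function login_prepared(PDO $db, string $user, string $pass): int
{
    $st = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?');
    $st->execute([$user, $pass]);
    return (int) $st->fetchColumn();
}

// 1. Runtime escaping working (magic_quotes_gpc on): the payload is just
//    an odd-looking password and nothing matches.
printf("escaped:   %d rows\n", login_interpolated($db, gpc_escape($rawUser), gpc_escape($rawPass)));

// 2. Runtime escaping silently gone (the 5.2.7 regression): identical
//    application code, but the WHERE clause now reads
//      name = 'nobody' AND pass = '' OR '1'='1'
//    and, because AND binds tighter than OR, matches every user.
printf("unescaped: %d rows\n", login_interpolated($db, $rawUser, $rawPass));

// 3. Prepared statement: the same payload is just a password again,
//    whether or not the runtime escapes anything.
printf("prepared:  %d rows\n", login_prepared($db, $rawUser, $rawPass));
```

Run it with any PHP that has PDO's SQLite driver; the three lines print 0, 2 and 0 rows. The second line is the whole story of the regression: nothing in the application changed, only an escaping step it never called disappeared underneath it. Note too that addslashes-style escaping was never database-aware, which is one reason the feature was on its way out even before it broke.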

Notice anything interesting about that diff? Anything missing, perhaps?

CAN WE HAVE SOME FRIGGIN' TESTS, PLEASE? You re-open an old, serious security hole in one of the most popular programming languages, a hole you re-opened because you evidently don't have tests for it in the first place, and now you close it but don't write any tests? Have you learned nothing? Aargh!
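
For the record, this is roughly the test the revert should have come with. It is an added example in PHP's own .phpt test format, not a file from PHP's tree, and the path it would live at (say ext/filter/tests/magic_quotes_gpc.phpt) is my assumption. It pins the end-to-end behaviour the 5.2.8 change restores: with magic_quotes_gpc=On and ext/filter loaded with its default unsafe_raw filter, GET values must still arrive backslash-escaped. Both query-string values are constructed for the test.

```phpt
--TEST--
magic_quotes_gpc must still escape request data when ext/filter is loaded
--SKIPIF--
<?php
if (!extension_loaded('filter')) die('skip filter extension not loaded');
if (version_compare(PHP_VERSION, '5.4.0', '>=')) die('skip magic_quotes_gpc was removed in PHP 5.4');
?>
--INI--
magic_quotes_gpc=1
filter.default=unsafe_raw
--GET--
a=O%27Reilly&b=%5Cpath
--FILE--
<?php
// Added example, not a file from PHP's tree: regression test for the
// behaviour the 5.2.8 revert restores.  With magic_quotes_gpc on, every
// GET value must reach the script backslash-escaped regardless of what
// ext/filter's default filter does.  Query-string values are constructed.
var_dump((bool) get_magic_quotes_gpc());
var_dump($_GET['a']);   // O'Reilly  -> O\'Reilly
var_dump($_GET['b']);   // \path     -> \\path
?>
--EXPECT--
bool(true)
string(9) "O\'Reilly"
string(6) "\\path"
```

Tests with a --GET-- section run under the CGI binary, so run-tests.php needs php-cgi available (the TEST_PHP_CGI_EXECUTABLE variable points it there). Against 5.2.7 this fails on the second and third var_dump with the unescaped strings; against 5.2.8 it passes; and anyone who later touches the condition in ext/filter/filter.c finds out in the test run rather than from a pulled release.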

I have some code that I've put out there without complete test coverage, but I mark this code as "experimental" or "alpha". And it's certainly not something which is a core technology that underpins much of the Web.

You ever wish you could fire open-source programmers? The next time your crappy bulletin board software breaks, remember this post.

  • Current Mood: disappointed
  • Current Music: Icon of Coil | TB Memory

Or, you can be like the Perl community, which excels at tests and still fucking fails at doing any new, innovative and working tech!
I am not at the tech level you are, but did you see the article in Wired about the guy who found the MASSIVE hole in DNS? They have it shored up, but are still trying to figure out how to fully fix it.
What are they thinking?

You have to make commercial software to be allowed to F! U! like that...
Here's the thing about tests and Cowboys. Remember that western where the town was being run by outlaw cowboys and then the marshals showed up? Remember how the outlaw cowboys decided to instantly change their ways and work for the betterment of the town-folk?

Yeah.

(so with your sentiment though)