http://bugs.php.net/bug.php?id=25753
http://chora.php.net/cvs.php/php-src/sapi/apache2handler/sapi_apache2.c?login=2&onb=1.1.2
Patch from CVS: http://chora.php.net/diff.php/php-src/sapi/apache2handler/sapi_apache2.c?login=2&r1=1.1.2.25&r2=1.1.2.26&ty=u
I forgot to add that we also have http://chora.php.net/diff.php/php-src/sapi/apache/mod_php5.c?login=2&r1=1.7&r2=1.8&ty=u for Apache 1.x.
Yuk. Working on new ebuilds now. Stu
GLSA: http://dev.gentoo.org/~plasmaroo/glsa-test/frame-view.php?id=f965592d37edc1c43fa7152d3ed60d87
Okay, a patch for apache1 and apache2 has been committed. mod_php-4.3.4-r3 has been marked as ~arch until robbat2 has had a chance to look at it. I'm happy with this on apache2. Someone needs to test this on apache1. I don't have a machine I can downgrade to apache1 for testing this. Stu
Of course, it helps if I patch *all* the occurrences of this problem that plasmaroo found ... ;-) New patch committed to CVS.
Do we set register globals on or off by default?
Thanks Stuart - now over to the Ned-or-Rajiv-or-Somebody-please-approve-this-GLSA department.
23:09 <@Stuart> plasmaroo: it should ship with 'register globals' set to off
plasmaroo, can you please note in the Impact of the GLSA that Gentoo ships/builds php with register globals off.
stuart: all looks ok, go ahead and move it to x86.
GLSA 200402-01 was sent out, so this can be closed.