Bug 39952

Comment 1 Tim Yamin (RETIRED) 2004-01-31 07:05:27 UTC

Patch from CVS: http://chora.php.net/diff.php/php-src/sapi/apache2handler/sapi_apache2.c?login=2&r1=1.1.2.25&r2=1.1.2.26&ty=u

Comment 2 Tim Yamin (RETIRED) 2004-01-31 07:24:19 UTC

I forgot to add that we also have http://chora.php.net/diff.php/php-src/sapi/apache/mod_php5.c?login=2&r1=1.7&r2=1.8&ty=u for Apache 1.x.

Comment 3 Stuart Herbert (RETIRED) 2004-01-31 13:36:54 UTC

Yuk.  Working on new ebuilds now.

Stu

Comment 4 Tim Yamin (RETIRED) 2004-01-31 13:54:05 UTC

GLSA: http://dev.gentoo.org/~plasmaroo/glsa-test/frame-view.php?id=f965592d37edc1c43fa7152d3ed60d87

Comment 5 Stuart Herbert (RETIRED) 2004-01-31 14:41:56 UTC

Okay, a patch for apache1 and apache2 has been committed.  mod_php-4.3.4-r3 has been marked as ~arch until robbat2 has had a chance to look at it.

I'm happy with this on apache2.  Someone needs to test this on apache1.  I don't have a machine I can downgrade to apache1 for testing this.

Stu

Comment 6 Stuart Herbert (RETIRED) 2004-01-31 15:02:08 UTC

Of course, it helps if I patch *all* the occurances of this problem that plasmaroo found ... ;-)

New patch committed to CVS.

Comment 7 solar (RETIRED) 2004-01-31 15:05:20 UTC

Do we set register globals on or off by default?

Comment 8 Tim Yamin (RETIRED) 2004-01-31 15:08:17 UTC

Thanks Stuart - now over to the Ned-or-Rajiv-or-Somebody-please-approve-this-GLSA department.

Comment 9 Tim Yamin (RETIRED) 2004-01-31 15:09:57 UTC

23:09 <@Stuart> plasmaroo: it should ship with 'register globals' set to off

Comment 10 solar (RETIRED) 2004-01-31 18:29:57 UTC

plasmaroo,
Can you please note in the Impact of the GLSA that Gentoo ships/builds php with register globals off.

Comment 11 Robin Johnson 2004-01-31 23:55:13 UTC

stuart: all looks ok, go ahead and move it to x86.

Comment 12 Tim Yamin (RETIRED) 2004-02-08 03:03:05 UTC

GLSA 200402-01 was sent out, so this can be closed.