Re: [VOTE] Multibyte char handling - Remove vulnerability related to multibyte short and long term

Date: Thu, 20 Feb 2014 10:43:31 +0000
Groups: php.internals
Hi all,

On Mon, Feb 10, 2014 at 12:56 PM, Yasuo Ohgaki <[email protected]> wrote:

>
> Short term: Multibyte Char Handling
> https://wiki.php.net/rfc/multibyte_char_handling
> Add functions required to resolve security issues. CVE-2014-1239
>

https://wiki.php.net/rfc/multibyte_char_handling#vote

Vote is declined, 2 vs 10.


>
> Long term: Alternative implementation of mbstring using ICU
> https://wiki.php.net/rfc/altmbstring
> We need the multibyte feature as default. However, current mbstring has
> license issues. Resolve the license issues with an alternative mbstring in
> the future. Introduce mbstring-ng as an EXPERIMENTAL module for further
> development, testing, and feedback from users.
>

Vote is declined, 1 vs 10.

Thank you all for voting!

I do not care much about the long term solution, but about the short term solution.

It seems there is a misunderstanding of how vulnerabilities should be
evaluated by developers. If one is the developer of a product, a vulnerability
should be evaluated only by *consequence*, not by probability, number of
affected users, etc.

One should not evaluate his/her product's vulnerability as a user. If the user
is not affected, no vulnerability is important, even one that executes
arbitrary code. This is a bug that may allow attackers to execute their code.
The consequence is fatal. I hope everyone follows this vulnerability
evaluation principle next time. I'm sure this is good for us ;)

Regards,

--
Yasuo Ohgaki
[email protected]

