Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
On Mon, Feb 24, 2014 at 10:41 AM, Yasuo Ohgaki <[email protected]> wrote:
> Hi all,
>
> Since this RFC is declined,
>
> https://wiki.php.net/rfc/multibyte_char_handling
>
> We need another short term resolution for it at least.
> Any suggestions?
>
Quoting from another thread:
> I'd like to start off by saying that I disagree with your premise that
> this is a security vulnerability that needs to be fixed quickly and across
> all supported versions. As far as I can see the issue is somebody using
> addslashes() in an inappropriate context - this is a vulnerability in the
> application, not PHP. This is a lot like saying that we have an RCE
> vulnerability in eval() because someone had the genius idea of putting
> eval($_GET['str']) in his or her code.
There is no vulnerability here as far as PHP is concerned. As such there is
no need for a short term resolution.
Nikita
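The distinction drawn above, addslashes() used where the application should be using the database driver's own facilities, as an added PHP illustration (written for this page, not code from the PHP project or from anyone in the thread). It assumes a MySQL/MariaDB server with a `users(name VARCHAR(64))` table; the host, database name and credentials are placeholders.

```php
<?php
// Added example for this thread; not code from php-src or from the quoted message.
// Assumes a local MySQL/MariaDB database "app" with a table users(name VARCHAR(64)).
// Host, user and password below are placeholders.

// Weak form: addslashes() operates on bytes and knows nothing about the
// connection's character set, so it is not a correct SQL escaping function.
// Kept here only to contrast with the two correct forms that follow.
function build_query_with_addslashes(string $name): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($name) . "'";
}

// Correct form 1: a prepared statement. The value is sent separately from the
// SQL text, so no escaping of the value is needed at all.
function find_user_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Correct form 2, for code that must still build SQL text: the driver's own
// escaping function, which is aware of the character set chosen with
// set_charset() on the same connection.
function build_query_with_driver_escape(mysqli $db, string $name): string
{
    return "SELECT * FROM users WHERE name = '"
        . $db->real_escape_string($name) . "'";
}

// Usage with placeholder credentials.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
    ]
);
print_r(find_user_prepared($pdo, "O'Brien"));

$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app');
$db->set_charset('utf8mb4'); // escaping below is tied to this charset
echo build_query_with_driver_escape($db, "O'Brien"), "\n";

// Shown for comparison only; do not use this form.
echo build_query_with_addslashes("O'Brien"), "\n";
```

The first correct form is the one to reach for: with emulated prepares disabled, PDO hands the parameter to the server out of band, so the question of which characters need escaping under which encoding never arises in application code.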