[Mapserver-users] PHP 4.3.0 security issues
Paul Spencer
spencer at dmsolutions.ca
Fri Feb 21 08:18:18 EST 2003
Thorsten, the bug is in PHP 4.3.0 and is fixed in PHP 4.3.1, this was
mentioned by Daniel Morissette on 17 Feb
(http://mapserver.gis.umn.edu/data2/wilma/mapserver-users/0302/msg00420.html)
And please be aware that there is a bug in PHP 4.3.0 and PHP 4.3.1 that
appears to corrupt the value of PHP_SELF. A great many applications
rely on this value so upgrading to PHP 4.3.0 or PHP 4.3.1 will likely
break your application. There has been at least one suggestion of a
work-around for this problem on the mailing list.
http://mapserver.gis.umn.edu/data2/wilma/mapserver-users/0302/msg00540.html
And I believe that the bug is fixed in the latest CVS version of PHP as
per http://bugs.php.net/bug.php?id=21261
Cheers,
Paul
Thorsten Fischer wrote:
> I have no idea how closely you guys usually follow these things, but I
> havent seen it mentioned on the list even though it's already 10 days
> old, so I just post it here to annoy you if you already know it.
>
> There is a bug in PHP 4.3.1 that renders the --enable-force-cgi-redirect
> compile-time option useless. Everyone running the developer version of
> PHP MapScript should patch their PHP installation. MapScript 3.7
> requires PHP 4.3.0, and it requires it running as a CGI.
>
>
> More info:
>
> http://www.php.net/release_4_3_1.php
>
>
>
> hth,
>
> thorsten
>
--
Paul Spencer
Applications and Software Development
DM Solutions Group Inc.
http://www.dmsolutions.ca
More information about the mapserver-users
mailing list