httpd-test-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: Fwd: cvs commit: httpd-test/perl-framework/t/htdocs/security CAN-2004-0958.php
Date Tue, 23 Nov 2004 18:55:16 GMT
At 12:25 PM 11/23/2004, Cliff Woolley wrote:
>On Tue, 23 Nov 2004, Joe Orton wrote:
>> Discussion of whether or not it's useful to have PHP tests in httpd-test
>> can take place on test-dev@, please send your comments there and I'll
>> follow up.
>I actually think it's useful to have php tests in our suite, because
>having a large number of tests for a module as big as php helps to flush
>out bugs in httpd (and maybe apr).  That would be even more the case if
>php's sapi module for httpd 2.x that worked as a filter were in a
>reasonable state...

I totally agree that regression testing is terrific.  We gain a lot
knowing when our patches might break php.

What I questioned was why we were doing the security validation 
of PHP when it's outside the scope of httpd, or isn't due to some
interaction with httpd.

I also questioned shoving scary security/CAN-2004-xxxx.t failures
at our users.  FIRST this should never have been in security/ -
it should have been a php/ test.  Again, this is not our security
incident within httpd.

Second, whenever we fail any CAN-2004-xxxx.t we must direct the
user to some patch where they can remedy the situation.  I'm sort
of laughing that I spent 4 hours yesterday researching two vulns
that many other engineers had spent 4 hours researching.  The
laughable thing - show me on where they call out any
patches for 4.3.x to these two incidents?

It's akin to screaming FIRE in a crowded theater, when the doors
are locked.  Open up the doors first, then scream.

Oh, just an aside, answering "upgrade n-1.x to the latest n.0
release" is no answer to a security incident.  Didn't we just
listen to a preso in Vegas decrying how 5.0 isn't 4.3?
