Hello Matthew,
http://cvs.php.net/diff.php/php-src/ext/standard/info.c?r1=1.252&r2=1.253&ty=u
For the change marked "Input Validation Part 2". It uses ENT_QUOTES
escaping as opposed to ENT_NOQUOTES escaping. The lack of escaping on
quotes in entity attributes is the *EXACT* issue my bug report
illustrates.
Unfortunately for you, the CVS commit you quote has nothing todo with
the XSS vulnerability in my advisory.
My advisory covers "Input Validation Part 1" which you can read here
http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3
I hope this is enough to convince you... (because your bug report has
nothing todo with arrays not beeing escaped at all)
Yours,
Stefan Esser
ps: And you do not need to convince me, that you should have credits for
that other bug. And it is a pity that it needed such a long time to fix
it. In the end it is just an XSS in a debugging feature and therefore it
was not taken so serious. You should be happy, that we have started to
even fix vulnerabilities in debugging tools.
--
--------------------------------------------------------------------------
Stefan Esser sesser@php.net
Hardened-PHP Project http://www.hardened-php.net/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
