Re: Bug#402010: How to deal with #402010?

To: debian-devel@lists.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
From: Roland Mas <lolando@debian.org>
Date: Sun, 06 Apr 2008 17:32:39 +0200
Message-id: <[🔎] 87ve2v80dk.fsf@mirexpress.internal.placard.fr.eu.org>
In-reply-to: <[🔎] 200804051159.34809.seanius@debian.org> (sean finney's message of "Sat\, 5 Apr 2008 11\:59\:31 +0200")
References: <[🔎] 200804040918.37732.cajus@naasa.net> <[🔎] 200804051107.41432.seanius@seanius.net> <[🔎] 9F5A8EFB-E5F3-461D-9B99-F9E717937FEC@naasa.net> <[🔎] 200804051159.34809.seanius@debian.org>

sean finney, 2008-04-05 11:59:31 +0200 :

[...]

>> RequestHeader set FooPassword very-secret-credentials
>
> i suspect php users will still be able to find that out, in the same
> way that they can read ssl private keys from the webserver's memory
> (you *did* know they can do that, right? :)

Erm, no, I didn't.  Is that supposed to happen (by design), or is it
just a bug in the PHP interpreter?  It sounds like a severe security
problem...

Roland.
-- 
Roland Mas

Au royaume des aveugles, il y a des borgnes à ne pas dépasser.
  -- in Soeur Marie-Thérèse des Batignoles (Maëster)

Reply to:

Follow-Ups:
- Re: Bug#402010: How to deal with #402010?
  - From: sean finney <seanius@debian.org>
- Re: Bug#402010: How to deal with #402010?
  - From: Matthew Johnson <mjj29@debian.org>

References:
- How to deal with #402010?
  - From: Cajus Pollmeier <cajus@naasa.net>
- Re: Bug#402010: How to deal with #402010?
  - From: sean finney <seanius@seanius.net>
- Re: Bug#402010: How to deal with #402010?
  - From: Cajus Pollmeier <cajus@naasa.net>
- Re: Bug#402010: How to deal with #402010?
  - From: sean finney <seanius@debian.org>

Prev by Date: Re: Should -dev packages providing .pc files depend on pkg-config?
Next by Date: Bug#474602: ITP: nikto -- web server security scanner
Previous by thread: Re: Bug#402010: How to deal with #402010?
Next by thread: Re: Bug#402010: How to deal with #402010?
Index(es):
- Date
- Thread