From 72a66c19c3761a3abed326266571052b4a8fd755 Mon Sep 17 00:00:00 2001 From: cjbj Date: Thu, 3 May 2012 11:41:13 -0700 Subject: [PATCH] Clarify "this" means "CGI" --- archive/entries/2012-05-03-1.xml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/archive/entries/2012-05-03-1.xml b/archive/entries/2012-05-03-1.xml index 57681d6e25..8ca5b6559c 100644 --- a/archive/entries/2012-05-03-1.xml +++ b/archive/entries/2012-05-03-1.xml @@ -16,7 +16,7 @@ 7 of the CGI spec states:

- Some systems support a method for supplying a array of strings to the + Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters. @@ -36,13 +36,9 @@ if you are just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

-

Making a bad week worse, we had a bug in our bug system that toggled the - private flag of a bug report to public on a comment to the bug report - causing this issue to go public before we had time to test solutions to - the level we would like.

+

To fix this update to PHP 5.3.12 or PHP 5.4.2.

-

To fix this update to PHP 5.3.12 or PHP 5.4.2. We recognize that since - this is a rather outdated way to run PHP it may not be feasible to +

We recognize that since CGI is a rather outdated way to run PHP it may not be feasible to upgrade these sites to a modern version of PHP, so an alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a @@ -57,10 +53,17 @@

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.

+

Making a bad week worse, we had a bug in our bug system that toggled the + private flag of a bug report to public on a comment to the bug report + causing this issue to go public before we had time to test solutions to + the level we would like. Please report any issues via bugs.php.net.

+

For source downloads of PHP 5.3.12 and PHP 5.4.2 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. A ChangeLog exists.

+ +