Hisashi T Fujinaka wrote:
> On Fri, 4 Nov 2005, Jaromir Dolecek wrote:
>> On Fri, Nov 04, 2005 at 06:46:02AM -0800, Hisashi T Fujinaka wrote:
>>> I did a make update and my php sites are broken (not including scripts
>>> from ./ path, apparently) on -current with php-4.4.1nb1. You might want
>>> to try "gallery" or the svn version of "wordpress" (which are the apps
>>> that break on my system.)
>>
>> Can you run php -i and tell what's the value of include_path ?
>>
>> It's ".:/usr/pkg/lib/php" on my system - that is the default, I don't
>> set it in php.ini.
> 
> include_path => .:/usr/pkg/lib/php/includes => .:/usr/pkg/lib/php/includes
> 
> But for some reason, it doesn't seem to work correctly on my system.

After (finally) restoring my Internet connection, I've been able to do
some research on these two problems.  For the incomplete output, I found
an open bug on the PHP site:  <http://bugs.php.net/bug.php?id=35096>.
The short answer is to turn off output_buffering in php.ini

For the other, I found many notes on the web supporting the behavior
we're seeing; this is apparently a new PHP bug that's affecting gallery,
wordpress, drupal, and other PHP software.  I didn't see any solutions
for it, though, other than several people mentioning they reverted to
4.4.0.  I didn't want to go back to a version with known
vulnerabilities, though, so I went to 5.0.5.  As it turns out, 5.0.5 has
a known vulnerability that looks pretty serious, but there's a patch at
hardened-php.net that claims to fix it.  After a bit of hacking, I got
this patch to apply in pkgsrc and am now running that version on my
site.  All previous problems are fixed.

What do others think about adding the "hardening" patch to the pkgsrc
PHP?  I didn't manage to get it to apply very cleanly, but it looks like
somebody more familiar with the infrastructure wouldn't have a lot of
trouble.

Chris