Stefan Esser of hardened-php.net discovered a simple but potentially serious flaw in the Yawp 1.0.6 release of February 2005. Version 1.1.0 has been released to correct it. All users of Yawp and YaWiki are strongly encouraged to upgrade immediately.
The change notes for the release are:
* BACKWARDS COMPATIBILITY BREAK: Removed the $GLOBALS['_Yawp']['conf_path'] variable, as it can be the source of serious security problems when register_globals is turned on in combination with other circumstances. In its place, use define('YAWP_CONF_PATH', '/path/to/Yawp.conf.php') to set up a custom configuration file location.
* Added htmlspecialchars() to the trigger_error() messages generated when the configuration file cannot be read or found.
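The two change notes above, shown side by side as an added illustration (this is not Yawp's own code). The function names yawp_load_conf_old() and yawp_load_conf_new() are hypothetical stand-ins for whatever Yawp actually does with its configuration path, and the file paths are placeholders. With register_globals turned on, PHP registers request parameters as global variables, so a global array such as $_Yawp can be populated from the request rather than only by the application's own bootstrap code; a path read out of $GLOBALS therefore trusts data the application did not necessarily set itself. A constant set with define() has no such request-side counterpart and cannot be redefined once set, which is why 1.1.0 switches to it.

```php
<?php
// Added illustration of the 1.1.0 changes; not Yawp's own code.
// yawp_load_conf_old()/yawp_load_conf_new() and the paths are assumptions.

// --- 1.0.6 style: the config path is read from a global array ---
// With register_globals=On, $GLOBALS['_Yawp'] may reflect request data,
// so the include below can end up using a path the site never configured.
function yawp_load_conf_old()
{
    $path = isset($GLOBALS['_Yawp']['conf_path'])
        ? $GLOBALS['_Yawp']['conf_path']
        : dirname(__FILE__) . '/Yawp.conf.php';

    if (! is_readable($path)) {
        // Unescaped: the path is written into the HTML error output verbatim.
        trigger_error("Cannot read configuration file $path", E_USER_ERROR);
    }
    return include $path;
}

// --- 1.1.0 style: the config path is a constant ---
// define() can only be called from code, never populated from a request,
// and a defined constant cannot be overwritten later in the same script.
function yawp_load_conf_new()
{
    $path = defined('YAWP_CONF_PATH')
        ? YAWP_CONF_PATH
        : dirname(__FILE__) . '/Yawp.conf.php';

    if (! is_readable($path)) {
        // The second change note: escape the path before it reaches the
        // browser, so a hostile value cannot inject markup into the error page.
        trigger_error(
            'Cannot read configuration file ' . htmlspecialchars($path),
            E_USER_ERROR
        );
    }
    return include $path;
}

// A site keeping its configuration outside the web root sets the constant
// before loading Yawp, for example in its own front controller:
//   define('YAWP_CONF_PATH', '/path/outside/webroot/Yawp.conf.php');  // placeholder
```

The practical check for an existing 1.0.6 deployment is the same as the release note implies: search the site's bootstrap code for any assignment to $GLOBALS['_Yawp']['conf_path'] and replace it with the define() call, then upgrade, since after 1.1.0 the old variable is simply ignored.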
Regarding ethics: Stefan downloaded Yawp/YaWiki and installed it himself, noticed the flaw, and contacted me privately about it with a full description and list of consequences. Under five hours later, we have a new release. Thanks, Stefan.
Incidentally, this illustrates two related reasons to try to write well-commented straightforward code, adhere to a common coding standard, and write end-user documentation: (1) it becomes much easier for other developers to understand what’s going on and discover flaws, and (2) it becomes much easier to fix and release patched versions quickly.