Comment 2 for bug 919451

Joerie de Gram (jdegram) wrote:

Below is the full disclosure timeline, up until now:

Jan 17, 2012: Eindbazen informs <email address hidden> about the vulnerability
Jan 20, 2012: Eindbazen informs Ubuntu about the vulnerability
Feb 1, 2012: Eindbazen again informs <email address hidden> about the vulnerability and provides a workaround
Feb 1, 2012: PHP confirms the issue and states that it does not know how to patch
Feb 6, 2012: Eindbazen again provides suggested workaround
Feb 19, 2012: Eindbazen informs CERT/CC about the vulnerability because of lack of action from PHP

The aforementioned workaround has been attached to this comment. As upstream stated on Feb 1st, command arguments to php-cgi can originate from various sources (e.g. fcgi config, a script's shebang or an HTTP request), which makes the issue difficult to fix.

As such, the supplied workaround resolves the issue, but as a result breaks e.g. arguments originating from shebangs. We too are unsure how to properly fix this issue.

For reference, the commit which introduced the vulnerability: http://svn.php.net/viewvc?view=revision&revision=152585