Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57620
Return-Path: <stefan@nopiracy.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 37370 invoked from network); 2 Feb 2012 16:10:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2012 16:10:37 -0000
Authentication-Results: pb1.pair.com smtp.mail=stefan@nopiracy.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=stefan@nopiracy.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nopiracy.de from 81.169.146.161 cause and error)
X-PHP-List-Original-Sender: stefan@nopiracy.de
X-Host-Fingerprint: 81.169.146.161 mo-p00-ob.rzone.de Solaris 10 (beta)
Received: from [81.169.146.161] ([81.169.146.161:19977] helo=mo-p00-ob.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 2E/84-04454-C75BA2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 11:10:37 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1328199032; l=3175;
	s=domk; d=nopiracy.de;
	h=To:References:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:
	Content-Type:Mime-Version:Subject:X-RZG-CLASS-ID:X-RZG-AUTH;
	bh=RH/xS6YxjR+NHoZ2BRwx1LT3Kqk=;
	b=WrEmpInl5fciiVFb45nZYdBQ+VlbUK3lvbHPfzJJ3L6L8DzxfzG0pWlGIgGd6kc/JM8
	KmjMCuKFVsfxPOQ2Rw4t3miQXmqD35T1ZCJZUUSSypZVjn1kOhrLHWzCURRIqGS0IU865
	++JIh7H2L6VDWjv9ULgdUGVdwM7sY5gXYYI=
X-RZG-AUTH: :OH4FY0Wkd/plSHgwfKFIgHoVYx5SSathkA9OvI+ii+JXGfvQUzm/Ahii7iullNGyVg==
X-RZG-CLASS-ID: mo00
Received: from [10.23.17.42] (cable-78-34-71-151.netcologne.de [78.34.71.151])
	by smtp.strato.de (klopstock mo58) (RZmta 27.6 DYNA|AUTH)
	with (AES128-SHA encrypted) ESMTPA id p01be7o12Ep88F ;
	Thu, 2 Feb 2012 17:10:29 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=iso-8859-1
In-Reply-To: <CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com>
Date: Thu, 2 Feb 2012 17:10:29 +0100
Cc: PHP internals <internals@lists.php.net>
Content-Transfer-Encoding: quoted-printable
Message-ID: <A53679E3-53ED-423C-AC4C-E9C4A8631C20@nopiracy.de>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de> <CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: stefan@nopiracy.de (Stefan Esser)

Hello Pierre,

> For one, some were not not ported but features were implemented, with
> the support of their original authors. They are not related to
> Suhosin, like the Blowfish support, which I ported to php with the
> help of Solar Designer. Suhosin uses the same implementation.

Sorry it makes no difference if a feature was introduced into PHP by =
taking code from Suhosin or from someone else. Fact is the feature =
existed before in Suhosin.

* GLOBALS overwrite protection
* max_file_uploads
* max_input_vars
* crypt() blowfish
* max_input_nesting_level
* Superglobals overwrite protection in explode()/import_request_vars()
* safe unlink in Zend memory manager
* http response splitting protection against \n
* http response splitting protection against \r <--- broken attempt to =
support this in PHP 5.4

* and most probably many more that I do not know from the top of my head =
(this are already 9 features and Suhosin/HPHP exists since 2004 =3D 8 =
years).

> I understand why you left the security team and the php project years
> ago. Back then I was not on the security team, so I won't comment this
> period (and I would have partially agreed with you). However, I am

Suhosin/HPHP existed 3 years before I left the security team. So the =
creation of it had nothing todo with me leaving the team.

> Many features are making their way to PHP as well, on a case by case
> basis. We have changed and we are on the right track since quite some
> time already. If you have features that you consider that it must be
> in the core, then let discuss it, on this list. But so far I failed to
> see other features in Suhosin that we need to implement without having
> more cons than pros.

The fact is the PHP developers NEVER saw other features they needed to =
implement and then some external people disclosed some PHP bug and as a =
result one of the Suhosin features were cloned.

The thing is: I see no problem with the status quo - Suhosin exists and =
people can use it - it is like people can choose if they want ASLR, NX, =
Fortify Source on their system.
I do not have the time or wish to convince the PHP developers to add =
some features that most probably after some time will be =
copied/clones/reimplemented anyway.
The only problem I see is that some PHP developers negate the fact that =
Suhosin increases security of PHP (which was proven again and again for =
8 years, why else clone features) and recommend people to stay away from =
it: This is malicious.

And yes I like the Suhosin codebase separate, because if there is a bug =
I can smack the responsible person (myself) over the head bigtime.
If Suhosin merges with PHP a lot of patches will go into the code and =
the work to keep track with every commit that touches some Suhosin =
feature will explode.

Just look at security patches like this:

=
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=3D31=
7225&r2=3D318997

Yes it is one of the features that is in Suhosin for a long time -> =
anyway that security fix is completely broken and noone cares about it.

Regards,
Stefan Esser=