Newsgroups: php.internals
Date: Thu, 2 Feb 2012 17:10:29 +0100
Cc: PHP internals
To: Pierre Joye
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: stefan@nopiracy.de (Stefan Esser)

Hello Pierre,

> For one, some were not ported but features were implemented, with
> the support of their original authors. They are not related to
> Suhosin, like the Blowfish support, which I ported to php with the
> help of Solar Designer. Suhosin uses the same implementation.

Sorry, it makes no difference if a feature was introduced into PHP by taking code from Suhosin or from someone else. Fact is the feature existed before in Suhosin.

* GLOBALS overwrite protection
* max_file_uploads
* max_input_vars
* crypt() blowfish
* max_input_nesting_level
* Superglobals overwrite protection in explode()/import_request_vars()
* safe unlink in Zend memory manager
* http response splitting protection against \n
* http response splitting protection against \r <--- broken attempt to support this in PHP 5.4
* and most probably many more that I do not know from the top of my head (these are already 9 features and Suhosin/HPHP exists since 2004 = 8 years).

> I understand why you left the security team and the php project years
> ago. Back then I was not on the security team, so I won't comment this
> period (and I would have partially agreed with you). However, I am

Suhosin/HPHP existed 3 years before I left the security team. So the creation of it had nothing to do with me leaving the team.

> Many features are making their way to PHP as well, on a case by case
> basis. We have changed and we are on the right track since quite some
> time already. If you have features that you consider that it must be
> in the core, then let's discuss it, on this list. But so far I failed to
> see other features in Suhosin that we need to implement without having
> more cons than pros.
The fact is the PHP developers NEVER saw other features they needed to implement, and then some external people disclosed some PHP bug and as a result one of the Suhosin features was cloned.

The thing is: I see no problem with the status quo - Suhosin exists and people can use it - it is like people can choose if they want ASLR, NX, Fortify Source on their system. I do not have the time or wish to convince the PHP developers to add some features that most probably after some time will be copied/cloned/reimplemented anyway.

The only problem I see is that some PHP developers negate the fact that Suhosin increases security of PHP (which was proven again and again for 8 years, why else clone features) and recommend people to stay away from it: This is malicious.

And yes, I like the Suhosin codebase separate, because if there is a bug I can smack the responsible person (myself) over the head bigtime. If Suhosin merges with PHP a lot of patches will go into the code and the work to keep track with every commit that touches some Suhosin feature will explode.

Just look at security patches like this:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997

Yes, it is one of the features that is in Suhosin for a long time -> anyway that security fix is completely broken and no one cares about it.

Regards,
Stefan Esser
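Two of the hardening checks in the feature list above (HTTP response splitting protection and the input-nesting/input-variable limits) written out as plain userland PHP. This is an added illustration for this mail archive, not code from Suhosin, from PHP's SAPI.c, or from Stefan Esser; the function names, the exception type and the sample input array are all constructed for the example. The header check rejects a lone "\r" as well as "\n", which is the case the message says PHP 5.4's own fix handled badly.

```php
<?php
// Added illustrative code, not Suhosin's or PHP's own implementation.
// Userland versions of two hardening checks named in the message, so the
// intent of each check is visible without reading C.

/**
 * True if a header name or value contains no line break of any kind.
 * Both "\r" and "\n" are refused, alone or as "\r\n": a bare CR is
 * treated as a line terminator by some clients and proxies, so it must
 * not be allowed through any more than LF.
 */
function header_value_is_safe(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

/**
 * Throwing wrapper to use instead of calling header() directly with
 * request-derived data (e.g. a redirect target built from a parameter).
 */
function send_header(string $name, string $value): void
{
    if (!header_value_is_safe($name) || !header_value_is_safe($value)) {
        throw new InvalidArgumentException('line break in HTTP header rejected');
    }
    header($name . ': ' . $value);
}

/**
 * Depth of array nesting in decoded request input, the quantity that
 * max_input_nesting_level bounds. A scalar has depth 0, a flat array 1.
 */
function input_nesting_depth($input): int
{
    if (!is_array($input)) {
        return 0;
    }
    $deepest = 0;
    foreach ($input as $child) {
        $deepest = max($deepest, input_nesting_depth($child));
    }
    return $deepest + 1;
}

/**
 * Number of leaf values in decoded input, one per name=value pair in the
 * query string, the quantity that max_input_vars bounds.
 */
function input_var_count($input): int
{
    if (!is_array($input)) {
        return 1;
    }
    $count = 0;
    foreach ($input as $child) {
        $count += input_var_count($child);
    }
    return $count;
}

// Constructed sample standing in for $_GET after PHP has parsed
// "a[b][c]=1&a[b][d]=2&e=3" (hypothetical request, not from the page).
$sample = ['a' => ['b' => ['c' => 1, 'd' => 2]], 'e' => 3];

assert(input_nesting_depth($sample) === 3);
assert(input_var_count($sample) === 3);
assert(header_value_is_safe('text/html; charset=utf-8') === true);
assert(header_value_is_safe("text/html\rX-Injected: 1") === false);
assert(header_value_is_safe("text/html\nX-Injected: 1") === false);
```

Enforcing these as userland checks does not replace the engine-level limits; the point of the example is only to make explicit what each listed feature measures, so that a reviewer can tell whether a given core patch covers the same cases (here: CR on its own, not just LF).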