Newsgroups: php.internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: derick@php.net (Derick Rethans)
Date: Thu, 2 Feb 2012 16:30:21 +0000 (GMT)
To: Stefan Esser
Cc: Pierre Joye, PHP internals

On Thu, 2 Feb 2012, Stefan Esser wrote:

> Sorry it makes no difference if a feature was introduced into PHP by
> taking code from Suhosin or from someone else. Fact is the feature
> existed before in Suhosin.
>
> * GLOBALS overwrite protection
> * max_file_uploads
> * max_input_vars
> * crypt() blowfish
> * max_input_nesting_level
> * Superglobals overwrite protection in explode()/import_request_vars()
> * safe unlink in Zend memory manager
> * http response splitting protection against \n
> * http response splitting protection against \r <--- broken attempt to support this in PHP 5.4

What is broken, and where is a possible patch?

> * and most probably many more that I do not know from the top of my
> head (these are already 9 features and Suhosin/HPHP exists since 2004 =
> 8 years).

Lots of stuff in PHP was also "stolen" from Xdebug, but I am not whining about that as the goal is (and has always been) to make PHP better.

> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
>
> Yes it is one of the features that is in Suhosin for a long time ->
> anyway that security fix is completely broken and no one cares about
> it.

I'm sure we'd be more than happy to hear why it's broken and hear about possible suggested fixes.

cheers,
Derick

-- 
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
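The thread above contrasts "response splitting protection against \n" with a separate protection against \r. The following is an added illustration, not code from PHP's main/SAPI.c or from Suhosin, of why the distinction matters: a header-value check that only rejects a line feed still passes a value containing a bare carriage return, which some HTTP parsers also treat as a line terminator. The function names and the sample header values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Incomplete variant (hypothetical, for contrast): only a '\n' in the
 * value is rejected, so "a\rb" slips through. */
bool header_value_ok_lf_only(const char *value)
{
    return strchr(value, '\n') == NULL;
}

/* Complete check: any '\r' or '\n' anywhere in the value is rejected.
 * strcspn() returns the index of the first CR/LF, or strlen(value) if
 * there is none, so the character at that index is NUL only when the
 * value is clean. */
bool header_value_ok(const char *value)
{
    return value[strcspn(value, "\r\n")] == '\0';
}

/* A header name must be non-empty and must not contain CR, LF, ':' or
 * whitespace, otherwise a name could end the line or start a new field. */
bool header_name_ok(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && strcspn(name, "\r\n: \t") == len;
}

/* Builds "Name: value\r\n" into out. Returns the number of bytes written,
 * or -1 if either part fails validation or the buffer is too small. */
int build_header_line(const char *name, const char *value,
                      char *out, size_t outlen)
{
    if (!header_name_ok(name) || !header_value_ok(value)) {
        return -1;
    }
    int n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

int main(void)
{
    /* Constructed sample values: one clean, three with embedded
     * line terminators of different kinds. */
    const char *samples[] = {
        "text/html; charset=utf-8",
        "text/html\r\nX-Injected: 1",
        "text/html\nX-Injected: 1",
        "text/html\rX-Injected: 1",
    };
    char line[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_header_line("Content-Type", samples[i], line, sizeof line);
        printf("sample %zu: lf-only=%d cr+lf=%d build=%d\n", i,
               header_value_ok_lf_only(samples[i]),
               header_value_ok(samples[i]), n);
    }
    return 0;
}
```

Running the block prints that sample 3 (the bare "\r" case) is accepted by the LF-only check but rejected by the CR+LF check, which is exactly the gap the list item about "\r" points at. The builder refuses to emit any header whose name or value fails validation rather than trying to strip the offending bytes, so a caller gets a clear error instead of a silently altered header.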