Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57622
Return-Path: <derick@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 42102 invoked from network); 2 Feb 2012 16:30:28 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2012 16:30:28 -0000
Authentication-Results: pb1.pair.com smtp.mail=derick@php.net; spf=unknown; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=derick@php.net; sender-id=unknown
Received-SPF: unknown (pb1.pair.com: domain php.net does not designate 82.113.146.227 as permitted sender)
X-PHP-List-Original-Sender: derick@php.net
X-Host-Fingerprint: 82.113.146.227 xdebug.org Linux 2.6
Received: from [82.113.146.227] ([82.113.146.227:59358] helo=xdebug.org)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 11/A5-04454-32ABA2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 11:30:28 -0500
Received: from localhost (xdebug.org [127.0.0.1])
	by xdebug.org (Postfix) with ESMTPS id 16664DE143;
	Thu,  2 Feb 2012 16:30:22 +0000 (GMT)
Date: Thu, 2 Feb 2012 16:30:21 +0000 (GMT)
X-X-Sender: derick@whisky.home.derickrethans.nl
To: Stefan Esser <stefan@nopiracy.de>
cc: Pierre Joye <pierre.php@gmail.com>, 
    PHP internals <internals@lists.php.net>
In-Reply-To: <A53679E3-53ED-423C-AC4C-E9C4A8631C20@nopiracy.de>
Message-ID: <alpine.DEB.2.02.1202021628341.20012@whisky.home.derickrethans.nl>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de>
 <CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com> <A53679E3-53ED-423C-AC4C-E9C4A8631C20@nopiracy.de>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5
 builds
From: derick@php.net (Derick Rethans)

On Thu, 2 Feb 2012, Stefan Esser wrote:

> Sorry it makes no difference if a feature was introduced into PHP by 
> taking code from Suhosin or from someone else. Fact is the feature 
> existed before in Suhosin.
> 
> * GLOBALS overwrite protection
> * max_file_uploads
> * max_input_vars
> * crypt() blowfish
> * max_input_nesting_level
> * Superglobals overwrite protection in explode()/import_request_vars()
> * safe unlink in Zend memory manager
> * http response splitting protection against \n
> * http response splitting protection against \r <--- broken attempt to support this in PHP 5.4

What is broken, and where is a possible patch?

> * and most probably many more that I do not know from the top of my 
> head (this are already 9 features and Suhosin/HPHP exists since 2004 = 
> 8 years).

Lots of stuff in PHP was also "stolen" from Xdebug, but I am not whining  
about that as the goal is (and has always been) to make PHP better.

> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
> 
> Yes it is one of the features that is in Suhosin for a long time -> 
> anyway that security fix is completely broken and noone cares about 
> it.

I'm sure we'd be more than happy to hear why it's broken and hear about 
possible suggested fixes.

cheers,
Derick

-- 
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug