PHP Classes

suhosin optional

Subject:suhosin optional
Summary:Give the user ultimate decision
Messages:2
Author:Christian Sager
Date:2012-02-06 18:53:44
Update:2012-02-06 21:07:03
 

  1. suhosin optional
Christian Sager - 2012-02-06 20:54:16
I would like to see Suhosin optional by a php.ini option. In this way a webmaster can evaluate the risk and benefits.

I strongly encourage the core PHP team to give more attention to security issues, especially addressing long-known problems.

Clearly, adding security fixes is dicey, as the current example shows. To me the strategy should be to provide security improvements as an option if a measure cannot be agreed upon unanimously.

  2. Re: suhosin optional
Manuel Lemos - 2012-02-06 21:07:03 - In reply to message 1 from Christian Sager
Well, Suhosin is already an extension that you can control via php.ini; it just does not come built into PHP.

It seems the PHP core team and Stefan Esser have fundamental differences of opinion on what is acceptable to include in a security extension like this, so it is unlikely that Suhosin will ever be integrated in the PHP core.