PHP Classes

Another Serious Security Bug on PHP 5.3.9

Subject:Another Serious Security Bug on PHP...
Summary:suhosin addressed bugs should be reviewed and fixed in the core
Messages:4
Author:Alexander Maassen
Date:2012-02-03 11:11:23
Update:2012-02-04 02:12:45
 

  1. Another Serious Security Bug on PHP...
Alexander Maassen - 2012-02-03 14:23:31
I can feel you regarding your off-topic comments regarding why core developers step up and leave the project. So much about that.
But let's get back to the topic. The existence of suhosin itself addresses the ignorance of the current team. They've been told about issues for many years, PHP is used by a large userbase on the net, and they have to install an addon/plugin/whatever because the devs won't fix known issues.

Especially in this age, security and reliability are key. Period.

So, instead of extending PHP with features, maybe it's time to put them on a pile of todo and fix issues first before introducing these new features, or the community might start to turn their backs on PHP and switch to a language that does not have these issues.

  2. Re: Another Serious Security Bug on PHP...
Manuel Lemos - 2012-02-03 19:10:39 - In reply to message 1 from Alexander Maassen
Right, but the problem with PHP core is that they do not reckon that the security bugs are more important than the issues caused by the methods to fix them.

For instance, it is claimed that Suhosin may cause PHP to lose 10% of performance. It seems that some core developers do not consider better security more important than any performance loss.

  3. Re: Another Serious Security Bug on PHP...
Alexander Maassen - 2012-02-04 00:49:02 - In reply to message 2 from Manuel Lemos
Heh, maybe the 10% performance loss is caused because everything has to be filtered using an additional plugin? Just my 2 cents :)

  4. Re: Another Serious Security Bug on PHP...
Manuel Lemos - 2012-02-04 02:12:45 - In reply to message 3 from Alexander Maassen
Actually it seems to be only when you have memory canary options set. These seem to be to verify if memory allocated by PHP is being used beyond the allocated space due to eventual PHP bugs or security exploit attempts.

These would not be necessary if there are no memory usage bugs, but we never know that because there are no bug free programs.