PHP Security Update

Published: 2006-08-23
Last Updated: 2006-08-23 16:25:53 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
In response to yesterday's tip of the day on PHP security, a number of readers wrote in to point to the minutes of a PHP developer meeting, discussing upcoming changes in PHP 6. Now PHP 6 may seem far away. But you can't start early enough to think about how to make sure project work well with it.

From a first read, I am not quite happy with the security related changes. But the document is brief and may not explain all the details. So here a few of the security related highlights.
  • Dealing with Unicode. Not directly security related. But this could affect some validation functions. Overall there appears to be a global switch covering how to deal with unicode.
  • register_globals is going to go away (Finally ;-) ). This option, which "way back" used to be the default, has been one of the big problems in the past.
  • magic_quotes is going to go away. Not sure if I like this. 'magic_quotes' has been an issue for developers who had no control over the php configuration (e.g. shared hosting) and had to cover both cases (quotes on/off). But it has been a valuable safety net for others.
  • safe_mode feature is going to be removed. Another questionable choice IMHO. The feature had problems in the past, but then again, I would rather see them fixed then have them go away.
  • the SOAP extension will support more security options. But it will also be turned on by default.
  • the "Hardened PHP patch" will be included (at least pieces of it. Nice!).
  • looks like there will be no 'taint' mode, but there may be 'sandboxing'. The notes are a bit brief on this.
  • No more '<%'. This could be an issue if your PHP code is using '<%' and will now no longer be parsed, but instead the source code will be visible.
So thats the quick summary of the (already quite brief) document. For a more detailed discussion you will likely have to check the PHP developer mailing lists. I am not that familiar with PHP politics, so I am not sure how flexible these changes are. There are PHP 6.0 development snapshots available at this point. But at least to me, PHP 5 is still quite new ;-). PHP has had a good history of supporting older versions, so there is no reason to panic quite yet.

For the full document, see Minutes PHP Devlopers Meeting.
0 comment(s)


Diary Archives