Sunday, November 27. 2005
The Hardened-PHP Project has just released their Hardening-Patch 0.4.6 for PHP.
New features:
- Added protection for the long (HTTP_*_VARS) versions of the superglobals, so that they can no longer be overwritten through HTTP request headers
- Added a validate session identifier hook to the session extension
- Added a session.use_strict_mode flag to the configuration that enables strict handling of the session identifier (enabled by default)
- Added two optional parameters to session_set_save_handler() that let user-space session handlers override session identifier creation and validation
- Added a default session identifier validator that only accepts a limited charset and therefore protects against several attacks carried in the session identifier (e.g. SQL injection in user-space session handlers)
- Added an optional parameter to session_regenerate_id() that allows deletion of the previous session (this is a backport from PHP 5.1.0)
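The validator item above is easiest to appreciate with a user-space save handler in front of you. The following is an added example written for this note, not code from the Hardened-PHP project or the patch itself: a minimal SQLite-backed session store whose read() is shown first with the cookie value interpolated into SQL unchecked, then with the kind of charset check the 0.4.6 default validator performs before the handler is ever called. The table layout, the accepted alphabet (the characters PHP emits with session.hash_bits_per_character=6) and the length bounds are assumptions for the example; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example, not part of the Hardening-Patch: a user-space session
// handler with and without session identifier validation.
declare(strict_types=1);

// Accept only the characters PHP itself uses for session identifiers
// (0-9, a-z, A-Z, comma and minus) within an assumed length range.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
}

// In-memory SQLite store with two constructed sample sessions.
function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO sessions (id, data) VALUES (?, ?)');
    $ins->execute([str_repeat('a', 32), 'user|s:5:"alice";']);
    $ins->execute([str_repeat('b', 32), 'user|s:3:"bob";']);
    return $db;
}

// VULNERABLE: the session cookie value goes straight into the query text,
// so an attacker controls the WHERE clause of a query that returns
// other users' serialized session data.
function read_unsafe(PDO $db, string $id): string
{
    $row = $db->query("SELECT data FROM sessions WHERE id = '$id'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['data'] : '';
}

// HARDENED: reject identifiers outside the allowed charset (what the
// patch's default validator does in the engine), then bind the value so it
// cannot alter the query structure even if validation were bypassed.
function read_safe(PDO $db, string $id): string
{
    if (!is_valid_session_id($id)) {
        return '';   // behaves like "no such session"
    }
    $stmt = $db->prepare('SELECT data FROM sessions WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['data'] : '';
}

// Register the hardened handler the classic six-callback way. Only read()
// does real work here; write()/destroy()/gc() would apply the same
// validate-then-bind pattern to their own statements.
function register_handler(PDO $db): void
{
    session_set_save_handler(
        function (string $path, string $name): bool { return true; },          // open
        function (): bool { return true; },                                    // close
        function (string $id) use ($db): string { return read_safe($db, $id); }, // read
        function (string $id, string $data): bool { return true; },            // write
        function (string $id): bool { return true; },                          // destroy
        function (int $maxlifetime) { return 0; }                              // gc
    );
}

$db = open_store();
register_handler($db);

// Constructed attacker cookie: closes the string literal and matches every
// row, so the unsafe handler hands back the first user's session.
$evil = "x' OR '1'='1";
echo "unsafe read with injected id: ", read_unsafe($db, $evil), PHP_EOL;
echo "safe read with injected id:   ", var_export(read_safe($db, $evil), true), PHP_EOL;
echo "safe read with legitimate id: ", read_safe($db, str_repeat('b', 32)), PHP_EOL;
```

Run it with `php` from the command line: the unsafe read returns alice's serialized session for a cookie that does not name any session at all, while the hardened read returns an empty string for the same input and still resolves a well-formed identifier. The same reasoning applies to file-based handlers, where an unvalidated identifier becomes a path component. Once a user authenticates, the backported `session_regenerate_id(true)` form is the one to call, so that the handler's destroy() callback removes the old identifier's row instead of leaving a second valid identifier behind.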
Bugfixes:
- Added a workaround for a GCC bug that caused crashes on Solaris 10 on SPARC
- Fixed a thread-safety problem that caused the 'linked list canary overwritten' messages when running in a multithreaded SAPI
- Fixed a bug in the logging configuration
Download:
- as a patch against the released PHP tarball
- NEW: as a prepatched tarball