Date: Sat, 26 Dec 2009 04:39:53 -0800 From: Jeremy Chadwick <freebsd@jdc.parodius.com> To: freebsd-stable@freebsd.org Subject: Re: php5-5.2.11_1 Vulnerabilities Message-ID: <20091226123953.GA8864@icarus.home.lan> In-Reply-To: <4B35FC4C.7050100@unsane.co.uk> References: <4B344459.4020202@ellicit.org> <a78074950912242130w513306d7jadd16da59cc1009c@mail.gmail.com> <4B35FC4C.7050100@unsane.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Dec 26, 2009 at 12:06:36PM +0000, Vincent Hoffman wrote: > Xin LI wrote: > > I think ale@ has posted a patch to update it to PHP 5.3.1 which is not > > vulnerable. Is it an option for you? > > > > http://www.alexdupre.com/php53.diff > > > We've found 5.3 is different enough from 5.2 at work that a number of > customers have needed downgrading again after upgrading. (We're a linux > shop but same theory applies) a particular gotcha was the removal of the > mhash module which is used by plenty of shopping cart code, (its now > emulated by the built in hash stuff, but php configure needs the > --with-mhash flag. And because its emulated it cant be built as a > module.) Test throughly if your thinking of moving to php5.3. > However as yet various stuff thats in the php5.2.11 port isnt > available or has changed a bit for 5.2.12. for example the Suhosin > hardening patch isnt available for 5.2.12 yet (People taking time off > for the holidays I'd guess ;) People said the exact same thing about PHP 4 --> PHP 5. "Oh crap, don't upgrade, it'll break all kinds of stuff!" In that case, it was the migration to $_GET, $_POST, and $_COOKIE with register_globals being disabled by default. There were other changes which stomped on people as well. Then there was an OO change between minor versions of PHP 5 where code that was previously allowed now started throwing "Cannot access empty property" errors. This was because $this->$var (where $var is a variable defined within the class itself) should have been $this->var, but PHP let people get away with it... until that update. Have you taken the time to investigate the major changes in PHP 6[1]? The major ones which are going to bite you are below. The latter two probably won't hurt that many, but the first two will. - Removal of magic_quotes - Removal of ereg(), eregi(), ereg_replace(), and ereg_replacei() - Removal of register_long_arrays - Removal of register_globals Let's not forget the huge battle that ensued amongst PHP devteam folks, as well as between devs and users, when it came to what the namespace separator string should be. They ultimately agreed upon "::", which is what every other language uses, but did you know that the initial implementation, which is what sparked the argument, was to use "\"? Check out some of the other proposals[2], including ":)" (yes really). PHP is a horrible language. You're screwed no matter which way you go with it -- if you stay with an old version you're likely susceptible to security holes, while if you upgrade to a new version you're susceptible to breakage because the core language was never truly engineered -- just a bunch of monkeys banging on pots. I say this as both someone who does web hosting and codes in PHP. I often wonder what the point of PHP is given Markup::Perl[3]'s existence. [1]: http://www.ibm.com/developerworks/opensource/library/os-php-future/ [2]: http://wiki.php.net/rfc/namespaceseparator [3]: http://search.cpan.org/~mmathews/Markup-Perl-0.5/lib/Markup/Perl.pm -- | Jeremy Chadwick jdc@parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091226123953.GA8864>