Changelog

Hardening Patch 0.4.14

  • Added a critical fix for the patch against PHP 5.1.x - Remote URL Include Protection was not working. (only 5.1.x affected) Credits: Bart Vanbrabrant
  • Added more upstream security fixes for PHP 4/5
  • Added a fix for a Zend Engine memory corruption
  • Changed the way the memory_limit protection is implemented

Hardening Patch 0.4.13

  • Added a hphp_strcasestr() function to work around a compilation problem on f.e. solaris systems

Hardening Patch 0.4.12

  • Added a whole bunch of security fixes for PHP 4.4.2 and PHP 5.1.4 (some are not in upstream PHP)
  • Added a slight modification that improves the speed of the zend_hash canary protection
  • Added a feature to protect against various mail header attacks through mail() (newly introduced hphp.mail.protect directive)
  • Added a fix for a potential DOS vulnerability in the URL blacklist handling. Credits: Pavel Stano reported this bug

Hardening Patch 0.4.11

  • Added a security fix for PHP 5.1’s realpath() cache
  • Bundle install-pear-nozlib.phar because it was missing in original PHP 5.1.4 tarball
  • Hotfix to realpath() to solve problems with non existing directories

Hardening Patch 0.4.10

  • Fixed a compilation problem in PHP4 + ZTS mode
  • Finally fixed a trailing slash problem with open_baedir
  • Added a changelog file to the Hardening-Patch distribution to better keep

up with changes

Hardening Patch 0.4.9

  • Fixes a problem with trailing / in open_basedirs
  • Adds PHP‘s invalid characters in session identifier check
  • Adds security fixes from PHP (temporary file, zend_hash, phpinfo(), wordwrap(), htmlentities())

Hardening Patch 0.4.8

  • Fixes an uninitialised variable in the HTTP Response Splitting Protection, that resulted in HTTP headers beeing not sent

Hardening Patch 0.4.7

  • Fixes a problem with persistent Zend LList Canaries
  • Added a fix for a safe_mode bypass vulnerability in ext/curl

Hardening Patch 0.4.6

  • Fixed some error situations in virtual_file_ex()
  • Added a dummy padding variable to work around a GCC bug
  • Changed Hardening-Patch’s module number
  • Moved HTTP Response Splitting Protection into the varfilter extension
  • Added protection of long superglobals against HTTP headers
  • Added session_id validation and creation hooks to the session extension
  • Backported delete old session flag from PHP 5.1 in session_regenerate_id()
  • Added session hooks to sqlite session handler

Hardening Patch 0.4.5

  • Added fixes for ext/curl, ext/gd safe_mode/open_basedir bypass vulnerabilities
  • Addes an advertisement for http://www.hardened-php.net to phpinfo()
  • Changed that only the first forbidden variable is logged
  • Changed white- and blacklists to be persistent

Hardening Patch 0.4.4

  • Changed the UPLOAD_ERR_FILTER numerical code
  • Disallow overwritting GLOBALS inside php_register_variable_ex()
  • Added a memory manager canary change between requests
  • Added more safe_mode/open_basedir checks to ext/curl, ext/gd
  • Added protection against ASCIIZ characters in user input
  • Backported some security fixes like register_globals reactivation through parse_str()
  • Backported a fix for memory_limit not beeing reset

Hardening Patch 0.4.3

  • Added another hook for file uploads, that only checks the variablename. This also requires bumping the internal Hardening-Patch API number
  • Added black- and whitelist support for URL shemes in include filenames

Hardening Patch 0.4.2

  • Added Solar Designer’s CRYPT_BLOWFISH implementation, to have CRYPT_BLOWFISH support in crypt() on all platforms
  • Added sha256() and sha256_file() functions that implement the successor of sha1
  • Update to XML_RPC 1.4.0 to eliminate eval() injection vulnerability

Hardening Patch 0.4.1

  • register_tick_function, register_shutdown_function callbacks recognize being set from within eval()
  • functions and classes registered within eval() will automatically be handled as eval()’d code if the main script calls them (f.e. through callbacks)
  • WARNING: the eval() function black- and whitelist do NOT protect against eval()’d code manipulating the execution flow of the main script by changing the content of variables. (Variable access black- and whitelists are sheduled for a later version)

Hardening Patch 0.4.0

  • Binary compatibility with older Hardening-Patch versions again broken to ensure compatibility with APC and similiar extensions.
  • PHP/Zend API numbers restored to PHP originals
  • Additional Hardening-Patch API numbers introduced
  • Fixed: Access to memory manager canaries could result in not aligned memory accesses
  • Fixed: Only use C style comments
  • New Feature: Introduced whitelists and blacklists for functions, like disable_functions but configurable on a per directory basis.
  • New Feature: Introduced separate whitelists and blacklists for functions that are called from within eval().

Hardening Patch v0.3.2

  • Fixes a compilation error in ext/MySQLi
  • Fixes that without a verification script in place all fileuploads were forbidden

Hardening Patch v0.3.1

  • Fixes a compilation error that exists in 0.3.0 (Thanks to Michal Lukaszek <prism@pld-linux.org >)
  • header() does not allow setting multiple HTTP headers at once
  • hphp.multiheader=On/Off controls this
  • Failed SQL Queries can now be logged in fbsql/mysql/mysqli/pgsql and sqlite
  • hphp.sql.bailout_on_error=On/Off allows termintating a script after failed queries

Hardening Patch v0.3.0

  • Logging of ALERT classes can now be configured by class
  • Syslog facility and priority is now configurable
  • ALERTS can be logged by the SAPI error log
  • ALERTS can be logged by an external logging script
  • Attackers IP addresses can now be extracted from X-Forwarded-For headers
  • GET, POST, COOKIE variables with the following names are not registered:
    • GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST
    • _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS
    • HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_FILES,
    • HTTP_POST_VARS, HTTP_RAW_POST_DATA,
    • HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Following limits can be enforced on either COOKIE, GET and POST variables or on all REQUEST variables independent of origin
    • Number of variables
    • Maximum length of variable name [with and without indices]
    • Maximum length of array indices
    • Maximum length of variable value
    • Maximum depth of array
  • Number of uploadable files can be limited
  • Uploaded files can now be passed to an external verification script
  • Uploaded ELF files can be automatically filtered away
  • Execution Depth Limit
  • Failing SQL Queries within the MySQL extension can be logged
  • XML_RPC 1.3.1 replaces the vulnerable 1.2.2

Hardening Patch v0.2.7

  • backport of fixes for vulnerabilities in PHP 4.3.10
  • fixes bug with open_basedir and mkdir with trailing slashes
  • adds safe unlink again, because canaries alone aren’t good enough
  • fixes non randomness of hash table canaries

Hardening Patch v0.2.6

  • fixes compile problem on Solaris system
  • breaks binary compatibility to normal PHP by using some PHP5 structs in PHP4

Hardening Patch v0.2.5

  • no new features
  • fixes compile problems on some platforms
  • fixes the new realpath() implementation with some symlinks

Hardening Patch v0.2.4

  • backported fixes for CAN-2004-1018, CAN-2004-1019, CAN-2004-1020
  • and for CAN-2004-1063, CAN-2004-1064, CAN-2004-1065
  • adds protection of superglobals from extract()
  • replaces realpath() with an implementation based on FreeBSD’s realpath()
  • memory_limit cannot be raised over configured limit anymore

Hardening Patch v0.2.3

  • fixes problem with logging the IP from varfilter extension
  • fixes logging under syslog-ng
  • adds protection of superglobals from import_request_variables()
  • fixes bug within addslashes within 4.3.9
  • adds logging of filename to php-security logs (does not work in all sapi yet)
  • increases maximum length of a variable to 10000 within varfilter
  • adds HARDENED_PHP and HARDENED_PHP_VERSION constants

Hardening Patch v0.2.2 fixes

  • incompatibility between some configurations and HashTable Destructor protection

Hardening Patch v0.2.1 fixes

  • compile problem with ext/mbstring
  • Basic Auth problem in PHP 5.0.0

Hardening Patch v0.2.0 adds

  • all security fixes from PHP 4.3.8 for PHP 4.3.7 users
  • Canary protection of Zend HashTable destructors
  • Backport of PHP5’s input_filter technology
  • Hardening Patch’s varfilter extension

Hardening Patch v0.1.2 adds

  • PHP5 compatibility (non ZTS)
  • full ZTS compatibility
  • and some other small fixes

Hardening Patch v0.1.1 adds

  • memory_limit check relocation
  • and some other small fixes

Hardening Patch v0.1.0 implements

  • Canary protection of the Zend Memory Manager
  • Canary protection of Zend Linked Lists
  • Protection against internal format string exploits
  • Protection against arbitrary code inclusion
  • Syslog logging of attackers IP

© Hardened PHP Project