Hardening-Patch v0.4.6 released

26 November 2005

The Hardened-PHP Project is proud to announce the immediate release of our Hardening-Patch 0.4.6 for PHP.

New features:
  • Added protection for the long versions of the superglobals, so that they can no longer be overwritten through HTTP headers
  • Added a validate-session-identifier hook to the session extension
  • Added a session.use_strict_mode configuration flag that enables strict handling of the session identifier (enabled by default)
  • Added two optional parameters to session_set_save_handler() that let user-space session handlers override session identifier creation and validation
  • Added a default session identifier validator that only accepts a limited character set and therefore protects against several attacks through the session identifier (e.g. SQL injection in user-space session handlers)
  • Added an optional parameter to session_regenerate_id() that allows the previous session to be deleted (this is a backport from PHP 5.1.0)
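The SQL-injection case the default validator guards against arises in user-space save handlers that pass the session identifier straight into a query. The following is an added example, not code from the Hardening-Patch or the Hardened-PHP Project: a user-space handler that applies a limited-character-set check of its own before the identifier reaches SQL. The class name, the allowed alphabet and length limit, and the SQLite storage are assumptions chosen for illustration, not the patch's exact default rule.

```php
<?php
// Added example (not part of the Hardening-Patch): a user-space session save
// handler that rejects session identifiers outside a limited charset before the
// id reaches SQL. The alphabet [0-9a-zA-Z,-] and length limit are assumptions.
class DbSessionHandler
{
    private $db;
    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT)');
    }
    // Stand-in for the patch's default validator: anything that is not a short
    // token from a fixed alphabet is treated as if no such session existed.
    public static function isValidId($id)
    {
        return is_string($id) && preg_match('/^[0-9a-zA-Z,-]{1,128}$/', $id) === 1;
    }

    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    public function gc($maxLifetime) { return true; }

    public function read($id)
    {
        if (!self::isValidId($id)) { return ''; }   // invalid id: no session
        // Bound parameter as well, so the id never becomes part of the SQL text.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute(array($id));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write($id, $data)
    {
        if (!self::isValidId($id)) { return false; }
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data) VALUES (?, ?)');
        return $stmt->execute(array($id, $data));
    }

    public function destroy($id)
    {
        return self::isValidId($id)
            && $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute(array($id));
    }
}

$handler = new DbSessionHandler(new PDO('sqlite::memory:'));
session_set_save_handler(
    array($handler, 'open'), array($handler, 'close'), array($handler, 'read'),
    array($handler, 'write'), array($handler, 'destroy'), array($handler, 'gc')
);
```

With the patch's default validator active, an identifier that fails the engine-side check is rejected before any handler callback runs; the handler's own check is the defence-in-depth for builds without it.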

Bugfixes:
  • Added a workaround for a GCC bug that caused crashes with Solaris 10 on SPARCs
  • Fixed a thread-safety problem that caused the 'linked list canary overwritten' messages when running in a multithreaded SAPI
  • Fixed a bug in the logging configuration

Download:
  • as a patch against the released PHP tarball
  • NEW: as a prepatched tarball

© Hardened PHP Project