This page is a collection of questions that occur from time to time.
This question is actually the most important one. Important enough that the answer is covered in a section of its own.
The Hardening-Patch for PHP is a patch against the PHP code base. It heavily uses #defines from the original PHP code tree and is therefore released under the same license. Currently this is the PHP License, version 3.01.
Some ideas from the Hardening-Patch, like the HTTP Response Splitting Protection, have been backported into normal PHP, but most of its features never will be. The reasons for this are many. The most important ones are these:
- Some of the features have a measurable speed impact, and some PHP core developers even fear adding single stat() syscalls
- Many PHP developers don't want to add security features that are only needed for insecurely programmed PHP applications
- Only by staying a separate project is it possible to underline that we are not satisfied with the way the PHP Project handles security issues and (possible) security problems. The best example is the newly introduced allow_url_include configuration directive, which was introduced into PHP because of security media pressure. However, the directive is flawed by design and does not, for example, protect against php://input or data: URLs
- Some PHP developers don't like the Hardened-PHP Project, because the existence of the patch and our reports about security holes in PHP and PHP applications could raise the question of whether PHP should be used for sensitive websites at all
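The allow_url_include point above is about which sources an include may read from. As an added example (not code from the Hardened-PHP project or from PHP itself), the following shows the application-side control that does not depend on that directive: include targets are mapped from a bare template name to a file under a fixed directory, so neither a stream wrapper such as php://input or data: nor a relative path ever reaches include. The directory name templates and the page request parameter are assumptions for the example.

```php
<?php
// Added example, not part of the Hardening-Patch: resolve an include target
// by allowlist instead of trusting allow_url_include to block remote sources.
//
// Assumption: templates live in ./templates and are addressed by a bare name
// such as "header" (mapped to templates/header.php). Anything else is rejected.

const TEMPLATE_DIR = __DIR__ . '/templates';

function resolve_template(string $name): ?string
{
    // Only plain identifiers are accepted. This rules out stream wrappers
    // (php://input, data:...), path separators and ".." before any file access.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');

    // realpath() returns false for missing files. The resolved path must also
    // still lie inside the template directory, which guards against symlinks
    // pointing elsewhere.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(404);
        echo 'unknown template';
        return;
    }
    // Only a path produced by resolve_template() is ever passed to include.
    include $path;
}

// The request parameter is never used as a path directly.
render_template($_GET['page'] ?? 'index');
```

With this structure the value of allow_url_include (and allow_url_fopen) becomes a defence in depth rather than the only barrier between request data and include.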