You are on: Home | Suhosin | Changelog



2014.02.24: Version 0.9.35

  • From now only PHP >= 5.4 is officially supported
  • Fix problems with the hard memory_limit on 64 bit systems
  • Fix problems with user space session handler due to change in PHP 5.4.0
  • Add changes in PHP 5.5 session handlers structures for PHP 5.5 compability
  • Fix std post handler for PHP >= 5.3.11
  • Fix suhosin logo in phpinfo() for PHP 5.5
  • Change fileupload handling for PHP >= 5.4.0 to use an up to date RFC1867 replacement code
  • Adapted suhosin to PHP 5.5 executor
  • Added some test cases for various things
  • Added suhosin.log.stdout to log to stdout (for debugging purposes only)
  • Add ini_set() fail mode to suhosin.disable.display_errors
  • Fix suhosin.get/post/cookie.max_totalname_length filter
  • Refactor array index handling in filter to make it work always
  • Added support for PHP 5.6.0alpha2

2012.02.12: Version 0.9.34

  • Added initial support for PHP 5.4.0
  • Fix include whitelist and blacklist to support shemes with dots in their names
  • Fix read after efree() that lets function_exists() malfunction
  • Fix build with clang compiler
  • Added a request variable drop statistic log message

2012.01.19: Version 0.9.33

  • Make clear that suhosin is incompatible to mbstring.encoding_translation=On
  • Stop mbstring extension from replacing POST handlers
  • Added detection of extensions manipulating POST handlers
  • Fixed environment variables for logging do not go through the filter extension anymore
  • Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
  • Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
  • Removed crypt() support - because not used for PHP >= 5.3.0 anyway

2010.03.28: Version 0.9.31

  • Fix ZTS build of session.c
  • Increased session identifier entropy by using /dev/urandom if available

2010.03.25: Version 0.9.30

  • Added line ending characters %0a and %0d to the list of dangerous characters handled by suhosin.server.encode and suhosin.server.strip
  • Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
  • Added ! protection to PHP session serializer
  • Fixed simulation mode now also affects (dis)allowed functions
  • Fixed missing return (1); in random number generator replacements
  • Fixed random number generator replacement error case behaviour in PHP 5.3.x
  • Fixed error case handling in function_exists() PHP 5.3.x
  • Merged changes/fixes in import_request_variables()/extract() from upstream PHP
  • Fixed suhosin_header_handler to be PHP 5.3.x compatible
  • Merge fixes and new features of PHP's file upload code to suhosin

2009.08.15: Version 0.9.29

  • Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
  • Added more compatible way to retrieve ext/session globals
  • Increased default length and count limit for POST variables (for people not reading docu)

2009.08.14: Version 0.9.28

  • Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
  • Fixed harmless parameter order error in a bogus memset()
  • Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
  • Added suhosin.executor.include.allow_writable_files which can be disabled to disallow inclusion of files writable by the webserver

2008.08.23: Version 0.9.27

  • Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading

2008.08.22: Version 0.9.26

  • Fixed problem with suhosin.perdir
    Thanks to Hosteurope for tracking this down
  • Fixed problems with ext/uploadprogress
    Reported by: Christian Stocker
  • Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
  • Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
  • Added better internal seeding of rand() and mt_rand()

2008.08.06: Version 0.9.25

  • Fixed PHP 4 compilation problem introduced in 0.9.24
  • Fixed PHP 5.3 compilation problem
  • Changed PHP default POST handler to PHP's current handler

2008.05.10: Version 0.9.24

  • Added support for method-calls to function handling
  • This fixes white- and blacklist affecting methods with the same name

2008.01.14: Version 0.9.23

  • Fixed suhosin extension now compiles with snapshots of PHP 5.3
  • Fixed crypt() behaves like normal again when there is no salt supplied

2007.12.01: Version 0.9.22

  • Removed LFS warning message because it crashed on several systems

2007.11.30: Version 0.9.21

  • Fixed function_exists() now checks the Suhosin permissions
  • Fixed crypt() salt no longer uses Blowfish by default
  • Fixed .htaccess/perdir support
  • Fixed compilation problem on OS/X
  • Added protection against some attacks through _SERVER variables
  • Added suhosin.server.strip and suhosin.server.encode
  • Added error message that warns about the LFS binary incompatibility

2007.05.19: Version 0.9.20

  • Added protection flags against whitespace at variable start
  • Added mutex around crypt() to close the PHP crypt() thread safety vulnerability class
  • Improved HTTP Response Splitting Protection
  • Changed default maximum array depth to 50 for GPCR
  • Fixed possible endless loop in file logging
  • Fixed file locking in file logging

2007.05.01: Version 0.9.19

  • Fixed typo in HTTP header protection (only during simulation mode) - Reported by: Ilia Alshanetsky
  • Fixed wrong \0 termination in cookie decryptor
  • Fixed possible crash in SERVER variables protection when SAPI=embedded - Fix provided by: Olivier Blin/Mandriva Linux
  • Added possibility to en-/disable INI_PERDIR - Reported by: Ilia Alshanetsky
  • Added PHP Warning when disabled function is called
  • Added examples for new configuration option in suhosin.ini

2007.03.06: Version 0.9.18

  • Fixed session double hooking in edge case
  • Added additional crash protection for PHP‘s session module

2007.03.04: Version 0.9.17

  • Added a suhosin.ini example configuration. Thanks to Mandriva Linux for supplying us with one
  • Added new logging device: file
  • Fixed that suhosin.filter.action did not affect POST limits
  • Fixed behaviour of request variable limit to be an upper limit
  • for the other settings instead of being additive limit
  • Fixed hard_memory_limit bypass due to casting bug in PHP. Problem was found by: Ilia Alshanetsky
  • Fixed some sql prefix/postfix problems
  • Added experimental SQL injection heuristic

2006.12.02: Version 0.9.16

  • Added suhosin.stealth which controls if suhosin loads in stealth mode when it is not the only zend_extension (Required for full compatibility with certain encoders that consider open source untrusted. e.g. ionCube, Zend)
  • Activate suhosin.stealth by default
  • Fixed that Suhosin tries handling functions disabled by disable_function. In v0.9.15 it was impossible to disable phpinfo() with disable_function. Problem was found by: Thorsten Schifferdecker

2006.11.28: Version 0.9.15

  • Added a transparent protection for open phpinfo() pages by adding an HTML META ROBOTS tag to the output that forbids indexing and archiving

2006.11.22: Version 0.9.14

  • Drop wrongly decrypted cookies instead of leaving them empty
  • Fix another problem with urlencoded cookie names
  • Fix compilation problem with PHP4
  • Added better regression to the release process to stop compilation and missing symbol problems

2006.11.20: Version 0.9.13

  • More compatible ap_php_snprintf() support for old PHP versions
  • Changed phpinfo() output to put the suhosin logo into a data: URL when

Opera or a Gecko based browser is used and expose_php=off

2006.11.14: Version 0.9.12

  • Adding ap_php_snprintf() when compiling against PHP 4.3.9
  • Added suhosin.protectkey to remove cryptkeys from phpinfo() output
  • Disabled suhosin.cookie.encrypt in default install
  • Fixed static compilation against PHP 5.2.0

2006.11.06: Version 0.9.11

  • Fixed input filter in simulation mode

2006.10.26: Version 0.9.10

  • Fixed ZTS compile problem in new code
  • Fixed PHP4 compile problem in new code

2006.10.25: Version 0.9.9

  • Fixed mail() protection that failed to detect some injected headers
  • Fixed cookie decryption to not potentially trash apache memory
  • Fixed cookie enctyption to handle url encoded names correctly
  • Added suhosin.cookie/session.checkraddr
  • Added suhosin.cookie.cryptlist
  • Added suhosin.cookie.plainlist
  • Added suhosin_encrypt_cookie function for JS
  • Added suhosin_get_raw_cookies function
  • Changed dropped variable error messages

2006.10.08: Version 0.9.8

  • Fixed the PHP4 compile problem in ZTS mode correctly

2006.10.08: Version 0.9.7

  • Moved input handler hooking to a later place to ensure better compatibility with 3rd party extensions
  • Fixed a problem with overlong mail headers in mail protection
  • Fixed a problem with empty log/verification script names
  • Fixed a PHP4 compile problem with old gcc/in ZTS mode
  • Added mbregex.h from PHP4 to solve compile problems on systesm with broken header installations

2006.10.02: Version 0.9.6

  • Added fixes for various platform compilation problems
  • Disables symlink() when open_basedir is used

2006.09.29: Version 0.9.5

  • Added missing logo file
  • Added suhosin.apc_bug_workaround flag to work around a bug in APC 3.0.12x

2006.09.29: Version 0.9.4

  • Added version number and logo to phpinfo() output
  • Fixed that all uploaded files are dropped after a single one was disallowed
  • Added undocumented suhosin.coredump flag to tell suhosin to dump core instead of logging S_MEMORY events
  • Disable handling of rfc1867 mbstring decoding

2006.09.24: Version 0.9.3

  • Added protection against directory traversal include attacks
  • Added protection against endless recursion to phpscript logging
  • Added possibility to disable safe_mode, open_basedir for phpscript logging

2006.09.19: Version 0.9.2

  • Fixed the fileupload hook (binary data now excludes whitespace)
  • Added phpscript as logdevice

2006.09.16: Version 0.9.1

  • A bunch of changes to compile and work on Windows
  • First stable release

BETA 2006.09.09

  • Added decryption of HTTP_COOKIE
  • Fixed a last problem in suhosin_strcasestr() helper function

BETA 2006.09.08

  • Fixed a problem within suhosin_strcasestr() because it broke URL checks

BETA 2006.09.07

  • CVS version of PHP 5.2.0 was changed to support incasesensitive URLs, support for this in suhosin added
  • Fixed a problem when preg_replace() was called with more than 4 parameters


2010.07.23: Version 0.9.10

  • fix format string vulnerability forgot to patch in 5.3.3
  • added protection against %Z format string specifier
  • merged Zend Allocator rest bucket patch into canary allocator

2010.03.04: Version

  • fixed some crashbugs for IA64 architecture
  • check return value of mprotect() to ensure that memory is read only - credits: PAX Team
  • fixed mprotect() call - encrypted pointer was used in revoked 0.9.9 - credits: PAX Team
  • added additional hardening to destructor protection
  • added pointer obfuscation to memory manager

2009.08.13: Version 0.9.8

  • PHP 5.3.x compatibility
  • features configurable by environment variables
  • added various hardenings against PHP interruption vulnerabilities
  • added option to sanitize all freed memory

2009.03.05: Version 0.9.7

  • Added a little bit more realpath() hardening. However PHP's realpath() handling still needs more fixes.

2008.12.04: Version

  • Fixed non aligned memory access in memory manager canary protection. Affects architectures like sparc or arm

2006.11.12: Version

  • Fixed another problem with new PHP 5.2.0 memory manager

2006.11.06: Version

  • Removed forgetten debug code in zend_alloc.c for PHP 5.2.0
  • Fixed problem with zend_alloc.c in debug compiled PHP 5.2.0

2006.09.27: Version 0.9.6

  • Fixed changes in PHP5 header files that caused problems with C++ extensions

2006.09.26: Version 0.9.5

  • phpinfo(): be more verbose about presence of Suhosin-Patch
  • Fixes the Win32 compile failure

2006.09.24: Version 0.9.4

  • Changes to be compatible with Win32
  • Added phpscript as logdevice

© Hardened PHP Project