Hello Pierre,

> For one, some were not ported but features were implemented, with
> the support of their original authors. They are not related to
> Suhosin, like the Blowfish support, which I ported to php with the
> help of Solar Designer. Suhosin uses the same implementation.

Sorry, it makes no difference if a feature was introduced into PHP by taking code from Suhosin or from someone else. Fact is the feature existed before in Suhosin.

* GLOBALS overwrite protection
* max_file_uploads
* max_input_vars
* crypt() blowfish
* max_input_nesting_level
* Superglobals overwrite protection in explode()/import_request_vars()
* safe unlink in Zend memory manager
* http response splitting protection against \n
* http response splitting protection against \r <--- broken attempt to support this in PHP 5.4
* and most probably many more that I do not know from the top of my head

(These are already 9 features, and Suhosin/HPHP has existed since 2004 = 8 years.)

> I understand why you left the security team and the php project years
> ago. Back then I was not on the security team, so I won't comment on this
> period (and I would have partially agreed with you). However, I am

Suhosin/HPHP existed 3 years before I left the security team. So the creation of it had nothing to do with me leaving the team.

> Many features are making their way to PHP as well, on a case by case
> basis. We have changed and we are on the right track since quite some
> time already. If you have features that you consider must be
> in the core, then let's discuss it, on this list. But so far I failed to
> see other features in Suhosin that we need to implement without having
> more cons than pros.

The fact is the PHP developers NEVER saw other features they needed to implement, and then some external people disclosed some PHP bug and as a result one of the Suhosin features was cloned.

The thing is: I see no problem with the status quo - Suhosin exists and people can use it - it is like people can choose if they want ASLR, NX, Fortify Source on their system. I do not have the time or wish to convince the PHP developers to add some features that most probably after some time will be copied/cloned/reimplemented anyway.

The only problem I see is that some PHP developers negate the fact that Suhosin increases the security of PHP (which was proven again and again for 8 years, why else clone features) and recommend people to stay away from it: This is malicious.

And yes, I like the Suhosin codebase separate, because if there is a bug I can smack the responsible person (myself) over the head bigtime. If Suhosin merges with PHP a lot of patches will go into the code and the work to keep track of every commit that touches some Suhosin feature will explode. Just look at security patches like this:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997

Yes, it is one of the features that has been in Suhosin for a long time -> anyway that security fix is completely broken and no one cares about it.

Regards,
Stefan Esser

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php