On Thu, 2 Feb 2012, Stefan Esser wrote:

> Sorry it makes no difference if a feature was introduced into PHP by
> taking code from Suhosin or from someone else. Fact is the feature
> existed before in Suhosin.
>
> * GLOBALS overwrite protection
> * max_file_uploads
> * max_input_vars
> * crypt() blowfish
> * max_input_nesting_level
> * Superglobals overwrite protection in explode()/import_request_vars()
> * safe unlink in Zend memory manager
> * http response splitting protection against \n
> * http response splitting protection against \r <--- broken attempt to
>   support this in PHP 5.4

What is broken, and where is a possible patch?

> * and most probably many more that I do not know from the top of my
>   head (these are already 9 features and Suhosin/HPHP exists since 2004 =
>   8 years).

Lots of stuff in PHP was also "stolen" from Xdebug, but I am not whining about that as the goal is (and has always been) to make PHP better.

> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
>
> Yes it is one of the features that is in Suhosin for a long time ->
> anyway that security fix is completely broken and no one cares about
> it.

I'm sure we'd be more than happy to hear why it's broken and hear about possible suggested fixes.

cheers,
Derick

-- 
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug