Changelog
2010-07-23 - 0.9.32.1
- Fixed missing header file resulting in compile errors
2010-07-23 - 0.9.32
- Added support for memory_limit > 2GB
- Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
- Improved random number seed generation more by adding /dev/urandom juice
2010-03-28 - 0.9.31
- Fixed ZTS build of session.c
- Increased session identifier entropy by using /dev/urandom if available
2010-03-25 - 0.9.30
- Added line ending characters %0a and %0d to the list of dangerous characters handled
by suhosin.server.encode and suhosin.server.strip
- Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
- Added ! protection to PHP session serializer
- Fixed: simulation mode now also affects (dis)allowed functions
- Fixed missing return (1); in random number generator replacements
- Fixed random number generator replacement error case behaviour in PHP 5.3.x
- Fixed error case handling in function_exists() PHP 5.3.x
- Merged changes/fixes in import_request_variables()/extract() from upstream PHP
- Fixed suhosin_header_handler to be PHP 5.3.x compatible
- Merge fixes and new features of PHP's file upload code to suhosin
2009-08-15 - 0.9.29
- Fixed crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
- Added more compatible way to retrieve ext/session globals
- Increased default length and count limit for POST variables (for people not reading the documentation)
2009-08-14 - 0.9.28
- Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
- Fixed harmless parameter order error in a bogus memset()
- Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
- Added suhosin.executor.include.allow_writable_files which can be disabled to disallow
inclusion of files writable by the webserver
2008-08-23 - 0.9.27
- Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
2008-08-22 - 0.9.26
- Fixed problem with suhosin.perdir
Thanks to Hosteurope for tracking this down
- Fixed problems with ext/uploadprogress
Reported by: Christian Stocker
- Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
- Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
- Added better internal seeding of rand() and mt_rand()
2008-08-06 - 0.9.25
- Fixed PHP 4 compilation problem introduced in 0.9.24
- Fixed PHP 5.3 compilation problem
- Changed PHP default POST handler to PHP's current handler
2008-05-10 - 0.9.24
- Added support for method-calls to function handling
- This fixes white- and blacklist affecting methods with the same name
2008-01-14 - 0.9.23
- Fixed: suhosin extension now compiles with snapshots of PHP 5.3
- Fixed: crypt() behaves normally again when no salt is supplied
2007-12-01 - 0.9.22
- Removed LFS warning message because it crashed on several systems
2007-11-30 - 0.9.21
- Fixed: function_exists() now checks the Suhosin permissions
- Fixed: crypt() salt no longer uses Blowfish by default
- Fixed .htaccess/perdir support
- Fixed compilation problem on OS/X
- Added protection against some attacks through _SERVER variables
- Added suhosin.server.strip and suhosin.server.encode
- Added error message that warns about the LFS binary incompatibility
2007-05-19 - 0.9.20
- Added protection flags against whitespace at variable start
- Added mutex around crypt() to close the PHP crypt()
thread safety vulnerability class
- Improved HTTP Response Splitting Protection
- Changed default maximum array depth to 50 for GPCR
- Fixed possible endless loop in file logging
- Fixed file locking in file logging
2007-05-01 - 0.9.19
- Fixed typo in HTTP header protection (only during simulation mode)
Reported by: Ilia Alshanetsky
- Fixed wrong \0 termination in cookie decryptor
- Fixed possible crash in SERVER variables protection when SAPI=embedded
Fix provided by: Olivier Blin/Mandriva Linux
- Added possibility to en-/disable INI_PERDIR
Problem reported by: Ilia Alshanetsky
- Added PHP Warning when disabled function is called
- Added examples for new configuration option in suhosin.ini
2007-03-06 - 0.9.18
- Fixed session double hooking in edge case
- Added additional crash protection for PHP's session module
2007-03-04 - 0.9.17
- Added a suhosin.ini example configuration
Thanks to Mandriva Linux for supplying us with one
- Added new logging device: file
- Fixed suhosin.filter.action not affecting POST limits
- Fixed behaviour of request variable limit to be an upper limit
  for the other settings instead of an additive limit
- Fixed hard_memory_limit bypass due to casting bug in PHP
Problem was found by: Ilia Alshanetsky
- Fixed some sql prefix/postfix problems
- Added experimental SQL injection heuristic
2006-12-02 - 0.9.16
- Added suhosin.stealth which controls if suhosin loads in
stealth mode when it is not the only zend_extension
(Required for full compatibility with certain encoders
that consider open source untrusted. e.g. ionCube, Zend)
- Activate suhosin.stealth by default
- Fixed that Suhosin tries handling functions disabled by
disable_function. In v0.9.15 it was impossible to disable
phpinfo() with disable_function.
Problem was found by: Thorsten Schifferdecker
2006-11-28 - 0.9.15
- Added a transparent protection for open phpinfo() pages by
adding an HTML META ROBOTS tag to the output that forbids
indexing and archiving
2006-11-22 - 0.9.14
- Drop wrongly decrypted cookies instead of leaving them empty
- Fixed another problem with urlencoded cookie names
- Fixed compilation problem with PHP4
- Added better regression testing to the release process to catch
  compilation and missing-symbol problems
2006-11-20 - 0.9.13
- More compatible support for ap_php_snprintf() for old PHP
- Changed phpinfo() output to put suhosin logo into a data: URL
for Opera and Gecko based browsers when expose_php=off
2006-11-14 - 0.9.12
- Adding ap_php_snprintf() when compiling against PHP 4.3.9
- Added suhosin.protectkey to remove cryptkeys from phpinfo() output
- Disabled suhosin.cookie.encrypt in default install
- Fixed static compilation against PHP 5.2.0
2006-11-06 - 0.9.11
- Fixed input filter for simulation mode
2006-10-26 - 0.9.10
- Fixed ZTS compile problem in new code
- Fixed PHP4 compile problem in new code
2006-10-25 - 0.9.9
- Fixed mail() protection that failed to detect some injected headers
- Fixed cookie decryption to not potentially trash apache memory
- Fixed cookie encryption to handle url encoded names correctly
- Added suhosin.cookie/session.checkraddr
- Added suhosin.cookie.cryptlist
- Added suhosin.cookie.plainlist
- Added suhosin_encrypt_cookie function for JS
- Added suhosin_get_raw_cookies function
- Changed dropped variable error messages
2006-10-08 - 0.9.8
- Fixed a PHP4 ZTS compile problem
2006-10-08 - 0.9.7
- Moved input handler hooking to a later place to ensure better compatibility
with 3rd party extensions
- Fixed a problem with overlong mail headers in mail protection
- Fixed a problem with empty log/verification script names
- Fixed a PHP4 compile problem with old gcc/in ZTS mode
- Added mbregex.h from PHP4 to solve compile problems on systems with broken
  header installations
2006-10-02 - 0.9.6
- Disallow symlink() when open_basedir is set (activated by default)
- Fixed a problem with compilation in Visual Studio
2006-09-29 - 0.9.5
- Added missing logo file
- Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
2006-09-29 - 0.9.4
- Added version number and logo to phpinfo() output
- Fixed all uploaded files being dropped after a single one was disallowed
- Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
of logging S_MEMORY events
- Disable handling of rfc1867 mbstring decoding
2006-09-24 - 0.9.3
- Added protection against endless recursion for suhosin.log.phpscript
- Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
- Added suhosin.executor.include.max_traversal to stop directory traversal includes
2006-09-19 - 0.9.2
- Fixed broken rfc1867 file upload hook
- Changed definition of binary to: 0..31, 128..255 except whitespace
- Added suhosin.log.phpscript(.name) directive to log to a PHP script
2006-09-16 - 0.9.1
- A bunch of changes to compile and work on Windows
2006-09-09 - BETA
- Added decryption of HTTP_COOKIE
- Fixed a last problem in suhosin_strcasestr() helper function
2006-09-08 - BETA
- Fixed a problem within suhosin_strcasestr() because it broke
URL checks
2006-09-07 - BETA
- CVS version of PHP 5.2.0 was changed to support case-insensitive
  URLs; added support for this in suhosin
- Fixed a problem when preg_replace() was called with more than
4 parameters