Mini Shell
2015-05-21 - 0.9.38
- removed code compatibility for PHP <5.4 (lots of code + ifdefs)
- allow https location for suhosin.filter.action
- fixed newline detection for suhosin.mail.protect
- Added suhosin.upload.max_newlines to protect againt DOS attack via many
MIME headers in RFC1867 uploads (CVE-2015-4024)
- mail related test cases now work on linux
2014-12-12 - 0.9.37.1
- Changed version string to 0.9.37.1 (without -dev)
- Relaxed array index blacklist (removed '-') due to wordpress incompatibility
2014-12-03 - 0.9.37
- Added SQL injection protection for Mysqli and several test cases
- Added wildcard matching for SQL username
- Added check for SQL username to only contain valid characters (>= ASCII 32)
- Test cases for user_prefix and user_postfix
- Added experimental PDO support
- SQL checks other than mysql (Mysqli + old-style) must be enabled with
configure --enable-suhosin-experimental, e.g. MSSQL.
- disallow_ws now matches all single-byte whitespace characters
- remove_binary and disallow_binary now optionally allow UTF-8.
- Introduced suhosin.upload.allow_utf8 (experimental)
- Reimplemented suhosin_get_raw_cookies()
- Fixed potential segfault for disable_display_errors=fail (only on ARM)
- Fixed potential NULL-pointer dereference with func.blacklist and logging
- Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
- Added new array index filter (character whitelist/blacklist)
- Set default array index blacklist to '"+-<>;()
- Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
- Added simple script to create binary Debian package
- Fixed additional recursion problems with session handler
- Suhosin now depends on php_session.h instead of version-specific struct code
2014-06-10 - 0.9.36
- Added better handling of non existing/non executable shell scripts
- Added protection against XSS/SQL/Other Injections through User-Agent HTTP header
- Fix variable logging statistics outputting on every include - ticket: #37
- Added more entropy from /dev/urandom to internal random seeding (64 bit => 256 bit)
- Added non initialized stack variables to random seeding
- Added php_win32_get_random_bytes for windows compatibility in random seeding
- Added suhosin.rand.seedingkey for INI supplied additional entropy string (idea DavisNT)
- Added suhosin.rand.reseed_every_request to allow reseeding on every request (idea DavisNT)
- Changed that calls to srand() / mt_srand() will trigger auto reseeding (idea DavisNT)
- Fixed problems with SessionHandler() class and endless recursions
- Added LICENSE file to make distributions happy
2014-02-24 - 0.9.35
- From now only PHP >= 5.4 is officially supported
- Fix problems with the hard memory_limit on 64 bit systems
- Fix problems with user space session handler due to change in PHP 5.4.0
- Add changes in PHP 5.5 session handlers structures for PHP 5.5 compability
- Fix std post handler for PHP >= 5.3.11
- Fix suhosin logo in phpinfo() for PHP 5.5
- Change fileupload handling for PHP >= 5.4.0 to use an up to date RFC1867 replacement code
- Adapted suhosin to PHP 5.5 executor
- Added some test cases for various things
- Added suhosin.log.stdout to log to stdout (for debugging purposes only)
- Add ini_set() fail mode to suhosin.disable.display_errors
- Fix suhosin.get/post/cookie.max_totalname_length filter
- Refactor array index handling in filter to make it work always
- Added support for PHP 5.6.0alpha2
- WARNING: FUNCTION WHITELISTS/BLACKLISTS NEVER WORKED CORRECTLY WITH PHP < 5.5
2012-02-12 - 0.9.34
- Added initial support for PHP 5.4.0
- Fix include whitelist and blacklist to support shemes with dots in their names
- Fix read after efree() that lets function_exists() malfunction
- Fix build with clang compiler
- Added a request variable drop statistic log message
2012-01-19 - 0.9.33
- Make clear that suhosin is incompatible to mbstring.encoding_translation=On
- Stop mbstring extension from replacing POST handlers
- Added detection of extensions manipulating POST handlers
- Fixed environment variables for logging do not go through the filter extension anymore
- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
- Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
- Removed crypt() support - because not used for PHP >= 5.3.0 anyway
2010-07-23 - 0.9.32.1
- Fixed missing header file resulting in compile errors
2010-07-23 - 0.9.32
- Added support for memory_limit > 2GB
- Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
- Improved random number seed generation more by adding /dev/urandom juice
2010-03-28 - 0.9.31
- Fix ZTS build of session.c
- Increased session identifier entropy by using /dev/urandom if available
2010-03-25 - 0.9.30
- Added line ending characters %0a and %0d to the list of dangerous characters handled
by suhosin.server.encode and suhosin.server.strip
- Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
- Added ! protection to PHP session serializer
- Fixed simulation mode now also affects (dis)allowed functions
- Fixed missing return (1); in random number generator replacements
- Fixed random number generator replacement error case behaviour in PHP 5.3.x
- Fixed error case handling in function_exists() PHP 5.3.x
- Merged changes/fixes in import_request_variables()/extract() from upstream PHP
- Fixed suhosin_header_handler to be PHP 5.3.x compatible
- Merge fixes and new features of PHP's file upload code to suhosin
2009-08-15 - 0.9.29
- Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
- Added more compatible way to retrieve ext/session globals
- Increased default length and count limit for POST variables (for people not reading docu)
2009-08-14 - 0.9.28
- Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
- Fixed harmless parameter order error in a bogus memset()
- Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
- Added suhosin.executor.include.allow_writable_files which can be disabled to disallow
inclusion of files writable by the webserver
2008-08-23 - 0.9.27
- Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
2008-08-22 - 0.9.26
- Fixed problem with suhosin.perdir
Thanks to Hosteurope for tracking this down
- Fixed problems with ext/uploadprogress
Reported by: Christian Stocker
- Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
- Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
- Added better internal seeding of rand() and mt_rand()
2008-08-06 - 0.9.25
- Fixed PHP 4 compilation problem introduced in 0.9.24
- Fixed PHP 5.3 compilation problem
- Changed PHP default POST handler to PHP's current handler
2008-05-10 - 0.9.24
- Added support for method-calls to function handling
- This fixes white- and blacklist affecting methods with the same name
2008-01-14 - 0.9.23
- Fixed suhosin extension now compiles with snapshots of PHP 5.3
- Fixed crypt() behaves like normal again when there is no salt supplied
2007-12-01 - 0.9.22
- Removed LFS warning message because it crashed on several systems
2007-11-30 - 0.9.21
- Fixed function_exists() now checks the Suhosin permissions
- Fixed crypt() salt no longer uses Blowfish by default
- Fixed .htaccess/perdir support
- Fixed compilation problem on OS/X
- Added protection against some attacks through _SERVER variables
- Added suhosin.server.strip and suhosin.server.encode
- Added error message that warns about the LFS binary incompatibility
2007-05-19 - 0.9.20
- Added protection flags against whitespace at variable start
- Added mutex around crypt() to close the PHP crypt()
thread safety vulnerability class
- Improved HTTP Response Splitting Protection
- Changed default maximum array depth to 50 for GPCR
- Fixed possible endless loop in file logging
- Fixed file locking in file logging
2007-05-01 - 0.9.19
- Fixed typo in HTTP header protection (only during simulation mode)
Reported by: Ilia Alshanetsky
- Fixed wrong \0 termination in cookie decryptor
- Fixed possible crash in SERVER variables protection when SAPI=embedded
Fix provided by: Olivier Blin/Mandriva Linux
- Added possibility to en-/disable INI_PERDIR
Problem reported by: Ilia Alshanetsky
- Added PHP Warning when disabled function is called
- Added examples for new configuration option in suhosin.ini
2007-03-06 - 0.9.18
- Fixed session double hooking in edge case
- Added additional crash protection for PHP's session module
2007-03-04 - 0.9.17
- Added a suhosin.ini example configuration
Thanks to Mandriva Linux for supplying us with one
- Added new logging device: file
- Fixed that suhosin.filter.action did not affect POST limits
- Fixed behaviour of request variable limit to be an upper limit
for the other settings instead of being additive limit
- Fixed hard_memory_limit bypass due to casting bug in PHP
Problem was found by: Ilia Alshanetsky
- Fixed some sql prefix/postfix problems
- Added experimental SQL injection heuristic
2006-12-02 - 0.9.16
- Added suhosin.stealth which controls if suhosin loads in
stealth mode when it is not the only zend_extension
(Required for full compatibility with certain encoders
that consider open source untrusted. e.g. ionCube, Zend)
- Activate suhosin.stealth by default
- Fixed that Suhosin tries handling functions disabled by
disable_function. In v0.9.15 it was impossible to disable
phpinfo() with disable_function.
Problem was found by: Thorsten Schifferdecker
2006-11-28 - 0.9.15
- Added a transparent protection for open phpinfo() pages by
adding an HTML META ROBOTS tag to the output that forbids
indexing and archiving
2006-11-22 - 0.9.14
- Drop wrongly decrypted cookies instead of leaving them empty
- Fix another problem with urlencoded cookie names
- Fix compilation problem with PHP4
- Added better regression to the release process to stop
compilation and missing symbol problems
2006-11-20 - 0.9.13
- More compatible support for ap_php_snprintf() for old PHP
- Changed phpinfo() output to put suhosin logo into a data: URL
for Opera and Gecko based browsers when expose_php=off
2006-11-14 - 0.9.12
- Adding ap_php_snprintf() when compiling against PHP 4.3.9
- Added suhosin.protectkey to remove cryptkeys from phpinfo() output
- Disabled suhosin.cookie.encrypt in default install
- Fixed static compilation against PHP 5.2.0
2006-11-06 - 0.9.11
- Fixed input filter for simulation mode
2006-10-26 - 0.9.10
- Fixed ZTS compile problem in new code
- Fixed PHP4 compile problem in new code
2006-10-25 - 0.9.9
- Fixed mail() protection that failed to detect some injected headers
- Fixed cookie decryption to not potentially trash apache memory
- Fixed cookie enctyption to handle url encoded names correctly
- Added suhosin.cookie/session.checkraddr
- Added suhosin.cookie.cryptlist
- Added suhosin.cookie.plainlist
- Added suhosin_encrypt_cookie function for JS
- Added suhosin_get_raw_cookies function
- Changed dropped variable error messages
2006-10-08 - 0.9.8
- Fixed a PHP4 ZTS compile problem
2006-10-08 - 0.9.7
- Moved input handler hooking to a later place to ensure better compatibility
with 3rd party extensions
- Fixed a problem with overlong mail headers in mail protection
- Fixed a problem with empty log/verification script names
- Fixed a PHP4 compile problem with old gcc/in ZTS mode
- Added mbregex.h from PHP4 to solve compile problems on systesm with broken
header installations
2006-10-02 - 0.9.6
- Disallow symlink() when open_basedir (activated by default)
- Fix a problem with compilation in Visual Studio
2006-09-29 - 0.9.5
- Added missing logo file
- Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
2006-09-29 - 0.9.4
- Added version number and logo to phpinfo() output
- Fixed that all uploaded files are dropped after a single one was disallowed
- Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
of logging S_MEMORY events
- Disable handling of rfc1867 mbstring decoding
2006-09-24 - 0.9.3
- Added protection against endless recursion for suhosin.log.phpscript
- Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
- Added suhosin.executor.include.max_traversal to stop directory traversal includes
2006-09-19 - 0.9.2
- Fixes broken rfc1867 fileupload hook
- Changed definition of binary to: 0..31, 128..255 except whitespace
- Added suhosin.log.phpscript(.name) directive to log to a PHP script
2006-09-16 - 0.9.1
- A bunch of changes to compile and work on Windows
2006-09-09 - BETA
- Added decryption of HTTP_COOKIE
- Fixed a last problem in suhosin_strcasestr() helper function
2006-09-08 - BETA
- Fixed a problem within suhosin_strcasestr() because it broke
URL checks
2006-09-07 - BETA
- CVS version of PHP 5.2.0 was changed to support incasesensitive
URLs, support for this in suhosin added
- Fixed a problem when preg_replace() was called with more than
4 parameters
Zerion Mini Shell 1.0