Suhosin

Software Details:
Version: 0.9.38 updated
Upload Date: 4 Jun 15
Developer: Stefan Esser
Distribution Type: Freeware

Suhosin extends PHP's built-in security mechanisms by adding detection, prevention and fixes for known PHP security risks and flaws.

Suhosin is made up of various low-level protection patches.

It can prevent buffer overflows or format string vulnerabilities, along with other problems.

It also includes a powerful PHP extension that implements various smaller protection methods.

What is new in this release:

  • Added SQL injection protection for Mysqli and several test cases
  • Added wildcard matching for SQL username
  • Added check for SQL username to only contain valid characters (>= ASCII 32)
  • Test cases for user_prefix and user_postfix
  • Added experimental PDO support
  • SQL checks other than mysql (Mysqli + old-style) must be enabled with configure --enable-suhosin-experimental, e.g. MSSQL.
  • disallow_ws now matches all single-byte whitespace characters
  • remove_binary and disallow_binary now optionally allow UTF-8.
  • Introduced suhosin.upload.allow_utf8 (experimental)
  • Reimplemented suhosin_get_raw_cookies()
  • Fixed potential segfault for disable_display_errors=fail (only on ARM)
  • Fixed potential NULL-pointer dereference with func.blacklist and logging
  • Logging timestamps are now local time instead of GMT
  • Added new array index filter (character whitelist/blacklist)
  • Set default array index blacklist to '"+-<>;()
  • Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
  • Added simple script to create binary Debian package
  • Fixed additional recursion problems with session handler
  • Suhosin now depends on php_session.h instead of version-specific struct code

What is new in version 0.9.37.1:

  • Added SQL injection protection for Mysqli and several test cases
  • Added wildcard matching for SQL username
  • Added check for SQL username to only contain valid characters (>= ASCII 32)
  • Test cases for user_prefix and user_postfix
  • Added experimental PDO support
  • SQL checks other than mysql (Mysqli + old-style) must be enabled with configure --enable-suhosin-experimental, e.g. MSSQL.
  • disallow_ws now matches all single-byte whitespace characters
  • remove_binary and disallow_binary now optionally allow UTF-8.
  • Introduced suhosin.upload.allow_utf8 (experimental)
  • Reimplemented suhosin_get_raw_cookies()
  • Fixed potential segfault for disable_display_errors=fail (only on ARM)
  • Fixed potential NULL-pointer dereference with func.blacklist and logging
  • Logging timestamps are now local time instead of GMT
  • Added new array index filter (character whitelist/blacklist)
  • Set default array index blacklist to '"+-<>;()
  • Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
  • Added simple script to create binary Debian package
  • Fixed additional recursion problems with session handler
  • Suhosin now depends on php_session.h instead of version-specific struct code

What is new in version 0.9.37-dev:

  • Added check for SQL username to only contain valid characters (>= ASCII 32)
  • Test cases for user_prefix and user_postfix
  • Added experimental PDO support
  • SQL checks other than mysql (Mysqli + old-style) must be enabled with configure --enable-suhosin-experimental, e.g. MSSQL.
  • disallow_ws now matches all single-byte whitespace characters
  • remove_binary and disallow_binary now optionally allow UTF-8.

What is new in version 0.9.33:

  • Stop mbstring extension from replacing POST handlers
  • Added detection of extensions manipulating POST handlers
  • Fixed: environment variables for logging no longer go through the filter extension
  • Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
  • Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
  • Removed crypt() support, because it is not used for PHP >= 5.3.0 anyway
