2016-xx-xx - 0.9.39dev2
    - some improvements for Windows (NewEraCracker)
    - fixes for test cases (NewEraCracker)
    - new feature: suhosin.log.max_error_length to limit the error output
    - fixed function_exists wrapper to ignore backslash-prefixes (#92)
    - backport of PHP bug 71152: mt_rand() returns the different values from original mt19937ar.c
    - removed dead code
    - better Debian integration
    - fixed perdir checks
    - merged PHP changes to RFC1867 code

2015-05-21 - 0.9.38
    - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
    - allow https location for suhosin.filter.action
    - fixed newline detection for suhosin.mail.protect
    - Added suhosin.upload.max_newlines to protect against DoS attacks via many MIME headers in RFC1867 uploads (CVE-2015-4024)
    - mail-related test cases now work on Linux

2014-12-12 - 0.9.37.1
    - Changed version string to 0.9.37.1 (without -dev)
    - Relaxed array index blacklist (removed '-') due to WordPress incompatibility

2014-12-03 - 0.9.37
    - Added SQL injection protection for Mysqli and several test cases
    - Added wildcard matching for SQL username
    - Added check for SQL username to only contain valid characters (>= ASCII 32)
    - Test cases for user_prefix and user_postfix
    - Added experimental PDO support
    - SQL checks other than mysql (Mysqli + old-style) must be enabled with configure --enable-suhosin-experimental, e.g. MSSQL
    - disallow_ws now matches all single-byte whitespace characters
    - remove_binary and disallow_binary now optionally allow UTF-8
    - Introduced suhosin.upload.allow_utf8 (experimental)
    - Reimplemented suhosin_get_raw_cookies()
    - Fixed potential segfault for disable_display_errors=fail (only on ARM)
    - Fixed potential NULL-pointer dereference with func.blacklist and logging
    - Logging timestamps are now localtime instead of GMT (thanks to mkrokos)
    - Added new array index filter (character whitelist/blacklist)
    - Set default array index blacklist to '"+-<>;()
    - Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
    - Added simple script to create a binary Debian package
    - Fixed additional recursion problems with the session handler
    - Suhosin now depends on php_session.h instead of version-specific struct code

2014-06-10 - 0.9.36
    - Added better handling of non-existing/non-executable shell scripts
    - Added protection against XSS/SQL/other injections through the User-Agent HTTP header
    - Fixed variable logging statistics being output on every include (ticket #37)
    - Added more entropy from /dev/urandom to internal random seeding (64 bit => 256 bit)
    - Added non-initialized stack variables to random seeding
    - Added php_win32_get_random_bytes for Windows compatibility in random seeding
    - Added suhosin.rand.seedingkey for an INI-supplied additional entropy string (idea: DavisNT)
    - Added suhosin.rand.reseed_every_request to allow reseeding on every request (idea: DavisNT)
    - Changed that calls to srand() / mt_srand() will trigger auto reseeding (idea: DavisNT)
    - Fixed problems with the SessionHandler() class and endless recursions
    - Added LICENSE file to make distributions happy

2014-02-24 - 0.9.35
    - From now on only PHP >= 5.4 is officially supported
    - Fixed problems with the hard memory_limit on 64-bit systems
    - Fixed problems with user-space session handlers due to a change in PHP 5.4.0
    - Added changes in PHP 5.5 session handler structures for PHP 5.5 compatibility
    - Fixed std post handler for PHP >= 5.3.11
    - Fixed suhosin logo in phpinfo() for PHP 5.5
    - Changed file upload handling for PHP >= 5.4.0 to use an up-to-date RFC1867 replacement code
    - Adapted suhosin to the PHP 5.5 executor
    - Added some test cases for various things
    - Added suhosin.log.stdout to log to stdout (for debugging purposes only)
    - Added ini_set() fail mode to suhosin.disable.display_errors
    - Fixed suhosin.get/post/cookie.max_totalname_length filter
    - Refactored array index handling in the filter so that it always works
    - Added support for PHP 5.6.0alpha2
    - WARNING: FUNCTION WHITELISTS/BLACKLISTS NEVER WORKED CORRECTLY WITH PHP < 5.5

2012-02-12 - 0.9.34
    - Added initial support for PHP 5.4.0
    - Fixed include whitelist and blacklist to support schemes with dots in their names
    - Fixed read after efree() that let function_exists() malfunction
    - Fixed build with the clang compiler
    - Added a request variable drop statistic log message

2012-01-19 - 0.9.33
    - Made clear that suhosin is incompatible with mbstring.encoding_translation=On
    - Stopped the mbstring extension from replacing POST handlers
    - Added detection of extensions manipulating POST handlers
    - Fixed: environment variables for logging no longer go through the filter extension
    - Fixed stack-based buffer overflow in transparent cookie encryption (see separate advisory)
    - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
    - Removed crypt() support, because it is not used for PHP >= 5.3.0 anyway

2010-07-23 - 0.9.32.1
    - Fixed missing header file resulting in compile errors

2010-07-23 - 0.9.32
    - Added support for memory_limit > 2GB
    - Fixed missing header file resulting in the wrong php_combined_lcg() prototype being used
    - Further improved random number seed generation by adding /dev/urandom entropy

2010-03-28 - 0.9.31
    - Fixed ZTS build of session.c
    - Increased session identifier entropy by using /dev/urandom if available

2010-03-25 - 0.9.30
    - Added line ending characters %0a and %0d to the list of dangerous characters handled by suhosin.server.encode and suhosin.server.strip
    - Fixed crash bug with PHP 5.3.x and the session module (due to changed session globals struct)
    - Added ! protection to the PHP session serializer
    - Fixed simulation mode so that it also affects (dis)allowed functions
    - Fixed missing return (1); in random number generator replacements
    - Fixed random number generator replacement error case behaviour in PHP 5.3.x
    - Fixed error case handling in function_exists() for PHP 5.3.x
    - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
    - Fixed suhosin_header_handler to be PHP 5.3.x compatible
    - Merged fixes and new features of PHP's file upload code into suhosin

2009-08-15 - 0.9.29
    - Fixed crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
    - Added a more compatible way to retrieve ext/session globals
    - Increased default length and count limit for POST variables (for people not reading the documentation)

2009-08-14 - 0.9.28
    - Fixed crash bug with PHP 5.2.10 caused by a change in the extension load order of ext/session
    - Fixed harmless parameter order error in a bogus memset()
    - Disabled suhosin.session.cryptua by default because of Internet Explorer 8 "features"
    - Added suhosin.executor.include.allow_writable_files, which can be disabled to disallow inclusion of files writable by the webserver

2008-08-23 - 0.9.27
    - Fixed typo in replacement rand() / mt_rand() that was hidden by lazy symbol loading

2008-08-22 - 0.9.26
    - Fixed problem with suhosin.perdir (thanks to Hosteurope for tracking this down)
    - Fixed problems with ext/uploadprogress (reported by: Christian Stocker)
    - Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
    - Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
    - Added better internal seeding of rand() and mt_rand()

2008-08-06 - 0.9.25
    - Fixed PHP 4 compilation problem introduced in 0.9.24
    - Fixed PHP 5.3 compilation problem
    - Changed PHP default POST handler to PHP's current handler

2008-05-10 - 0.9.24
    - Added support for method calls to function handling; this fixes white- and blacklists affecting methods with the same name
2008-01-14 - 0.9.23
    - Fixed: the suhosin extension now compiles with snapshots of PHP 5.3
    - Fixed crypt() to behave normally again when no salt is supplied

2007-12-01 - 0.9.22
    - Removed LFS warning message because it crashed on several systems

2007-11-30 - 0.9.21
    - Fixed function_exists() to check the Suhosin permissions
    - Fixed crypt() salt generation to no longer use Blowfish by default
    - Fixed .htaccess/perdir support
    - Fixed compilation problem on OS X
    - Added protection against some attacks through _SERVER variables
    - Added suhosin.server.strip and suhosin.server.encode
    - Added error message that warns about the LFS binary incompatibility

2007-05-19 - 0.9.20
    - Added protection flags against whitespace at variable start
    - Added mutex around crypt() to close the PHP crypt() thread-safety vulnerability class
    - Improved HTTP response splitting protection
    - Changed default maximum array depth to 50 for GPCR
    - Fixed possible endless loop in file logging
    - Fixed file locking in file logging

2007-05-01 - 0.9.19
    - Fixed typo in HTTP header protection (only during simulation mode) (reported by: Ilia Alshanetsky)
    - Fixed wrong \0 termination in cookie decryptor
    - Fixed possible crash in SERVER variables protection when SAPI=embedded (fix provided by: Olivier Blin/Mandriva Linux)
    - Added possibility to en-/disable INI_PERDIR (problem reported by: Ilia Alshanetsky)
    - Added PHP Warning when a disabled function is called
    - Added examples for new configuration options in suhosin.ini

2007-03-06 - 0.9.18
    - Fixed session double hooking in an edge case
    - Added additional crash protection for PHP's session module

2007-03-04 - 0.9.17
    - Added a suhosin.ini example configuration (thanks to Mandriva Linux for supplying one)
    - Added new logging device: file
    - Fixed that suhosin.filter.action did not affect POST limits
    - Fixed behaviour of the request variable limit to be an upper limit for the other settings instead of an additive limit
    - Fixed hard_memory_limit bypass due to a casting bug in PHP (problem found by: Ilia Alshanetsky)
    - Fixed some SQL prefix/postfix problems
    - Added experimental SQL injection heuristic

2006-12-02 - 0.9.16
    - Added suhosin.stealth, which controls whether suhosin loads in stealth mode when it is not the only zend_extension (required for full compatibility with certain encoders that consider open source untrusted, e.g. ionCube, Zend)
    - Activated suhosin.stealth by default
    - Fixed that Suhosin tried handling functions disabled by disable_functions; in v0.9.15 it was impossible to disable phpinfo() with disable_functions (problem found by: Thorsten Schifferdecker)

2006-11-28 - 0.9.15
    - Added a transparent protection for open phpinfo() pages by adding an HTML META ROBOTS tag to the output that forbids indexing and archiving

2006-11-22 - 0.9.14
    - Drop wrongly decrypted cookies instead of leaving them empty
    - Fixed another problem with urlencoded cookie names
    - Fixed compilation problem with PHP4
    - Added better regression testing to the release process to stop compilation and missing symbol problems

2006-11-20 - 0.9.13
    - More compatible support for ap_php_snprintf() for old PHP
    - Changed phpinfo() output to put the suhosin logo into a data: URL for Opera and Gecko based browsers when expose_php=off

2006-11-14 - 0.9.12
    - Added ap_php_snprintf() when compiling against PHP 4.3.9
    - Added suhosin.protectkey to remove cryptkeys from phpinfo() output
    - Disabled suhosin.cookie.encrypt in default install
    - Fixed static compilation against PHP 5.2.0

2006-11-06 - 0.9.11
    - Fixed input filter for simulation mode

2006-10-26 - 0.9.10
    - Fixed ZTS compile problem in new code
    - Fixed PHP4 compile problem in new code

2006-10-25 - 0.9.9
    - Fixed mail() protection that failed to detect some injected headers
    - Fixed cookie decryption to not potentially trash Apache memory
    - Fixed cookie encryption to handle url-encoded names correctly
    - Added suhosin.cookie/session.checkraddr
    - Added suhosin.cookie.cryptlist
    - Added suhosin.cookie.plainlist
    - Added suhosin_encrypt_cookie function for JS
    - Added suhosin_get_raw_cookies function
    - Changed dropped variable error messages

2006-10-08 - 0.9.8
    - Fixed a PHP4 ZTS compile problem

2006-10-08 - 0.9.7
    - Moved input handler hooking to a later place to ensure better compatibility with 3rd party extensions
    - Fixed a problem with overlong mail headers in mail protection
    - Fixed a problem with empty log/verification script names
    - Fixed a PHP4 compile problem with old gcc/in ZTS mode
    - Added mbregex.h from PHP4 to solve compile problems on systems with broken header installations

2006-10-02 - 0.9.6
    - Disallow symlink() when open_basedir is in effect (activated by default)
    - Fixed a problem with compilation in Visual Studio

2006-09-29 - 0.9.5
    - Added missing logo file
    - Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x

2006-09-29 - 0.9.4
    - Added version number and logo to phpinfo() output
    - Fixed that all uploaded files were dropped after a single one was disallowed
    - Added undocumented suhosin.coredump flag to tell suhosin to dump core instead of logging S_MEMORY events
    - Disabled handling of rfc1867 mbstring decoding

2006-09-24 - 0.9.3
    - Added protection against endless recursion for suhosin.log.phpscript
    - Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
    - Added suhosin.executor.include.max_traversal to stop directory traversal includes

2006-09-19 - 0.9.2
    - Fixed broken rfc1867 fileupload hook
    - Changed definition of binary to: 0..31, 128..255 except whitespace
    - Added suhosin.log.phpscript(.name) directive to log to a PHP script

2006-09-16 - 0.9.1
    - A bunch of changes to compile and work on Windows

2006-09-09 - BETA
    - Added decryption of HTTP_COOKIE
    - Fixed a last problem in the suhosin_strcasestr() helper function

2006-09-08 - BETA
    - Fixed a problem within suhosin_strcasestr() because it broke URL checks

2006-09-07 - BETA
    - The CVS version of PHP 5.2.0 was changed to support case-insensitive URLs; support for this was added to suhosin
    - Fixed a problem when preg_replace() was called with more than 4 parameters
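The request-variable rules that several entries above describe (0.9.2: binary means bytes 0..31 and 128..255 except whitespace; 0.9.20: whitespace at variable start; 0.9.37: disallow_ws covering every single-byte whitespace character, the optional UTF-8 allowance for remove_binary/disallow_binary, and the array index character blacklist; 0.9.37.1: that blacklist without '-') are restated below as a small Python model. This is an added example, not Suhosin's own code: the dataclass field names, the way array nesting depth is counted, the drop-reason strings and the sample request are assumptions made for illustration.

```python
"""Model of the Suhosin-style request-variable checks named in this changelog.

Added example, not Suhosin's code.  Field names, depth counting, reason
strings and the sample request are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Single-byte whitespace: exempt from the binary definition and what
# disallow_ws looks for at the start of a value.
WHITESPACE = b" \t\n\r\x0b\x0c"
ARRAY_INDEX_RE = re.compile(rb"\[([^\]]*)\]")


@dataclass
class FilterConfig:
    # '"+-<>;() was the 0.9.37 default; 0.9.37.1 removed '-' for WordPress.
    array_index_blacklist: str = "'\"+<>;()"
    max_array_depth: int = 50        # 0.9.20 default for GET/POST/COOKIE/REQUEST
    disallow_ws: bool = True         # drop values that start with whitespace
    disallow_binary: bool = True     # drop values that contain binary bytes
    remove_binary: bool = False      # strip binary bytes instead of dropping
    allow_utf8: bool = False         # valid UTF-8 high bytes count as text


def is_binary_byte(b: int) -> bool:
    """0.9.2 definition: control and high bytes, whitespace excepted."""
    return (b < 32 or b >= 128) and b not in WHITESPACE


def binary_offsets(value: bytes, allow_utf8: bool) -> set[int]:
    """Offsets of the bytes the filter treats as binary."""
    if allow_utf8:
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            pass   # not valid UTF-8: fall through to the byte-wise rule
        else:
            return {i for i, b in enumerate(value) if b < 32 and b not in WHITESPACE}
    return {i for i, b in enumerate(value) if is_binary_byte(b)}


def check_name(name: bytes, cfg: FilterConfig) -> str | None:
    """Return a drop reason for a variable name, or None if it passes."""
    _base, bracket, rest = name.partition(b"[")
    if not bracket:
        return None                     # plain scalar, nothing to check
    indices = ARRAY_INDEX_RE.findall(bracket + rest)
    if len(indices) > cfg.max_array_depth:
        return "array depth %d exceeds %d" % (len(indices), cfg.max_array_depth)
    blacklist = cfg.array_index_blacklist.encode()
    for idx in indices:
        if any(b in blacklist for b in idx):
            return "blacklisted character in array index %r" % idx
    return None


def filter_request(raw: dict[bytes, bytes], cfg: FilterConfig):
    """Apply the checks to raw name/value pairs.

    Returns (accepted, dropped): accepted maps names to (possibly cleaned)
    values, dropped lists (name, reason) pairs in input order.
    """
    accepted: dict[bytes, bytes] = {}
    dropped: list[tuple[bytes, str]] = []
    for name, value in raw.items():
        reason = check_name(name, cfg)
        if reason is None and cfg.disallow_ws and value and value[0] in WHITESPACE:
            reason = "whitespace at variable start"
        if reason is None:
            bad = binary_offsets(value, cfg.allow_utf8)
            if bad and cfg.remove_binary:
                value = bytes(b for i, b in enumerate(value) if i not in bad)
            elif bad and cfg.disallow_binary:
                reason = "binary byte at offset %d" % min(bad)
        if reason is None:
            accepted[name] = value
        else:
            dropped.append((name, reason))
    return accepted, dropped


# Constructed sample request; not captured traffic.
SAMPLE_REQUEST = {
    b"user": b"alice",
    b"comment": b" leading space",             # caught by disallow_ws
    b"name[<script>]": b"x",                   # '<' is a blacklisted index char
    b"payload": b"abc\x00def",                 # NUL is a binary byte
    b"city": "Z\u00fcrich".encode("utf-8"),    # high bytes, but valid UTF-8
    b"blob": b"\xff\xfe",                      # high bytes, invalid UTF-8
    b"deep" + b"[0]" * 51: b"v",               # 51 levels > max_array_depth
}


def demo(allow_utf8: bool = False):
    return filter_request(SAMPLE_REQUEST, FilterConfig(allow_utf8=allow_utf8))


if __name__ == "__main__":
    for allow in (False, True):
        accepted, dropped = demo(allow)
        print("allow_utf8=%s accepted=%s" % (allow, sorted(accepted)))
        for name, why in dropped:
            print("  dropped %r: %s" % (name, why))
```

With allow_utf8 off, the UTF-8 value "Zürich" is dropped like any other high-byte input; with it on, only invalid UTF-8 (the `blob` value) still counts as binary. Switching to remove_binary instead of disallow_binary keeps the variable and strips the offending bytes, which is the behaviour to reason about when a stripped value might change meaning downstream.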
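The 0.9.38 entry adds suhosin.upload.max_newlines against CVE-2015-4024, a denial of service through a multipart/form-data body carrying a huge number of MIME header lines in one part. The Python below is an added example, not Suhosin's or PHP's code: a minimal multipart parser that counts header lines per part while scanning and refuses the request the moment the cap is crossed. The default limit, the boundary string, the error texts and the sample bodies are assumptions made here, and the boundary handling is deliberately simplified (the body is split in memory rather than streamed).

```python
"""Bounded parsing of multipart/form-data part headers.

Added example, not Suhosin's or PHP's code.  Models a per-part header-line
cap like suhosin.upload.max_newlines; limit, boundary, error texts and the
sample bodies are assumptions.
"""
from __future__ import annotations


class UploadRejected(Exception):
    """Raised when a part violates the upload policy."""


def parse_multipart(body: bytes, boundary: bytes, max_newlines: int = 100):
    """Return a list of (headers, payload) tuples or raise UploadRejected.

    Header lines are counted one by one while a part is scanned; as soon as
    the count passes max_newlines the whole request is refused, so the rest
    of a hostile part is never parsed.
    """
    delimiter = b"--" + boundary
    parts: list[tuple[dict[bytes, bytes], bytes]] = []
    # Everything before the first delimiter is preamble and is ignored.
    for section in body.split(delimiter)[1:]:
        if section.startswith(b"--"):           # "--boundary--": end of body
            break
        if not section.startswith(b"\r\n"):
            raise UploadRejected("delimiter not followed by CRLF")
        head, sep, payload = section[2:].partition(b"\r\n\r\n")
        if not sep:
            raise UploadRejected("part has no header terminator")
        headers: dict[bytes, bytes] = {}
        lines = 0
        for line in head.split(b"\r\n"):
            lines += 1
            if lines > max_newlines:
                raise UploadRejected(
                    "more than %d header lines in one part" % max_newlines)
            name, colon, value = line.partition(b":")
            if not colon:
                raise UploadRejected("malformed header line %r" % line)
            headers[name.strip().lower()] = value.strip()
        if payload.endswith(b"\r\n"):           # CRLF belongs to the next delimiter
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts


BOUNDARY = b"----exampleboundary"   # assumed boundary for the samples


def build_body(junk_headers: int) -> bytes:
    """Constructed upload body: one text file plus N junk header lines."""
    junk = b"".join(b"X-Junk-%d: x\r\n" % i for i in range(junk_headers))
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
            b"Content-Type: text/plain\r\n" + junk + b"\r\n"
            b"hello\r\n"
            b"--" + BOUNDARY + b"--\r\n")


def accept_upload(body: bytes, max_newlines: int = 100) -> tuple[bool, str]:
    """Policy wrapper: (True, summary) or (False, reason)."""
    try:
        parts = parse_multipart(body, BOUNDARY, max_newlines)
    except UploadRejected as exc:
        return False, str(exc)
    return True, "%d part(s) accepted" % len(parts)


if __name__ == "__main__":
    print(accept_upload(build_body(0)))        # benign: one part
    print(accept_upload(build_body(50_000)))   # hostile: refused at the cap
```

The cap counts every header line of a part, including the legitimate Content-Disposition and Content-Type lines, so a real deployment value has to leave room for the headers well-behaved clients send; a limit that is too low breaks uploads rather than attackers.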