PHP 5.2.0 brings security fixes and new functions
The new version 5.2.0 of the open source scripting language PHP not only replaces the 5.1 series, it also closes several security holes. The developers have also incorporated new functions to increase security and improve usability.
The new allow_url_include option controls whether includes may contain URLs; by default, URLs are forbidden. The PostgreSQL and PDO extensions now check the character sets whenever possible. PHP 5.2.0 also checks the safe_mode and open_basedir settings in the cURL extension. Overflows on 64-bit systems in the str_repeat() and wordwrap() functions were also fixed. It is no longer possible to bypass the PHP settings through the ini_restore() function.
Stefan Esser also reported vulnerabilities in the htmlspecialchars() and htmlentities() functions through which attackers could provoke buffer overflows. Because these functions filter user input before it is output in HTML pages, they are a constant presence in PHP applications, and the flaws must therefore be viewed as particularly critical. This hole, present in PHP 5.1.6 and previous versions, is also closed in version 5.2.0. The bug is confirmed for PHP 4.4.4 and previous versions as well. Unfortunately, there are currently no official updates for PHP 4 available. However, some Linux distributors offer updated packages.
The developers also included non-security-related improvements in PHP 5.2.0. The Zend engine received a new memory manager aimed at improving speed. The new memory manager also has the side benefit of closing a vulnerability in the unserialize() function. New extensions are intended to improve usability, such as PHP's new default support for input filtering and ZIP. With the JSON extension, data and objects in PHP notation can be converted to JavaScript Object Notation. Also new are Data and DateTime objects. The libraries delivered together with PHP are also included in updated form.
The programmers report that they have removed some 200 additional flaws in all and generally improved performance. In an announcement of the new version on the project homepage, PHP's developers advise users to make the switch to PHP 5.2.0 as soon as possible.
- Release notes with changelog for PHP 5.2.0
- PHP HTML Entity Encoder Heap Overflow Vulnerability, security advisory from Stefan Esser