PHP 5.3.1 Released, Security Beefed Up
by Marc Plotz
January 12, 2010
|
By focusing on stability and security, the PHP team has introduced more than 100 bug fixes and tweaks to the overall framework.
|
Introduction
The PHP development team recently introduced the latest version of the new PHP 5.3 branch, PHP 5.3.1. This version essentially does not change the essential core 5.3 PHP engine, but by focusing on stability and security, the PHP team has introduced more than 100 bug fixes and tweaks to the overall framework.
Something that I find very encouraging is the PHP team's very conscious drive to empower the security features of PHP. There was a time not so long ago when PHP was considered rather unsafe for commercial purposes, but now I think that sentiment is changing and the world is becoming open to the power of PHP, as well as it's usefulness.
The most significant and security-conscious addition in PHP 5.3.1 is the inclusion of a max_file_uploads INI directive, making it possible to limit file uploads per request to 20 files by default. This is extremely important in circumventing denial of service (DoS) attacks.
If you have not heard of denial of service attacks, the basic principle is that a website gets pounded with hundreds or even thousands of requests at the same time, thus rendering the server essentially useless because all of its sources are being consumed in serving the attack. Thus, a user having unlimited upload possibilities certainly could bring a production server to its knees by constantly uploading something like one hundred files repeatedly from various machines. You could in effect have 1000 or more files being uploaded at the same time, and a slow or shared server will not handle that well at all. Even a dedicated server would struggle considerably. So, what max_file_uploads does is make sure that no more than 20 files can be uploaded at a time on that server.
Other bug fixes include missing sanity checks around EXIF (exchangeable image file format) processing, while Rasmus Lerdorf himself fixed a safe_mode bypass in tempnam(). An open_basedir bypass in posix_mkfifo() was also repaired, along with the failing safe_mode_include_dir. You can see the CHANGELOG for more details.
An Evolutionary Step Forward
If you are new to PHP 5.3, it is important to understand that this version is not simply a revision within a whole; PHP 5.3 is an important step in the evolution of PHP and something of a testing platform for PHP 6. Indeed, PHP 5.3 integrates namespaces, which itself is a major new OOP standard in the PHP arsenal, and due to be fully implemented within PHP 6.
PHP itself has been a while in the making though. What separates PHP from other languages such as C# and Java is that PHP has evolved. We all know that the original version of PHP (then called Personal Home Pages) was released in 1995 by Rasmus Lerdorf. By the time PHP reached version 3, it was already an extremely powerful procedural programming language. PHP 4 introduced rudimentary OOP implementations, and PHP 5 represents a rather stable and concise OOP model. Now, PHP 5.3 implements namespaces.
The changes implemented by the PHP development team are extremely important for PHP and the PHP community as a whole. Bringing the entire framework together as a safe and concise model of safety and power at the same time is no easy task, and should not be taken lightly. It is certainly in your best interest to get yourself running on the latest version of PHP right now (grab your copy from PHP.NET.)
Until next time...
|
