On 11/04/2013 5:40 AM, Bob Proulx wrote: > What I have read (caution unverified) is that the PHP interpreter > isn't intrinsically insecure. It only becomes that way when used with > insecure php code. Which makes sense. Any upstream interpreter > vulnerability would have a CVE number associated with it that would be > tracked. I see people calling for those reports but none are being > provided for any current vulnerabilities. Yes, but insecure code is so easy to make and even the so called experts are making them. There is even an O'Reilly book that has wrong information that is leading programmers astray. The protections provided by Suhosin in the past may _always_ be required and necessary. It's not as bad as 95% of people running Java are using older versions that are known to be exploitable, but there is plenty of exploitable PHP code -- some may remain for years on non-patched servers, but new and properly patched servers shouldn't be part of the problem. PHP needs to, upstream, make sure that programming flaws cannot be exploited and that is what Suhosin aims to achieve. Bad code will be there, we need to be protected from it one way or another. Cheers A.
Description: OpenPGP digital signature