Re: wheezy still missing php5-suhosin
On 11/04/2013 6:11 PM, Joe wrote:
> A working commercial PHP programmer probably could, but I'm not sure it
> would help. PHP is a programming language, running on a web server,
> which needs to access the server's databases, drives, memory etc.
> There's no way it can be made secure, any more than C++ could be
> redesigned to prevent programmers making off-by-one errors, for
> example. The sword either has two edges or none.
If data is passed via forms or via GET or POST and that data isn't
properly handled by php itself, then it may produce a buffer overrun
situation ... possibly before the data gets passed through to the
webpage code; if this can be fixed by an extension or hardening patch,
then great, if not, then we are in trouble. Once data gets past php
handling and into variables, it becomes the programmer's responsibility
to validate the inputs and make sure that there is no data injection or
other misuse issue.
> Early PHP implementations had insecure features for lazy programmers,
> for example allowing HTTP form parameters to be used directly as
> variables in programs, rather than obtaining their values and checking
> them before storing the checked and interpreted values in program
> variables. Because so much software uses this very dangerous 'feature',
> it must be retained, but it is normally disabled by default. Suhosin,
> among many other things, will warn about this feature being enabled, or
> turn it off if so configured. Later and later versions of PHP have
> become much stricter in many ways, and have offered features like
> Perl's optional variable discipline, so many of the Suhosin features are
> no longer required. Not only that, but Suhosin will warn about things
> which are now (mostly) safe to do.
> It's not so much that PHP itself is a problem, but that PHP software
> on public web servers is completely exposed to any and every kind of
> attack, and that programmers need to be extremely disciplined to write
> secure code. You can assist with this kind of discipline in writing a
> programming language, but you can't enforce it. If the group of PHP
> programmers for a particular web server were to read the Suhosin
> specification, and write all their code so as not to activate any of
> its protections, then that in itelf would help enormously in securing
> the server. Having Suhosin actually installed will also catch their
> mistakes. But as stated, Suhosin has not been well maintained and many
> of its features have become subsumed into PHP itself or have become
> actively irritating or obstructive, so currently in Wheezy it is seen as
> more of a liability than an asset. It was dropped from Sid long ago, of
> course, before Wheezy had frozen, but then you wouldn't run a public
> web server on Sid.
I would like to know that everything that was providing protection via
Suhosin has been incorporated into PHP core, that would be the most
logical way to deal with the problem, rather than having 3rd party
patches and extensions.
Actually it does appear to still be in SID: