In response to yesterday's tip of the day on PHP security
, a number of readers wrote in to point to the minutes of a PHP developer meeting, discussing upcoming changes in PHP 6. Now PHP 6 may seem far away. But you can't start early enough to think about how to make sure project work well with it.
From a first read, I am not quite happy with the security related changes. But the document is brief and may not explain all the details. So here a few of the security related highlights.
- Dealing with Unicode. Not directly security related. But this could affect some validation functions. Overall there appears to be a global switch covering how to deal with unicode.
- register_globals is going to go away (Finally ;-) ). This option, which "way back" used to be the default, has been one of the big problems in the past.
- magic_quotes is going to go away. Not sure if I like this. 'magic_quotes' has been an issue for developers who had no control over the php configuration (e.g. shared hosting) and had to cover both cases (quotes on/off). But it has been a valuable safety net for others.
- safe_mode feature is going to be removed. Another questionable choice IMHO. The feature had problems in the past, but then again, I would rather see them fixed then have them go away.
- the SOAP extension will support more security options. But it will also be turned on by default.
- the "Hardened PHP patch" will be included (at least pieces of it. Nice!).
- looks like there will be no 'taint' mode, but there may be 'sandboxing'. The notes are a bit brief on this.
- No more '<%'. This could be an issue if your PHP code is using '<%' and will now no longer be parsed, but instead the source code will be visible.
So thats the quick summary of the (already quite brief) document. For a more detailed discussion you will likely have to check the PHP developer mailing lists. I am not that familiar with PHP politics, so I am not sure how flexible these changes are. There are PHP 6.0 development snapshots available at this point. But at least to me, PHP 5 is still quite new ;-). PHP has had a good history of supporting older versions, so there is no reason to panic quite yet.
For the full document, see Minutes PHP Devlopers Meeting
I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019