
Initial commit

commit 36dbfacbe64697d959f524e537b15b73c090d898 (0 parents), Stefan Esser committed Feb 21, 2010
Showing with 13,967 additions and 0 deletions.
  1. +2 −0 CREDITS
  2. +223 −0 Changelog
  3. +382 −0 aes.c
  4. +1,001 −0 compat_snprintf.c
  5. +9 −0 config.m4
  6. +11 −0 config.w32
  7. +214 −0 crypt.c
  8. +751 −0 crypt_blowfish.c
  9. +163 −0 crypt_md5.c
  10. +37 −0 crypt_md5.h
  11. +355 −0 crypt_win32.c
  12. +60 −0 crypt_win32.h
  13. +450 −0 ex_imp.c
  14. +1,750 −0 execute.c
  15. +353 −0 header.c
  16. +732 −0 ifilter.c
  17. +404 −0 log.c
  18. +26 −0 mbregex.h
  19. +515 −0 mbregex/COPYING.LIB
  20. +213 −0 mbregex/mbregex.h
  21. +90 −0 memory_limit.c
  22. +420 −0 php_suhosin.h
  23. +114 −0 post_handler.c
  24. +1,355 −0 rfc1867.c
  25. +714 −0 session.c
  26. +432 −0 sha256.c
  27. +38 −0 sha256.h
  28. +1,248 −0 suhosin.c
  29. +444 −0 suhosin.ini
  30. +180 −0 suhosin_logo.h
  31. +88 −0 suhosin_rfc1867.h
  32. +3 −0 tests/empty.inc
  33. +18 −0 tests/executor/disable_emod_off.phpt
  34. +19 −0 tests/executor/disable_emod_on.phpt
  35. +15 −0 tests/executor/disable_eval_off.phpt
  36. +17 −0 tests/executor/disable_eval_on.phpt
  37. +29 −0 tests/executor/memory_limit.phpt
  38. +28 −0 tests/executor/memory_limit_other_hardlimit.phpt
  39. +18 −0 tests/executor/negative_memory_limit.phpt
  40. +30 −0 tests/executor/preg_replace.phpt
  41. +32 −0 tests/executor/preg_replace_error.phpt
  42. +31 −0 tests/executor/recursion_maxdepth.phpt
  43. +24 −0 tests/filter/get_globals.phpt
  44. +13 −0 tests/funcs/crypt_blowfish.phpt
  45. +12 −0 tests/funcs/crypt_ext_des.phpt
  46. +11 −0 tests/funcs/crypt_md5.phpt
  47. +11 −0 tests/funcs/crypt_std_des.phpt
  48. +40 −0 tests/funcs/sha256.phpt
  49. +17 −0 tests/include/include_constant.phpt
  50. +23 −0 tests/include/include_etc_passwd.phpt
  51. +17 −0 tests/include/include_once_constant.phpt
  52. +19 −0 tests/include/include_once_tmpvar.phpt
  53. +18 −0 tests/include/include_once_var.phpt
  54. +19 −0 tests/include/include_tmpvar.phpt
  55. +18 −0 tests/include/include_var.phpt
  56. +17 −0 tests/include/require_constant.phpt
  57. +17 −0 tests/include/require_once_constant.phpt
  58. +19 −0 tests/include/require_once_tmpvar.phpt
  59. +18 −0 tests/include/require_once_var.phpt
  60. +19 −0 tests/include/require_tmpvar.phpt
  61. +18 −0 tests/include/require_var.phpt
  62. +4 −0 tests/skipif.inc
  63. +8 −0 tests/skipifcli.inc
  64. +8 −0 tests/skipifnotcli.inc
  65. +216 −0 treat_data.c
  66. +367 −0 ufilter.c
@@ -0,0 +1,2 @@
+suhosin
+Stefan Esser
223 Changelog
@@ -0,0 +1,223 @@
+2009-08-15 - 0.9.29
+
+ - Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
+ - Added more compatible way to retrieve ext/session globals
+ - Increased default length and count limit for POST variables (for people not reading docu)
+
+2009-08-14 - 0.9.28
+
+ - Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
+ - Fixed harmless parameter order error in a bogus memset()
+ - Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
+ - Added suhosin.executor.include.allow_writable_files which can be disabled to disallow
+ inclusion of files writable by the webserver
+
+2008-08-23 - 0.9.27
+
+ - Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
+
+2008-08-22 - 0.9.26
+
+ - Fixed problem with suhosin.perdir
+ Thanks to Hosteurope for tracking this down
+ - Fixed problems with ext/uploadprogress
+ Reported by: Christian Stocker
+ - Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
+ - Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
+ - Added better internal seeding of rand() and mt_rand()
+
+2008-08-06 - 0.9.25
+
+ - Fixed PHP 4 compilation problem introduced in 0.9.24
+ - Fixed PHP 5.3 compilation problem
+ - Changed PHP default POST handler to PHP's current handler
+
+2008-05-10 - 0.9.24
+
+ - Added support for method-calls to function handling
+ - This fixes white- and blacklist affecting methods with the same name
+
+2008-01-14 - 0.9.23
+
+ - Fixed suhosin extension now compiles with snapshots of PHP 5.3
+ - Fixed crypt() behaves like normal again when there is no salt supplied
+
+2007-12-01 - 0.9.22
+
+ - Removed LFS warning message because it crashed on several systems
+
+2007-11-30 - 0.9.21
+
+ - Fixed function_exists() now checks the Suhosin permissions
+ - Fixed crypt() salt no longer uses Blowfish by default
+ - Fixed .htaccess/perdir support
+ - Fixed compilation problem on OS/X
+ - Added protection against some attacks through _SERVER variables
+ - Added suhosin.server.strip and suhosin.server.encode
+ - Added error message that warns about the LFS binary incompatibility
+
+2007-05-19 - 0.9.20
+
+ - Added protection flags against whitespace at variable start
+ - Added mutex around crypt() to close the PHP crypt()
+ thread safety vulnerability class
+ - Improved HTTP Response Splitting Protection
+ - Changed default maximum array depth to 50 for GPCR
+ - Fixed possible endless loop in file logging
+ - Fixed file locking in file logging
+
+2007-05-01 - 0.9.19
+
+ - Fixed typo in HTTP header protection (only during simulation mode)
+ Reported by: Ilia Alshanetsky
+ - Fixed wrong \0 termination in cookie decryptor
+ - Fixed possible crash in SERVER variables protection when SAPI=embedded
+ Fix provided by: Olivier Blin/Mandriva Linux
+ - Added possibility to en-/disable INI_PERDIR
+ Problem reported by: Ilia Alshanetsky
+ - Added PHP Warning when disabled function is called
+ - Added examples for new configuration option in suhosin.ini
+
+2007-03-06 - 0.9.18
+
+ - Fixed session double hooking in edge case
+ - Added additional crash protection for PHP's session module
+
+2007-03-04 - 0.9.17
+
+ - Added a suhosin.ini example configuration
+ Thanks to Mandriva Linux for supplying us with one
+ - Added new logging device: file
+ - Fixed that suhosin.filter.action did not affect POST limits
+ - Fixed behaviour of request variable limit to be an upper limit
+ for the other settings instead of being additive limit
+ - Fixed hard_memory_limit bypass due to casting bug in PHP
+ Problem was found by: Ilia Alshanetsky
+ - Fixed some sql prefix/postfix problems
+ - Added experimental SQL injection heuristic
+
+2006-12-02 - 0.9.16
+
+ - Added suhosin.stealth which controls if suhosin loads in
+ stealth mode when it is not the only zend_extension
+ (Required for full compatibility with certain encoders
+ that consider open source untrusted. e.g. ionCube, Zend)
+ - Activate suhosin.stealth by default
+ - Fixed that Suhosin tries handling functions disabled by
+ disable_function. In v0.9.15 it was impossible to disable
+ phpinfo() with disable_function.
+ Problem was found by: Thorsten Schifferdecker
+
+2006-11-28 - 0.9.15
+
+ - Added a transparent protection for open phpinfo() pages by
+ adding an HTML META ROBOTS tag to the output that forbids
+ indexing and archiving
+
+2006-11-22 - 0.9.14
+
+ - Drop wrongly decrypted cookies instead of leaving them empty
+ - Fix another problem with urlencoded cookie names
+ - Fix compilation problem with PHP4
+ - Added better regression to the release process to stop
+ compilation and missing symbol problems
+
+2006-11-20 - 0.9.13
+
+ - More compatible support for ap_php_snprintf() for old PHP
+ - Changed phpinfo() output to put suhosin logo into a data: URL
+ for Opera and Gecko based browsers when expose_php=off
+
+2006-11-14 - 0.9.12
+
+ - Adding ap_php_snprintf() when compiling against PHP 4.3.9
+ - Added suhosin.protectkey to remove cryptkeys from phpinfo() output
+ - Disabled suhosin.cookie.encrypt in default install
+ - Fixed static compilation against PHP 5.2.0
+
+2006-11-06 - 0.9.11
+
+ - Fixed input filter for simulation mode
+
+2006-10-26 - 0.9.10
+
+ - Fixed ZTS compile problem in new code
+ - Fixed PHP4 compile problem in new code
+
+2006-10-25 - 0.9.9
+
+ - Fixed mail() protection that failed to detect some injected headers
+ - Fixed cookie decryption to not potentially trash apache memory
+ - Fixed cookie enctyption to handle url encoded names correctly
+ - Added suhosin.cookie/session.checkraddr
+ - Added suhosin.cookie.cryptlist
+ - Added suhosin.cookie.plainlist
+ - Added suhosin_encrypt_cookie function for JS
+ - Added suhosin_get_raw_cookies function
+ - Changed dropped variable error messages
+
+2006-10-08 - 0.9.8
+
+ - Fixed a PHP4 ZTS compile problem
+
+2006-10-08 - 0.9.7
+
+ - Moved input handler hooking to a later place to ensure better compatibility
+ with 3rd party extensions
+ - Fixed a problem with overlong mail headers in mail protection
+ - Fixed a problem with empty log/verification script names
+ - Fixed a PHP4 compile problem with old gcc/in ZTS mode
+ - Added mbregex.h from PHP4 to solve compile problems on systesm with broken
+ header installations
+
+2006-10-02 - 0.9.6
+
+ - Disallow symlink() when open_basedir (activated by default)
+ - Fix a problem with compilation in Visual Studio
+
+2006-09-29 - 0.9.5
+
+ - Added missing logo file
+ - Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
+
+2006-09-29 - 0.9.4
+
+ - Added version number and logo to phpinfo() output
+ - Fixed that all uploaded files are dropped after a single one was disallowed
+ - Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
+ of logging S_MEMORY events
+ - Disable handling of rfc1867 mbstring decoding
+
+2006-09-24 - 0.9.3
+
+ - Added protection against endless recursion for suhosin.log.phpscript
+ - Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
+ - Added suhosin.executor.include.max_traversal to stop directory traversal includes
+
+2006-09-19 - 0.9.2
+
+ - Fixes broken rfc1867 fileupload hook
+ - Changed definition of binary to: 0..31, 128..255 except whitespace
+ - Added suhosin.log.phpscript(.name) directive to log to a PHP script
+
+2006-09-16 - 0.9.1
+
+ - A bunch of changes to compile and work on Windows
+
+2006-09-09 - BETA
+
+ - Added decryption of HTTP_COOKIE
+ - Fixed a last problem in suhosin_strcasestr() helper function
+
+2006-09-08 - BETA
+
+ - Fixed a problem within suhosin_strcasestr() because it broke
+ URL checks
+
+2006-09-07 - BETA
+
+ - CVS version of PHP 5.2.0 was changed to support incasesensitive
+ URLs, support for this in suhosin added
+ - Fixed a problem when preg_replace() was called with more than
+ 4 parameters
+
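Review bot: several spelling errors in the Changelog entries should be fixed before this lands: "enctyption" in the 0.9.9 entry for "encryption", "systesm" in the 0.9.7 entry for "systems", "incasesensitive" in the 2006-09-07 entry for "case-insensitive", and "docu" in the 0.9.29 entry for "documentation". The 0.9.16 entry names the PHP directive "disable_function" twice; the directive is disable_functions. The three September 2006 entries are labelled only "BETA" with no version number, so readers cannot match them to a release; consider giving them the pre-0.9.1 version or snapshot tag they shipped as.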