Is php 5.4 safe without Suhosin?


Question

I'm currently working on developing a PHP CMF which will eventually be commercially available and I want to use traits. The problem however is that traits are a PHP 5.4 feature and apparently the popular Suhosin security patch isn't compatible with PHP 5.4.

So my question is this: is it safe to run a PHP website without the Suhosin security patch? If not, what vulnerabilities would I be leaving myself and other people using my CMF open to?

Note: I'm not concerned about shared hosting. It's expected that anyone using my CMF would have administrative control over their web server.

Recommended answer

Suhosin was a PHP hardening patch. It did not patch any explicit security vulnerabilities -- it merely made some vulnerabilities in PHP scripts more difficult to exploit.

Some of the changes which Suhosin made were eventually rolled into PHP. For instance, Suhosin's various layers of protection against null bytes in inputs were made unnecessary by PHP 5.3.4, which made null bytes in filenames always throw an error (rather than silently truncating the filename at the null byte).

PHP 5.4 is generally regarded to be reasonably safe without Suhosin involved. Going forward, so long as your application supports it, you will be better off with a newer (5.4+) version of PHP, rather than an older version with the Suhosin patch.
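
The null-byte point in the answer above, as an added example that is not part of the original answer: a hypothetical `resolve_template()` helper a CMF could use to reject NUL bytes and path escapes itself, so the result does not depend on Suhosin or on the PHP version in use. The function name, directory layout and sample inputs are constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not from the original post).
// Resolves a user-supplied template name to a file inside $baseDir and
// refuses anything that could change which file is opened.
function resolve_template($baseDir, $name)
{
    // Reject NUL explicitly: before PHP 5.3.4 the filename was silently
    // truncated at the NUL byte, later versions raise an error instead.
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return false;
    }
    // Allow-list the name so separators and dots never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() returns false for missing files and resolves symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // Confirm the resolved file is still inside the template directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Constructed sample data: a temporary template directory with one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmf_tpl_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php // template');

// Constructed inputs: valid name, NUL byte, traversal, missing file.
$samples = array('home', "home\0.txt", '../home', 'missing');
foreach ($samples as $s) {
    $result = resolve_template($dir, $s);
    printf("%-14s => %s\n", addcslashes($s, "\0"), $result === false ? 'rejected' : 'ok');
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```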
