About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.

PHP Security Announcements

I've been asked about the "security issues" that prompted the release of PHP versions 4.3.10 and 5.0.3 enough times to warrant blogging about it. I understand the concern - you visit php.net and see:

The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues.

Very serious security issues? That sounds "very serious." You read the PHP 5 ChangeLog (or maybe the PHP 4 one) and see a big list of changes. At most, you can identify two changes that might be security fixes:

  • Fixed potential problems with unserializing invalid serialize data.
  • Fixed a bug in addslashes() handling of the '\0' character.

Luckily, better information is available:

Update: Ilia points out the 4.3.10 release notes, which have more information.

About this post

PHP Security Announcements was posted on Mon, 20 Dec 2004.


1. Davey said:

I actually found that the Announcement on php-announce ML had all the information on the security risks.

See here: http://news.php.net/php.announce/54

Mon, 20 Dec 2004 at 06:20:09 GMT

2. Aaron Wormus said:

That addslashes problem looks like the same thing they fixed for strip_tags() way back in June... you'd think the QA process would catch these things.

Mon, 20 Dec 2004 at 06:51:41 GMT

3. Ilia Alshanetsky said:

The release announcement which was sent via e-mail and published on PHP.net website (http://www.php.net/release_4_3_10.php) clearly outlines the main security problems.

Mon, 20 Dec 2004 at 14:02:48 GMT

4. Chris Shiflett said:

Thanks, Ilia.

Mon, 20 Dec 2004 at 16:00:03 GMT
