HOME

TheInfoList



OR:

Suhosin (Korean 수호신, , meaning "guardian angel") is an
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
patch Patch or Patches may refer to: Arts, entertainment and media * Patch Johnson, a fictional character from ''Days of Our Lives'' * Patch (''My Little Pony''), a toy * "Patches" (Dickey Lee song), 1962 * "Patches" (Chairmen of the Board song) ...
for
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group ...
and also a PHP extension, written by the German compan
Sektion Eins
The patch and the extension are two independent parts, that can be used separately or in combination. "The goal behind Suhosin is to be a safety net that protects servers from insecure PHP coding practices." Suhosin also reduces the "attackable surface" that PHP adds to a
Web Server A web server is computer software and underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiate ...
through function whitelists, resource limits, transparent session and cookie encryption, binary content filter, logging and various other protections. This reduces the risk of deploying previously deemed unsafe PHP programs and protects against known and unknown attacks.


Features

While the original patch included several low-level memory-related hardenings, those features aren't present in the modules, but most of them have been upstreamed into PHP. * Cookies encryption: to mitigate
XSS Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...
-based cookies stealing, the cookies are encrypted, so an attacker could not get their values, and they are tied to the user-agent and part of the IP address of the user, making a stolen cookie unusable by the attacker. * Inclusion protection: Uploaded and remote files can't be included, mitigating arbitrary file inclusion attacks. * Disabling common code execution vectors: the ''eval'' keyword isn't a real function in PHP, thus it can't be disabled with the ''disable_function'' directive, but Suhosin added this possibility, and also allowing to disable the infamous ''/e'' operator for the ''preg_replace'' function that can lead to arbitrary code execution. * Protection against
infinite recursion In computer programming, an infinite loop (or endless loop) is a sequence of instructions that, as written, will continue endlessly, unless an external intervention occurs ("pull the plug"). It may be intentional. Overview This differs from: * ...
: PHP has a documented behavior of yielding a segmentation fault error upon infinite recursion. Since this is a memory-safety issue, Suhosin will make the application gracefully exit once a maximum level of recursion has been met. * Granular function white/black-list: the ''disabled_function'' directive of PHP isn't granular at all, Suhosin provides a white and black-list mechanism for functions, on a per virtual-host and folder basis. * Black-list against sensitive variable names: Suhosin will drop GET, POST, COOKIE variables with global reserved variable names following names, like GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST,… * File upload hardening: Suhosin supports calling scripts upon file-upload, allowing things like automatic anti-virus scanning upon upload. It can also prevent ELF files, binary files,… * Custom actions upon violation: blocking violating variables, send a specific HTTP response code, issue a redirection or even execute another PHP script. * Extensive logging: multiple log devices, logging offending filename and the line number, the IP address of the attacker, even behind reverse proxies.


Distribution with operating systems

In some
Linux distribution A Linux distribution (often abbreviated as distro) is an operating system made from a software collection that includes the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one ...
s, notably
Debian Debian (), also known as Debian GNU/Linux, is a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project, which was established by Ian Murdock on August 16, 1993. The first version of D ...
in versions up to 6.x ("Squeeze") and
Gentoo Linux Gentoo Linux (pronounced ) is a Linux distribution built using the Portage package management system. Unlike a binary software distribution, the source code is compiled locally according to the user's preferences and is often optimized for the ...
, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (Wheezy) but reappeared in the current development branch. It is activated by default in Mac OS X Server. As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension. FreeBSD 10.1 maintains the Suhosin extension in its ports collection.


Development history and legacy

Suhosin was first released in 2006, and targeted PHP 5.2.0. The last release of the hardening patch happened a couple of months after the release of the module. The last news article on the official website is from 2007, and no activity occurred in the code repository from May 2012 until February 2014. This led some distributions to consider the Suhosin project dead, until some people from the community started to contribute back to it, circa 2014. There is no plan to upstream features into PHP. In November 2015,
suhosin7
' was created, to provide similar hardening features to PHP7 but failed to gain momentum among the community. Th
Snuffleupagus project
aims at being its successor, for PHP7 and onwards.


See also

*
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group ...


References


External links

*
Suhosin on GitHub
Computer security software PHP {{Security-software-stub