In the spirit of the Month of PHP Bugs going on right now (March 2007), Justin Silverton has spotlighted just a few of them in a new entry to the JSLabs blog today.
He mentions issues like:
- a header() issue that results from a call to it with an all-whitespace string
- a session issue in PHP5 where an identifier isn't freed correctly
- and an issue with the compress.bzip2 URL wrapper not following safe_mode or open_basedir restrictions (already corrected).
These are just a few of the bugs that have been reported during the month-long event, so check out php-security.org. He also points to the Suhosin patch that can help alleviate some of these issues.