PHP 5.2.5 Released

PHP5 Research Lab, 2007-11-11 06:48, viewed 7085 times, author: esayr
Article category: PHP5 Research [New]

  The PHP development team has released PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch and fixes more than 60 bugs, including several security vulnerabilities. Users are officially encouraged to upgrade to this version.

  More information on PHP 5.2.5 can be found in the PHP 5.2.5 release announcement; detailed upgrade information is also available in the PHP 5 ChangeLog.

The main improvements in PHP 5.2.5 are:
  • dl() now accepts only filenames
  • The dl() argument is limited to a maximum length of MAXPATHLEN
  • Fixed htmlentities/htmlspecialchars accepting partial multibyte sequences
  • Fixed possible buffer overflows in the glibc implementations of fnmatch(), setlocale() and glob()
  • Fixed the php.ini directive mail.force_extra_parameters being modifiable from .htaccess
  • Fixed automatic session ID insertion adding the session ID to non-local forms
  • Fixed values set via php_admin_* in httpd.conf being overridable with ini_set()

  Users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1 can consult the upgrade guide, which describes the major changes in PHP 5.2 relative to earlier versions.



Original text:

[08-Nov-2007]

The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.5:

  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf.
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
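Two of the fixes in the list above (and in the translated list earlier on the page) change behaviour that application code can observe: htmlspecialchars()/htmlentities() now return an empty string when given a partial multibyte sequence, and ini_set() can no longer override a directive locked with php_admin_* in httpd.conf. The script below is an added example, not code from the announcement or the PHP project, showing how an application can make the first behaviour explicit and how an administrator can verify the second after upgrading. It assumes PHP 5.2.5 or later with the mbstring extension loaded, and that httpd.conf sets display_errors with php_admin_flag; the function names and test inputs are constructed for this illustration.

```php
<?php
// Added example (not from the PHP announcement): post-upgrade checks for two of
// the fixes listed above. Assumes PHP >= 5.2.5 with the mbstring extension.

/**
 * Escape a user-supplied UTF-8 string for HTML output.
 * Since PHP 5.2.5, htmlspecialchars() returns "" when the input contains a
 * partial or invalid multibyte sequence for the given charset, so the charset
 * must be passed explicitly (the 5.2 default is ISO-8859-1, in which every byte
 * is valid and nothing is rejected). Returns null on rejection so the caller can
 * tell "invalid input" apart from a genuinely empty string.
 */
function escape_html($input)
{
    if ($input === '') {
        return '';
    }
    // Reject malformed UTF-8 up front; this is the explicit form of the check
    // that htmlspecialchars() now performs internally.
    if (!mb_check_encoding($input, 'UTF-8')) {
        return null;
    }
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    // A non-empty input that escapes to "" was rejected by the new check.
    return ($out === '') ? null : $out;
}

/**
 * Verify that a directive locked with php_admin_value/php_admin_flag in
 * httpd.conf cannot be changed at runtime (bug #41561). ini_set() returns
 * false when the directive is locked; a successful change is a finding.
 * Assumed httpd.conf line:  php_admin_flag display_errors Off
 */
function check_admin_lock($directive, $attempt)
{
    $before = ini_get($directive);
    $result = ini_set($directive, $attempt);
    $after  = ini_get($directive);
    if ($result !== false || $after !== $before) {
        // Restore the original value in case the override succeeded.
        ini_set($directive, $before);
        return "FAIL: $directive was overridden from '$before' to '$after'";
    }
    return "OK: $directive is locked at '$before'";
}

// Constructed test inputs.
$tests = array(
    'plain'   => "<b>hi</b>",
    'valid'   => "caf\xC3\xA9 <script>",   // "café" in UTF-8, plus markup
    'partial' => "caf\xC3",                 // truncated 2-byte sequence
);
foreach ($tests as $name => $s) {
    $r = escape_html($s);
    printf("%-8s => %s\n", $name, $r === null ? 'REJECTED (invalid UTF-8)' : $r);
}

echo check_admin_lock('display_errors', '1'), "\n";
```

Run it from the web SAPI (for example as a page under the vhost in question) rather than the CLI, since php_admin_* locks only apply to requests served by Apache; the 'partial' input is reported as rejected, while on a PHP release before 5.2.5 the same bytes would have passed through htmlspecialchars() unchanged.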

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.

Editor in charge: esayr
