Gary
The new PHP version 5.3.4 has fixed many security vulnerabilities from Changelog.
The most noticeable one is this one:
Paths with NULL in them (foobar.txt) are now considered as invalid (CVE-2006-7243 ).
I was surprised to hear that PHP cannot tell you whether it is a PHP vulnerability or an operating system vulnerability-or even a feature edge issue-it has always been fixed. Slow, and very good at shirking responsibility. For example, PHP received a bug report in the article on FD inheritance issued by 80sec in, but he insisted that he refused to use the security file api provided by apache, instead, I wrote a set of implementations by myself. I still agree that this is an apache security problem, and I will not fix it after six years. The same is true for the parsing of php + fastcgi, which shows how bad PHP is. This PHP was a little bit of action at last, solving a legacy problem (look at the cve date ). This time, PHP hands and feet were very clean, and all PHP functions involved in file operations were checked to check whether the length of strlen (File Name) was consistent with that of the received file name variable, this ensures that the file name is not truncated. (See vc/php-src/branches/PHP_5_3/ext/standard/basic_functions.c? R1 = 305507 & r2 = 305506 & pathrev = 305507 "target = _ blank> base_functions.c and file. c) This means:
From all PHP file operations after tonight, the problem of file name NULL character truncation will be permanently solved.What are upload truncation, local truncation, Read File truncation, and so on,
Therefore, we recommend that you upgrade PHP to 5.3.4. Is there any other way to perform file truncation? This is what you know.
