Changelog
2016-xx-xx - 0.9.39dev2
- some improvements for Windows (NewEraCracker)
- fixes for test cases (NewEraCracker)
- new feature: suhosin.log.max_error_length to limit the error output
- fixed function_exists wrapper to ignore backslash-prefixes (#92)
- backport of PHP bug 71152: mt_rand() returns the different values from original mt19937ar.c
- removed dead code
- better debian integration
- fixed perdir checks
- merged PHP changes to RFC1867 code
2015-05-21 - 0.9.38
- removed code compatibility for PHP <5.4 (lots of code + ifdefs)
- allow https location for suhosin.filter.action
- fixed newline detection for suhosin.mail.protect
- Added suhosin.upload.max_newlines to protect against DoS attacks via many
MIME headers in RFC1867 uploads (CVE-2015-4024)
- mail-related test cases now work on Linux
2014-12-12 - 0.9.37.1
- Changed version string to 0.9.37.1 (without -dev)
- Relaxed array index blacklist (removed '-') due to WordPress incompatibility
2014-12-03 - 0.9.37
- Added SQL injection protection for Mysqli and several test cases
- Added wildcard matching for SQL username
- Added check for SQL username to only contain valid characters (>= ASCII 32)
- Test cases for user_prefix and user_postfix
- Added experimental PDO support
- SQL checks other than mysql (Mysqli + old-style) must be enabled with
configure --enable-suhosin-experimental, e.g. MSSQL.
- disallow_ws now matches all single-byte whitespace characters
- remove_binary and disallow_binary now optionally allow UTF-8.
- Introduced suhosin.upload.allow_utf8 (experimental)
- Reimplemented suhosin_get_raw_cookies()
- Fixed potential segfault for disable_display_errors=fail (only on ARM)
- Fixed potential NULL-pointer dereference with func.blacklist and logging
- Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
- Added new array index filter (character whitelist/blacklist)
- Set default array index blacklist to '"+-<>;()
- Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
- Added simple script to create binary Debian package
- Fixed additional recursion problems with session handler
- Suhosin now depends on php_session.h instead of version-specific struct code
2014-06-10 - 0.9.36
- Added better handling of non-existing/non-executable shell scripts
- Added protection against XSS/SQL/Other Injections through User-Agent HTTP header
- Fix variable logging statistics outputting on every include - ticket: #37
- Added more entropy from /dev/urandom to internal random seeding (64 bit => 256 bit)
- Added non initialized stack variables to random seeding
- Added php_win32_get_random_bytes for windows compatibility in random seeding
- Added suhosin.rand.seedingkey for INI supplied additional entropy string (idea DavisNT)
- Added suhosin.rand.reseed_every_request to allow reseeding on every request (idea DavisNT)
- Changed: calls to srand() / mt_srand() now trigger auto reseeding (idea DavisNT)
- Fixed problems with SessionHandler() class and endless recursions
- Added LICENSE file to make distributions happy
2014-02-24 - 0.9.35
- From now on, only PHP >= 5.4 is officially supported
- Fix problems with the hard memory_limit on 64 bit systems
- Fix problems with user space session handler due to change in PHP 5.4.0
- Add changes in PHP 5.5 session handler structures for PHP 5.5 compatibility
- Fix std post handler for PHP >= 5.3.11
- Fix suhosin logo in phpinfo() for PHP 5.5
- Change fileupload handling for PHP >= 5.4.0 to use an up to date RFC1867 replacement code
- Adapted suhosin to PHP 5.5 executor
- Added some test cases for various things
- Added suhosin.log.stdout to log to stdout (for debugging purposes only)
- Add ini_set() fail mode to suhosin.disable.display_errors
- Fix suhosin.get/post/cookie.max_totalname_length filter
- Refactor array index handling in filter so that it always works
- Added support for PHP 5.6.0alpha2
- WARNING: FUNCTION WHITELISTS/BLACKLISTS NEVER WORKED CORRECTLY WITH PHP < 5.5
2012-02-12 - 0.9.34
- Added initial support for PHP 5.4.0
- Fix include whitelist and blacklist to support schemes with dots in their names
- Fix read after efree() that lets function_exists() malfunction
- Fix build with clang compiler
- Added a request variable drop statistic log message
2012-01-19 - 0.9.33
- Make clear that suhosin is incompatible with mbstring.encoding_translation=On
- Stop mbstring extension from replacing POST handlers
- Added detection of extensions manipulating POST handlers
- Fixed: environment variables used for logging no longer go through the filter extension
- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
- Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
- Removed crypt() support, because it is not used for PHP >= 5.3.0 anyway
2010-07-23 - 0.9.32.1
- Fixed missing header file resulting in compile errors
2010-07-23 - 0.9.32
- Added support for memory_limit > 2GB
- Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
- Improved random number seed generation further by adding entropy from /dev/urandom
2010-03-28 - 0.9.31
- Fix ZTS build of session.c
- Increased session identifier entropy by using /dev/urandom if available
2010-03-25 - 0.9.30
- Added line ending characters %0a and %0d to the list of dangerous characters handled
by suhosin.server.encode and suhosin.server.strip
- Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
- Added ! protection to PHP session serializer
- Fixed: simulation mode now also affects (dis)allowed functions
- Fixed missing return (1); in random number generator replacements
- Fixed random number generator replacement error case behaviour in PHP 5.3.x
- Fixed error case handling in function_exists() PHP 5.3.x
- Merged changes/fixes in import_request_variables()/extract() from upstream PHP
- Fixed suhosin_header_handler to be PHP 5.3.x compatible
- Merge fixes and new features of PHP's file upload code to suhosin
2009-08-15 - 0.9.29
- Fixed crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
- Added more compatible way to retrieve ext/session globals
- Increased default length and count limit for POST variables (for people not reading the documentation)
2009-08-14 - 0.9.28
- Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
- Fixed harmless parameter order error in a bogus memset()
- Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
- Added suhosin.executor.include.allow_writable_files which can be disabled to disallow
inclusion of files writable by the webserver
2008-08-23 - 0.9.27
- Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
2008-08-22 - 0.9.26
- Fixed problem with suhosin.perdir
Thanks to Hosteurope for tracking this down
- Fixed problems with ext/uploadprogress
Reported by: Christian Stocker
- Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
- Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
- Added better internal seeding of rand() and mt_rand()
2008-08-06 - 0.9.25
- Fixed PHP 4 compilation problem introduced in 0.9.24
- Fixed PHP 5.3 compilation problem
- Changed PHP default POST handler to PHP's current handler
2008-05-10 - 0.9.24
- Added support for method-calls to function handling
- This fixes white- and blacklist affecting methods with the same name
2008-01-14 - 0.9.23
- Fixed: the suhosin extension now compiles with snapshots of PHP 5.3
- Fixed: crypt() behaves normally again when no salt is supplied
2007-12-01 - 0.9.22
- Removed LFS warning message because it crashed on several systems
2007-11-30 - 0.9.21
- Fixed: function_exists() now checks the Suhosin permissions
- Fixed: crypt() salt no longer uses Blowfish by default
- Fixed .htaccess/perdir support
- Fixed compilation problem on OS/X
- Added protection against some attacks through _SERVER variables
- Added suhosin.server.strip and suhosin.server.encode
- Added error message that warns about the LFS binary incompatibility
2007-05-19 - 0.9.20
- Added protection flags against whitespace at variable start
- Added mutex around crypt() to close the PHP crypt()
thread safety vulnerability class
- Improved HTTP Response Splitting Protection
- Changed default maximum array depth to 50 for GPCR
- Fixed possible endless loop in file logging
- Fixed file locking in file logging
2007-05-01 - 0.9.19
- Fixed typo in HTTP header protection (only during simulation mode)
Reported by: Ilia Alshanetsky
- Fixed wrong \0 termination in cookie decryptor
- Fixed possible crash in SERVER variables protection when SAPI=embedded
Fix provided by: Olivier Blin/Mandriva Linux
- Added possibility to en-/disable INI_PERDIR
Problem reported by: Ilia Alshanetsky
- Added PHP Warning when disabled function is called
- Added examples for new configuration option in suhosin.ini
2007-03-06 - 0.9.18
- Fixed session double hooking in edge case
- Added additional crash protection for PHP's session module
2007-03-04 - 0.9.17
- Added a suhosin.ini example configuration
Thanks to Mandriva Linux for supplying us with one
- Added new logging device: file
- Fixed: suhosin.filter.action did not affect POST limits
- Fixed behaviour of the request variable limit to be an upper limit
for the other settings instead of an additive limit
- Fixed hard_memory_limit bypass due to casting bug in PHP
Problem was found by: Ilia Alshanetsky
- Fixed some sql prefix/postfix problems
- Added experimental SQL injection heuristic
2006-12-02 - 0.9.16
- Added suhosin.stealth which controls if suhosin loads in
stealth mode when it is not the only zend_extension
(Required for full compatibility with certain encoders
that consider open source untrusted. e.g. ionCube, Zend)
- Activate suhosin.stealth by default
- Fixed that Suhosin tried to handle functions disabled by
disable_function. In v0.9.15 it was impossible to disable
phpinfo() with disable_function.
Problem was found by: Thorsten Schifferdecker
2006-11-28 - 0.9.15
- Added a transparent protection for open phpinfo() pages by
adding an HTML META ROBOTS tag to the output that forbids
indexing and archiving
2006-11-22 - 0.9.14
- Drop wrongly decrypted cookies instead of leaving them empty
- Fix another problem with urlencoded cookie names
- Fix compilation problem with PHP4
- Added better regression testing to the release process to stop
compilation and missing symbol problems
2006-11-20 - 0.9.13
- More compatible support for ap_php_snprintf() for old PHP
- Changed phpinfo() output to put suhosin logo into a data: URL
for Opera and Gecko based browsers when expose_php=off
2006-11-14 - 0.9.12
- Added ap_php_snprintf() when compiling against PHP 4.3.9
- Added suhosin.protectkey to remove cryptkeys from phpinfo() output
- Disabled suhosin.cookie.encrypt in default install
- Fixed static compilation against PHP 5.2.0
2006-11-06 - 0.9.11
- Fixed input filter for simulation mode
2006-10-26 - 0.9.10
- Fixed ZTS compile problem in new code
- Fixed PHP4 compile problem in new code
2006-10-25 - 0.9.9
- Fixed mail() protection that failed to detect some injected headers
- Fixed cookie decryption so that it can no longer corrupt Apache memory
- Fixed cookie encryption to handle URL-encoded names correctly
- Added suhosin.cookie/session.checkraddr
- Added suhosin.cookie.cryptlist
- Added suhosin.cookie.plainlist
- Added suhosin_encrypt_cookie function for JS
- Added suhosin_get_raw_cookies function
- Changed dropped variable error messages
2006-10-08 - 0.9.8
- Fixed a PHP4 ZTS compile problem
2006-10-08 - 0.9.7
- Moved input handler hooking to a later place to ensure better compatibility
with 3rd party extensions
- Fixed a problem with overlong mail headers in mail protection
- Fixed a problem with empty log/verification script names
- Fixed a PHP4 compile problem with old gcc/in ZTS mode
- Added mbregex.h from PHP4 to solve compile problems on systems with broken
header installations
2006-10-02 - 0.9.6
- Disallow symlink() when open_basedir is set (activated by default)
- Fix a problem with compilation in Visual Studio
2006-09-29 - 0.9.5
- Added missing logo file
- Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
2006-09-29 - 0.9.4
- Added version number and logo to phpinfo() output
- Fixed that all uploaded files are dropped after a single one was disallowed
- Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
of logging S_MEMORY events
- Disable handling of rfc1867 mbstring decoding
2006-09-24 - 0.9.3
- Added protection against endless recursion for suhosin.log.phpscript
- Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
- Added suhosin.executor.include.max_traversal to stop directory traversal includes
2006-09-19 - 0.9.2
- Fixed broken rfc1867 fileupload hook
- Changed definition of binary to: 0..31, 128..255 except whitespace
- Added suhosin.log.phpscript(.name) directive to log to a PHP script
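The binary-byte rule stated under 0.9.2 above (0..31 and 128..255 except whitespace), combined with the optional UTF-8 allowance that 0.9.37 introduced for remove_binary and disallow_binary, as an added C example; this is not Suhosin's own code, and the function names and the allow_utf8 parameter are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not Suhosin's own code: the "binary" byte rule the changelog
 * gives for 0.9.2 (0..31 and 128..255 except whitespace), plus the 0.9.37
 * option of letting well-formed UTF-8 sequences through (allow_utf8). */

/* Byte length (2..4) of a well-formed UTF-8 sequence starting at s[0], or 0.
 * Rejects overlong forms, surrogates (U+D800..DFFF) and code points > U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n) {
    unsigned c = s[0];
    size_t len = (c >= 0xC2 && c <= 0xDF) ? 2 : (c >= 0xE0 && c <= 0xEF) ? 3
               : (c >= 0xF0 && c <= 0xF4) ? 4 : 0;
    if (len == 0 || n < len) return 0;
    for (size_t i = 1; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    if (len == 3 && ((c == 0xE0 && s[1] < 0xA0) || (c == 0xED && s[1] >= 0xA0))) return 0;
    if (len == 4 && ((c == 0xF0 && s[1] < 0x90) || (c == 0xF4 && s[1] >= 0x90))) return 0;
    return len;
}

/* Length of the run at s[0] the filter accepts: 1 for printable ASCII or
 * whitespace, 2..4 for an allowed UTF-8 sequence, 0 if the byte is binary. */
static size_t accepted_len(const unsigned char *s, size_t n, bool allow_utf8) {
    unsigned char c = s[0];
    if (c >= 32 && c < 128) return 1;
    if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\v' || c == '\f') return 1;
    return allow_utf8 ? utf8_seq_len(s, n) : 0;
}

/* disallow_binary-style check: true if buf contains a binary byte. */
bool contains_binary(const char *buf, size_t n, bool allow_utf8) {
    const unsigned char *s = (const unsigned char *)buf;
    for (size_t i = 0, len; i < n; i += len)
        if ((len = accepted_len(s + i, n - i, allow_utf8)) == 0) return true;
    return false;
}

/* remove_binary-style filter: copies buf to out (at least n bytes), dropping
 * each binary byte. Returns the number of bytes written. */
size_t remove_binary(const char *buf, size_t n, bool allow_utf8, char *out) {
    const unsigned char *s = (const unsigned char *)buf;
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        size_t len = accepted_len(s + i, n - i, allow_utf8);
        if (len == 0) { i++; continue; }     /* drop this byte */
        while (len--) out[o++] = buf[i++];
    }
    return o;
}
```

Note that without allow_utf8 every byte of a multibyte character is dropped separately, which is why a filename such as "café" is mangled rather than passed through.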
2006-09-16 - 0.9.1
- A bunch of changes to compile and work on Windows
2006-09-09 - BETA
- Added decryption of HTTP_COOKIE
- Fixed a last problem in suhosin_strcasestr() helper function
2006-09-08 - BETA
- Fixed a problem within suhosin_strcasestr() because it broke
URL checks
2006-09-07 - BETA
- The CVS version of PHP 5.2.0 was changed to support case-insensitive
URLs; support for this was added to suhosin
- Fixed a problem when preg_replace() was called with more than
4 parameters