Suhosin comes back from the dead, bringing security to newest PHP versions


While everyone has been distracted admiring PHP-NG, a great PHP project has quietly come back from the dead – Suhosin!

Suhosin is a well-regarded security extension for PHP by Stefan Esser that had stopped getting updates after PHP 5.3. Perhaps the more dramatic internal changes to the PHP core in 5.4 made it difficult to keep up. Linux distributions such as Debian, which had added Suhosin on the strength of its value, dropped it after the updates stopped. Suhosin only worked up to PHP 5.3 – until now.

Suhosin can do neat tricks like disabling eval() and the regex /e modifier in PHP, which the core of PHP cannot do by itself (or, more accurately, which the core developers refuse to address). Suhosin also has many other options that help make PHP safer to use in a shared environment, or where a server runs a great deal of third-party code (e.g. WordPress and its plugins).
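Before switching those two features off, it helps to know what in the code base will stop working. The script below is an added example, not code from the original post or from the Suhosin project: it tokenizes PHP source and reports every eval() call and every preg_replace() pattern that carries the /e modifier (or a runtime-built pattern that needs a manual look). The constructed sample source at the bottom stands in for real files; on a real code base you would feed it `file_get_contents()` of each file. The directive names mentioned in the comments, suhosin.executor.disable_eval and suhosin.executor.disable_emodifier, are Suhosin's own option names for these two switches.

```php
<?php
// Added audit helper (not part of Suhosin): find eval() and preg_replace /e uses
// before enabling suhosin.executor.disable_eval and suhosin.executor.disable_emodifier.

function pattern_has_e_modifier(string $literal): bool
{
    // $literal is the raw PHP string token, quotes included; strip them first.
    $pattern = substr($literal, 1, -1);
    if ($pattern === '' || $pattern === false) {
        return false;
    }
    $delim = $pattern[0];
    // Bracket-style delimiters close with their counterpart, others with themselves.
    $closers = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $closers[$delim] ?? $delim;
    $end = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;
    }
    // Everything after the closing delimiter is the modifier string.
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

function find_eval_and_emodifier(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as "(" or ";"
        }
        [$id, $text, $line] = $tok;

        // eval is a language construct with its own token, so the tokenizer
        // is not fooled by odd whitespace or casing the way a plain grep would be.
        if ($id === T_EVAL) {
            $findings[] = ['line' => $line, 'kind' => 'eval', 'detail' => 'eval() call'];
            continue;
        }

        // A function name is T_STRING; PHP 8 tokenizes "\preg_replace" as one
        // T_NAME_FULLY_QUALIFIED token, so accept both and drop the leading backslash.
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if (!$isName || strcasecmp(ltrim($text, '\\'), 'preg_replace') !== 0) {
            continue;
        }

        // Inspect the first argument after "(": a string literal can be checked
        // for /e directly; a variable means the pattern is built at runtime.
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if (!is_array($t)) {
                continue;
            }
            if ($t[0] === T_CONSTANT_ENCAPSED_STRING) {
                if (pattern_has_e_modifier($t[1])) {
                    $findings[] = ['line' => $t[2], 'kind' => 'emodifier', 'detail' => $t[1]];
                }
                break;
            }
            if ($t[0] === T_VARIABLE) {
                $findings[] = ['line' => $t[2], 'kind' => 'emodifier?', 'detail' => 'dynamic pattern ' . $t[1]];
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample source standing in for a real file; it is only tokenized, never executed.
$sample = <<<'PHPSRC'
<?php
$out  = preg_replace('/(\w+)/e', 'strtoupper("$1")', $in);
$safe = preg_replace_callback('/(\w+)/', function ($m) { return strtoupper($m[1]); }, $in);
$r    = eval('return 1+1;');
$p    = preg_replace($dynamic, 'x', $in);
PHPSRC;

foreach (find_eval_and_emodifier($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['kind'], $f['detail']);
}
```

Run against the constructed sample this reports the /e pattern on line 2, the eval() on line 4 and the runtime-built pattern on line 5, while the preg_replace_callback() form on line 3, which is the replacement for /e, passes silently. Heredoc and nowdoc patterns are not inspected, so treat a clean report as a strong hint rather than proof.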

So, dead for years, suddenly in February 2014, Suhosin was quietly updated with this note:

From now only PHP >= 5.4 is officially supported

and then proceeded to post several fixes to make it work not only with PHP 5.5 but with the 5.6 alpha as well. They even added an extremely well-documented ini file covering all the options.

Now there are updates as recent as June and there also appears to be another person associated with the project, Ben Fuhrmannek, so maybe fresh blood is helping to renew and keep it going. They both work at SektionEins, a computer security firm in Germany.

Compiling and running the Suhosin extension against PHP 5.6 seems to work well.

I would like to strongly encourage everyone to donate to Suhosin to keep Stefan’s interest and motivation going in this important work. His PayPal link can be found at the bottom of the Suhosin front page.

