So here’s the lowdown: the PHP Foundation just dropped a fat security audit on php-src — that’s the engine behind PHP itself — and yeah, it wasn’t pretty. Some high-sev vulnerabilities were found lurking in the dark corners. But don’t worry, they fixed all of them in the fresh 8.4.6 release. 🎯
🔍 Key Bugs They Squashed:
- Log Tampering via Parsing Flaw: you can manipulate the logs, yeah — attackers could sneak in or wipe out up to 4 chars (or more with syslog) due to dodgy data parsing. 🆔 CVE-2024-9026
- Multipart Form Mishandling: a legacy bug meant form data could be misinterpreted. Think of your `$_POST` not knowing what’s what. 🆔 CVE-2024-8925
- Filter = Crash: mismanaged memory in PHP filters could hit you with segmentation faults. Nasty stuff. 🆔 CVE-2024-8928
- MySQL Driver Data Bleed: old queries leaking into new ones — not a vibe. Data privacy goes bye-bye. 🆔 CVE-2024-8929
🧠 Who Ran the Audit?
Big shout to Quarkslab SAS, managed by the Open Source Tech Improvement Fund, funded by 🇩🇪 Sovereign Tech Agency. Budget was tight, so they focused only on the most critical components — where the danger lives.
📦 Stuff that got the microscope treatment:
- PHP-FPM (the FastCGI boss for speed)
- MySQL driver
- HTTP & MIME parsing
- JSON logic
- Crypto: OpenSSL, password hashing, RNG (you know, the spicy bits)
🛠️ So… How Bad Was It?
Not catastrophic. Many of the vulnerabilities require fairly rare conditions to trigger. The code quality was actually called pretty solid by Quarkslab. But yeah, this wasn’t a full sweep. Important bits like `parse_url`, `parse_str`, stream handling, and `xp_ssl` got left out due to time pressure. Not ideal.
🧓 But… PHP? Still?
Look, PHP’s ancient, gets clowned on, and doesn’t win beauty contests — but it still holds up most of the applications on the web. According to W3Techs, PHP’s powering 74.3% of websites (where the backend language is known). WordPress and friends ain’t going anywhere. It’s simple, battle-tested, and the ecosystem? Still solid AF.
“Quirks got ironed out. Code’s stable. Ecosystem’s chill.” – some wise dev on Hacker News
“A plain PHP app loads way faster than bloated JS hellscapes.” – another based legend