PHP 5.3.1 Released

If you are a fan of PHP, things are getting better. PHP 5.3.1 was just released, containing over 100 bug fixes. From Marc Plotz's article:

The most significant and security-conscious addition in PHP 5.3.1 is the inclusion of a max_file_uploads INI directive, making it possible to limit file uploads per request to 20 files by default. This is extremely important in circumventing denial of service (DoS) attacks.

If you have not heard of denial of service attacks, the basic principle is that a website gets pounded with hundreds or even thousands of requests at the same time, thus rendering the server essentially useless because all of its resources are being consumed in serving the attack. Thus, a user having unlimited upload possibilities certainly could bring a production server to its knees by constantly uploading something like one hundred files repeatedly from various machines.

You could in effect have 1000 or more files being uploaded at the same time, and a slow or shared server will not handle that well at all. Even a dedicated server would struggle considerably. So, what max_file_uploads does is make sure that no more than 20 files can be uploaded at a time on that server.

Other bug fixes include missing sanity checks around EXIF (exchangeable image file format) processing, while Rasmus Lerdorf himself fixed a safe_mode bypass in tempnam(). An open_basedir bypass in posix_mkfifo() was also repaired, along with the failing safe_mode_include_dir. You can see the CHANGELOG for more details.
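The max_file_uploads directive quoted above caps how many file parts the PHP engine will accept in one request; parts beyond the cap are skipped with a warning and never appear in $_FILES, so a script that blindly loops over $_FILES sees a truncated request as a normal one. The handler below is an added example, not code from the PHP project or from Marc Plotz's article. It shows the php.ini settings in comments (the values other than the 20-file default are assumed), applies a stricter application-level cap (APP_MAX_FILES is an assumed name and value), normalises both single and array-style upload fields, and validates each file with PHP's own upload checks before moving it.

```php
<?php
// Added example. Assumed php.ini settings for this handler (only the
// max_file_uploads default of 20 comes from the PHP 5.3.1 release; the
// rest are illustrative):
//   file_uploads        = On
//   max_file_uploads    = 20    ; engine-enforced cap per request
//   upload_max_filesize = 2M
//   post_max_size       = 8M

// Application-level cap, deliberately lower than the engine limit (assumed).
define('APP_MAX_FILES', 5);

/**
 * Normalise $_FILES into a flat list of uploads. Handles both
 * <input name="doc"> (scalar entry) and <input name="docs[]"> (each key
 * of the entry is itself an array indexed by file position).
 */
function flatten_uploads(array $files)
{
    $out = array();
    foreach ($files as $field => $entry) {
        if (is_array($entry['name'])) {
            foreach ($entry['name'] as $i => $name) {
                $out[] = array(
                    'field'    => $field,
                    'name'     => $name,
                    'tmp_name' => $entry['tmp_name'][$i],
                    'error'    => $entry['error'][$i],
                    'size'     => $entry['size'][$i],
                );
            }
        } else {
            $out[] = array('field' => $field) + $entry;
        }
    }
    return $out;
}

/**
 * Validate and store the uploads in $files (normally $_FILES).
 * Returns an array with 'ok' and, on success, the stored paths;
 * on failure, a 'reason' string. Nothing is written unless every
 * file passes, so a partially bad request leaves no residue.
 */
function handle_uploads(array $files, $dest_dir)
{
    $uploads = flatten_uploads($files);

    // Reject oversized batches before touching the filesystem. The engine's
    // max_file_uploads already bounds this number; the application cap is
    // defence in depth for the case where php.ini is looser than expected.
    if (count($uploads) > APP_MAX_FILES) {
        return array('ok' => false, 'reason' => 'too many files in one request');
    }

    foreach ($uploads as $u) {
        if ($u['error'] !== UPLOAD_ERR_OK) {
            // Covers UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_PARTIAL, UPLOAD_ERR_NO_FILE, etc.
            return array('ok' => false, 'reason' => 'upload error code ' . $u['error']);
        }
        // Only accept temporary files that PHP itself created for this request.
        if (!is_uploaded_file($u['tmp_name'])) {
            return array('ok' => false, 'reason' => 'not an uploaded file');
        }
    }

    $stored = array();
    foreach ($uploads as $u) {
        // Never trust the client-supplied name for the on-disk path.
        $target = rtrim($dest_dir, '/') . '/' . bin2hex(openssl_random_pseudo_bytes(8));
        if (!move_uploaded_file($u['tmp_name'], $target)) {
            return array('ok' => false, 'reason' => 'could not store ' . $u['name']);
        }
        $stored[] = $target;
    }
    return array('ok' => true, 'stored' => $stored);
}

// Entry point when run behind a web server; does nothing on the CLI.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = handle_uploads($_FILES, '/var/tmp/uploads'); // assumed directory
    header('Content-Type: text/plain');
    echo $result['ok'] ? "stored " . count($result['stored']) . " file(s)\n"
                       : "rejected: " . $result['reason'] . "\n";
}
```

The engine cap and the application cap serve different purposes: max_file_uploads stops PHP from parsing and writing hundreds of temporary files per request regardless of what any script does, while the in-script limit lets a form that only ever expects a handful of files refuse anything larger with a clear error instead of processing whatever slipped under the global limit.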