iBlog - Ilia Alshanetsky

I've finally got a bit of free time to official post the slides from my "State of PHP Security" talk from Zend Conference 2007. You can find the slides here. The session was a bit different from the usual talks I give on security, focusing on summarizing the efforts done so far this year aimed at improving PHP's own security and the things we are still working on improving.

The stable version of FUDforum 2.7.7RC2 is now available for download. This releases' focus has been primarily bug fixing with a fair number of small issues being resolved.

The install script can be found here and the upgrade script here.

The release announcement detailing all of the major changes can be found here.

If you've been reading the internals list or the blogs of various PHP developers you probably know that the work on the new minor PHP branch, 5.3 has started now that the key feature list of the release has been established by a public vote on the internals list about a week ago. Some of those features, like namespaces, late static binding, __callStatic and several others have already made into the CVS.

As per our tradition of changing Release Masters for every minor release, a new masochist, Johannes Schlüter will be taking of the role of RM for PHP 5.3 from me. I will continue to RM 5.2.X release, which has 1-2 releases in it still and will be actively maintained up until 5.3.0 is released into the wild, something that should happen early next year.

I've been release mastering PHP 5 for almost two years now, all the way back since 5.1.0 and it has been quite challenging and interesting time, and its time for new blood so to speak. I want to congratulate Johannes on his new role that will hopefully get confirmed on internals within the next few days and wish him the best of luck and ask all of the developers to cooperate with the new RM to make his task just a little bit easier.

I just got my confirmation for my flight to San Francisco to ZendCon happening in early October and noticed something interesting on my invoice for the flight in the "taxes area".

Taxes, Fees and Charges
---------------------------------------------------
Canada Airport Improvement Fee 20.00
U.S.A Transportation Tax 15.54
U.S Agriculture Fee 5.15
Canada Security Charge 7.94
Canada Goods and Services Tax (GST/HST #10009-2287) 26.01
U.S.A Immigration User Fee 7.21

Why would an airline ticket include the U.S Agriculture Fee, is there a tax on the air above the US farmland or something?

After a few years on Gallery 1.X, which with a few tweaks worked quite well for me, I've decided to make the transition to Flickr's pro account. The conversion was largely made possibly by a tweaked gallery2flickr script that allowed me to move albums over without loosing any data in a process, which is always a good thing. It still took some time, but in the end I am quite happy with the results. Flickr has some very neat features in comparison to Gallery such as geo-tagging, very convenient interface for tagging and labeling photos, which at least in Gallery 1.X was rather frustrating.

My new gallery can now be found at http://www.flickr.com/photos/iliaal/

After a somewhat extended release cycle PHP 5.2.4 is finally out! A fairly extensive list of changes this time with over 120 bug fixes and a fair number of small security fixes and improvements. You can find the abbreviated details about the release here and the full boring details in the ChangeLog.

The first RC of 5.2.4 was just released and is now available for download here:

http://downloads.php.net/ilia/php-5.2.4RC1.tar.bz2 (md5sum: 43e28d2aa55b6c8bcd67da16e24b225a)

This release have been long in the making so the changelog is a bit intimidating, so we definitely need a lot of testing for this release. I would like to ask everyone to give this RC a shot and see how it behaves with their code and hopefully not find any regressions. If you do find any, please let us know.

I've been so busy last few weeks I didn't get a chance to blog about the acceptance of my talk for ZendCon. So, here it is now, better late then never. This year has been quite busy in terms of security when it comes to PHP, the language and many changes were done to make the language better when it comes to security.

The talk will try to summarize the many happenings in the PHP security world in to a quick one hour talk, so it should be quite an interesting challenge

A little less then a month had passed and we have a new PHP 5 release, 5.2.3 that can downloaded here. As with the prior patch level releases in 5.2.branch, the work continued on improving stability (over 40 bug fixes) and security with a 6 additional security fixes and improvements added. Also, this version contains a few optimizations that hopefully will make this the fastest 5.2 release yet, with improvements in string processing, md5()/sha1() generation and few less syscalls per request.

The official release announcement can be found here and the nitty gritty details can be seen in the ChangeLog.

I am also happy to say that two regressions introduced by prior releases were addressed, relating to timeouts on non-blocking SSL connection as well as lack of HTTP_RAW_POST_DATA under certain conditions.

Thanks to the surprisingly well working wifi at the moment the slides from the PHP Security pitfalls are now available can be downloaded here.

I hope everyone who had been present at the talk had found something interesting that will help them improve the security of their code.

The two tutorials at php|tek went rather well, I am still surprised my voice held up for 6 hours of talking. The slides in PDF form can be found below:

Securing PHP Applications

PHP & Performance