
PHP links from around the web

Some PHP related links from around the web:

Remember: be nice to byte code caches

Mr pooteeweet, aka Lukas Smith, reminds us that the voodoo magic behind PHP's autoload functionality does not play nicely with PHP opcode caches. Be sure to read what Rasmus Lerdorf, our PHP BDFL, says about how autoloading defeats opcode caching (or rather prevents that stuff from being cached at all), and about the problem with adding that sort of dark voodoo magic into PHP.

Autoload is kinda convenient. Especially since in PEAR we have such a clear mapping of class name to file name. I do not really understand why some libraries and projects have these insane class name to file name mappings like ez Components, and I think symfony also has them. Anyways, while it seems kind of nice, one must be wary of the idea that they speed up your code. If you are running a byte code cache (which anyone who cares about performance of course does) you will get quite the opposite. Here is Rasmus's answer on this, taken straight from #php.pecl:

Trusted Zend Extensions

PHP's own Stefan Esser reminds us how evil the trusted-extension checks in IonCube's and Zend's loaders are; he has to spend time implementing stealth loading features just to get past the Zend checks. I'd prefer that the Suhosin patch for PHP, which adds hardening to the PHP internals, were applied to PHP itself rather than remaining a separate patch. On FreeBSD the Suhosin patch is enabled by default, which is good news for users at hosting companies like TextDrive (although they are only upgrading to the 5.2 branch after 5.2.1 or 5.2.2 is released).

Everyone who has used IonCube or Zend tools has most probably experienced the problem that both companies ship extensions that backdoor PHP in a way that only those extensions can be used that they consider trusted. On pages like this they claim this is another (optional) security feature. In reality it does not offer any additional security, because everyone who is able to install Zend Extensions on a server is also able to directly patch the untrusted code into the PHP installation.

The most likely real reason for these backdoors is to keep Open Source alternatives to their products away from the PHP installation.

Because of this the Suhosin extension already contains stealth loading features that are able to bypass the Zend checks. Unfortunately, until today I was not aware that IonCube comes with a similar protection that is only activated if the encoded files request it. Of course future Suhosin versions will work their way around this backdoor.

However, I decided to take further action against this kind of anti-open-source behaviour and will create a patch against the PHP codebase (that will also be added to Suhosin-Patch) that will introduce the concept of extension trust. The basic idea behind this feature is that the admin can give different trust levels to extensions, so that an extension can only see those of a lower trust level. Additionally it will not be possible for an extension to learn its own trust level, so that the encoder backdoors cannot demand to have the highest trust level.

From my point of view it is really sad that companies with a business model based on extensions and support for open source take such drastic steps against open source products.
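To make the proposed trust-level rule concrete, here is an added toy model of it (not code from Suhosin, PHP or any vendor): the admin assigns each extension a level, an extension can enumerate only extensions of strictly lower trust, and no extension can ever query its own level, so none can insist on being the highest. Extension names and levels are constructed for the illustration.

```c
/* Added toy model of the proposed "extension trust level" rule; not code from
 * Suhosin, PHP or any vendor. Extension names and levels are constructed. */
#include <stdio.h>
#define MAX_EXT 8

typedef struct { const char *name; int trust; } zext_t; /* higher = more trusted */
static zext_t registry[MAX_EXT];
static int registry_count;

/* Admin-side only: wipe the registry (returns 0 so callers can check it). */
int ext_reset(void) { registry_count = 0; return 0; }

/* Admin-side only: register an extension with its trust level; returns index. */
int ext_register(const char *name, int trust) {
    if (registry_count >= MAX_EXT || trust < 0) return -1;
    registry[registry_count].name = name;
    registry[registry_count].trust = trust;
    return registry_count++;
}

/* Visibility rule: a viewer sees only extensions of strictly lower trust,
 * never itself and never an unknown index. */
int ext_can_see(int viewer, int target) {
    if (viewer < 0 || viewer >= registry_count) return 0;
    if (target < 0 || target >= registry_count || target == viewer) return 0;
    return registry[target].trust < registry[viewer].trust;
}

/* What an "are other extensions present?" scan by `viewer` would find. */
int ext_visible_count(int viewer) {
    int i, n = 0;
    for (i = 0; i < registry_count; i++) n += ext_can_see(viewer, i);
    return n;
}

/* Trust is reported only for visible extensions, so no extension can learn
 * its own level and therefore cannot insist on holding the highest one. */
int ext_query_trust(int asker, int target) {
    return ext_can_see(asker, target) ? registry[target].trust : -1;
}

int main(void) {
    ext_reset();
    ext_register("hardening_ext", 3); /* index 0: admin trusts this most */
    ext_register("vendor_loader", 2); /* index 1: an encoder's loader */
    ext_register("debugger", 1);      /* index 2 */
    printf("loader sees hardening: %d, debugger: %d, own level: %d\n",
           ext_can_see(1, 0), ext_can_see(1, 2), ext_query_trust(1, 1));
    return 0;
}
```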

Zeev mentions a couple of things in his response to the post, about them trying to ensure compatibility and about thread-safety issues. Those lovely mutex locks, as Clive keeps reminding me, are the necessary evil that makes code thread safe.

Stefan,

First, your use of the word 'backdoor' is simply wrong in my humble opinion. The word backdoor has nothing to do with what these extensions are doing - preventing potentially incompatible extensions from loading. Backdoor is a word with security connotations, so I'd appreciate it if you changed the text to reflect the fact that they 'change the behavior' or 'patch' or whatever. It's definitely not backdoor.

Secondly, the reason we (Zend) do this is to ensure compatibility. Most of the engine extensions out there are incompatible with Zend products, because they change the behavior of PHP in a way that can potentially prevent some of the hacks that we do in our products from working. I can't speak for ionCube, but as far as Zend's concerned, it's definitely not an issue of security - it's an issue of compatibility and support.

If you want to make Suhosin load in stealth mode that's entirely up to you, but it does mean that it may cause incompatible Zend extensions that make certain assumptions to crash or misbehave. I can tell you that we at Zend are now considering whether we would like to officially support systems that have Suhosin installed on them. If & when that happens, it would mean that we test our products with Suhosin installed to ensure that there are no incompatibilities or bugs in either product that trigger unwanted symptoms when they meet each other.
