Security Enhancements and Fixes in PHP 5.2.0


  • Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible.
  • Added allow_url_include, set to Off by default to disallow use of URLs for include and require.
  • Disable realpath cache when open_basedir and safe_mode are being used.
  • Improved safe_mode enforcement for error_log() function.
  • Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions.
  • Added missing safe_mode and open_basedir checks for the cURL extension.
  • Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines.
  • Fixed handling of long paths inside the tempnam() function.
  • Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters.
  • Fixed ini setting overload in the ini_restore() function.
Scroll to top