Understanding the Latest PHP Security Release

Since we are now starting to see news reports about the latest release of PHP, and since these reports seem to be spinning this release as a knock against PHP, I thought I’d offer some context. My understanding is that the biggest security problem this release fixes is an infinite loop/buffer overflow problem with getimagesize, wherein a specially crafted user-defined image passed to the getimagesize function could create a DoS or arbitrary code execution problem.

It seems this security problem has been labeled “High Risk” because the potential for damage is very high. However, it must be pointed out that the other factor to consider with security is the probability of exploit, which in this case is relatively low. Only sites that accept user-supplied images are candidates to be affected by this security problem. Systems accepting image uploads only from trusted content managers, as well as sites that screen uploaded images before passing them to getimagesize for layout and display, are unlikely to be affected. One caveat: on many sites getimagesize is itself the screening step, so the screening has to happen before that call (a size cap and a check of the file’s leading bytes, for example) rather than rely on it.
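As an illustration of the screening just described, here is an added example (not code from the original post or from PHP itself) that caps the upload size and requires an allowlisted magic number before the file is ever handed to getimagesize, then cross-checks the parser’s own verdict. The function name, the size limit and the allowlist of three formats are this example’s own assumptions; getimagesize understands many more container formats than these, and keeping unexpected formats away from its parsers is the point.

```php
<?php
// Added example, not from the original post: pre-screen an uploaded file
// before it reaches getimagesize(). Names and limits are assumptions.

const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // assumed upload cap: 2 MiB

// Magic numbers for the only formats this site intends to display.
const ALLOWED_MAGIC = [
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => "GIF8",
];

// IMAGETYPE_* constant getimagesize() is expected to report for each entry.
const EXPECTED_TYPE = [
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Returns width/height/mime for an allowlisted, size-capped image file,
 * or null if the file should be discarded without further parsing.
 */
function screenedImageSize(string $path): ?array
{
    // Reject anything that is not a plain file or exceeds the upload cap.
    if (!is_file($path) || filesize($path) > MAX_IMAGE_BYTES) {
        return null;
    }

    // Read only the first 16 bytes to identify the container.
    $head = file_get_contents($path, false, null, 0, 16);
    if ($head === false) {
        return null;
    }

    $matched = null;
    foreach (ALLOWED_MAGIC as $name => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $matched = $name;
            break;
        }
    }
    if ($matched === null) {
        return null; // unknown or disallowed format: never parsed
    }

    // Only now does the file reach getimagesize().
    $info = @getimagesize($path);
    if ($info === false) {
        return null;
    }

    // A file that lies about its type (magic from one format, body from
    // another) is rejected when the parser's verdict disagrees.
    if ($info[2] !== EXPECTED_TYPE[$matched]) {
        return null;
    }

    // Sanity-check claimed dimensions before using them for layout.
    if ($info[0] < 1 || $info[1] < 1 || $info[0] * $info[1] > 50000000) {
        return null;
    }

    return ['width' => $info[0], 'height' => $info[1], 'mime' => $info['mime']];
}

// Usage with a constructed upload path:
// $dims = screenedImageSize($_FILES['photo']['tmp_name']);
// if ($dims === null) { /* discard the upload */ }
```

Note that the magic-number check is deliberately done with a short read rather than by calling getimagesize on the raw upload: the whole point is that a malformed file in some format the site never intended to serve does not get parsed at all.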

It seems that most security advisories these days rate severity on the potential for damage alone, as if it were the sole and deciding factor. In reality, security is a matter of likelihood as much as it is a matter of impact; risk is the combination of the two, since the only system that can be declared completely secure is the one that is powered down and disconnected.