[TYPO3-core] PHP version requirement
Jigal van Hemert
jigal.van.hemert at typo3.org
Sun Mar 3 19:52:06 CET 2013
On 3-3-2013 18:58, JoH asenau wrote:
> Well - according to our guidelines the correct way would have been:
The guidelines didn't include the concept of really major version numbers.
It was discussed that we could use the version 6.0 as an indication that
it contains bigger changes which are more likely to break during upgrades.
There have also been discussions about the LTS versions and although a
formal announcement must still appear the result is pretty clear: 4.5
support is extended a bit to have a year overlap with 6.2 LTS.
This means that organisations relying on LTS versions have a full year to
prepare their upgrade.
Also having 6.2 as LTS means that the changes in 6.0 have been used in
real projects for some time, extensions are updated to support the 6.0
features and publications (snippets, articles with tips, etc.) have
appeared on how to use the new features.
> The problem many developers and users got with how things are currently
> handled in the core team is, that it seems there is a gap between the
> way some core devs think things should be working and the real life
> scenarios, especially admins still have to deal with.
There are some very conservative system administrators out there. Others
provide their systems with the latest versions of software and possibly
have a range of versions available.
> Especially in enterprise environments you won't always get the cutting
> edge version of your favorite OS, PHP and other necessary software. This
> is due to the fact that there are many other pieces of software running
> in the same environment on umpteen thousands of servers and
> workstations, with some of them taking millions of Euros to have them
> working on latest OS versions. This is something that must be taken into
> account _before_ implementing major changes to the core of a CMS that
> claims to play on enterprise level.
A pretty large and well known hosting company offers a choice between
various PHP versions to their customers (IIRC the customer can set the
PHP version for each domain). If they can do that, the system
administrators of large companies should also be able to do that.
It seems that some translate "enterprise" to "keep using outdated
software for decades".
And really, PHP 5.3.x is not "cutting edge". PHP 5.5 is in alpha state,
5.4 was released over a year ago, 5.3.7 was released on August 18, 2011.
If you don't install bugfix releases you end up with insecure servers:

Security Enhancements and Fixes in PHP 5.3.9:
  Added max_input_vars directive to prevent attacks based on hash
  Fixed bug #60150 (Integer overflow during the parsing of invalid
    exif header). (CVE-2011-4566)

Security Fixes in PHP 5.3.10:
  Fixed arbitrary remote code execution vulnerability reported by
    Stefan Esser, CVE-2012-0830.

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
  Fixed bug #54374 (Insufficient validating of upload name leading to
    corrupted $_FILES indices). (CVE-2012-1172).
  Add open_basedir checks to readline_write_history and

And the list goes on...
Again, this "problem" is blown way out of proportion. It only happens
with extensions which still don't use the autoloader (which has been
available for a long time) on installations with an old and insecure
version of PHP. There is no hard check for PHP 5.3.7; if you use a PHP
version with a lower version number which includes the patch you won't
have a problem.
I think that some people try to make a mountain out of a molehill.
Jigal van Hemert
TYPO3 Core Team member
TYPO3 .... inspiring people to share!
Get involved: typo3.org