[php-maint] Fwd: Bug#521198: php5-suhosin nulls mysql update parameters and allows update to continue
Jan Wagner
waja at cyconet.org
Tue Apr 7 19:36:25 UTC 2009
Hi Sean,
On Tuesday 07 April 2009, sean finney wrote:
> On Tue, Apr 07, 2009 at 07:48:38PM +0200, Jan Wagner wrote:
> > Guessing from the bugreport, I think the cause for the "dataloss" was,
> > that suhosin blocked the execution of the script, cause the values are to
> > much/large, which can be adjusted via ini settings. Not checking, if the
> > values have reasonable content, is not a problem of suhosin, but of the
> > application. There are many other scenarios (unrelated to suhosin) which
> > can cause empty values.
>
> from what i read suhosin saw that the update was too large and it null'd
> the fields, and then happily continued. i can sympathize with the reporter
> that this is "less than ideal".
>
> is there any option to make suhosin throw a fatal error instead of nulling
> the values?
looking into http://www.hardened-php.net/suhosin/configuration.html, I guess
not. I just verified the behavior:
# grep
suhosin.get.max_value_length /etc/apache2/sites-enabled/suhosin.test.org
php_admin_value suhosin.get.max_value_length 10
# cat /var/www/suhosin.test.org/public_html/test.php
<?php
echo "The value is: " .$_REQUEST["value"]. "\n";
phpinfo();
?>
Now compare http://suhosin.test.org/test.php?value=fooooooooooooooooooo with
http://suhosin.test.org/test.php?value=foo
Okay ... nulling the values are suboptimal, but I think thats not really the
point. The question is: "Is an application, which doesn't doublecheck, that
the returnvalues aren't empty, correctly working?" Returing empty values can
also be caused by many other issues.
With kind regards, Jan.
--
Never write mail to <waja at spamfalle.info>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20090407/b137f845/attachment-0001.pgp>
More information about the pkg-php-maint
mailing list