[php-maint] Fwd: Bug#521198: php5-suhosin nulls mysql update parameters and allows update to continue

Jan Wagner waja at cyconet.org
Tue Apr 7 19:36:25 UTC 2009

Hi Sean,

On Tuesday 07 April 2009, sean finney wrote:
> On Tue, Apr 07, 2009 at 07:48:38PM +0200, Jan Wagner wrote:
> > Guessing from the bugreport, I think the cause for the "dataloss" was,
> > that suhosin blocked the execution of the script, cause the values are to
> > much/large, which can be adjusted via ini settings. Not checking, if the
> > values have reasonable content, is not a problem of suhosin, but of the
> > application. There are many other scenarios (unrelated to suhosin) which
> > can cause empty values.
> from what i read suhosin saw that the update was too large and it null'd
> the fields, and then happily continued.  i can sympathize with the reporter
> that this is "less than ideal".
> is there any option to make suhosin throw a fatal error instead of nulling
> the values?

looking into http://www.hardened-php.net/suhosin/configuration.html, I guess 
not. I just verified the behavior:

# grep 
suhosin.get.max_value_length /etc/apache2/sites-enabled/suhosin.test.org 
		php_admin_value suhosin.get.max_value_length 10
# cat /var/www/suhosin.test.org/public_html/test.php 
echo "The value is: " .$_REQUEST["value"]. "\n";

Now compare http://suhosin.test.org/test.php?value=fooooooooooooooooooo with 

Okay ... nulling the values are suboptimal, but I think thats not really the 
point. The question is: "Is an application, which doesn't doublecheck, that 
the returnvalues aren't empty, correctly working?" Returing empty values can 
also be caused by many other issues.

With kind regards, Jan.
Never write mail to <waja at spamfalle.info>, you have been warned!
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20090407/b137f845/attachment-0001.pgp>

More information about the pkg-php-maint mailing list