[php-maint] [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Stefan Esser stefan at nopiracy.de
Fri Feb 3 08:09:27 UTC 2012


Hey Florian,

> Now that's something I didn't read from Ondřej's mail, but delivering
> the packages with and without suhosin would, while being more work,
> certainly be the most helpful way for users. Then again I'd gladly help if
> there's anything of this additional work that can be done.

People are constantly ignoring the fact that Suhosin-PHP listens to several environment variables:

SUHOSIN_MM_USE_CANARY_PROTECTION       default = 1
SUHOSIN_MM_DESTROY_FREE_MEMORY         default = 0
SUHOSIN_MM_IGNORE_CANARY_VIOLATION     default = 0
SUHOSIN_HT_IGNORE_INVALID_DESTRUCTOR   default = 0
SUHOSIN_LL_IGNORE_INVALID_DESTRUCTOR   default = 0

By configuring these environment variables you can disable the canary protection that is "eating tons of memory and speed" (which is greatly exaggerated by people).
You don't need to have two compiled packages. You can just DISABLE Suhosin to 90% with these flags - or make it even stronger by telling it to sanitize all freed memory.

BTW: The Debian PHP maintainers know about these flags, because I repeatedly mentioned them in my answers to them. Also the Debian PHP maintainers patched the code of these environment variables 2 years back. So not knowing about them is just an excuse (if they bring it up).

Regards,
Stefan
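
Added example (not part of the mail and not Suhosin or Debian code): a shell audit of the five variables listed above, reporting which ones differ from the defaults given in the mail. The function name suhosin_env_audit, the 0/1-only value check and the "weaker"/"stronger" reading of each variable are assumptions inferred from the variable names.

```shell
#!/bin/sh
# name:default:kind -- defaults are the ones listed in the mail.
# kind is an assumption: "protect" = 1 turns a protection on,
#                        "ignore"  = 1 tells the patch to ignore a violation.
SUHOSIN_VARS='SUHOSIN_MM_USE_CANARY_PROTECTION:1:protect
SUHOSIN_MM_DESTROY_FREE_MEMORY:0:protect
SUHOSIN_MM_IGNORE_CANARY_VIOLATION:0:ignore
SUHOSIN_HT_IGNORE_INVALID_DESTRUCTOR:0:ignore
SUHOSIN_LL_IGNORE_INVALID_DESTRUCTOR:0:ignore'

# Print one verdict line per variable; return 1 if any setting is weaker
# than the default, 0 otherwise.
suhosin_env_audit() {
    weakened=0
    while IFS=: read -r name default kind; do
        # Names come from the fixed table above, never from user input.
        eval "value=\${$name:-\$default}"
        case "$value" in
            0|1) ;;
            *) echo "$name=$value unrecognised (default $default)"
               continue ;;
        esac
        if [ "$value" = "$default" ]; then
            verdict=default
        elif [ "$kind" = protect ] && [ "$value" = 1 ]; then
            verdict=stronger
        else
            verdict=weaker
            weakened=1
        fi
        echo "$name=$value $verdict"
    done <<EOF
$SUHOSIN_VARS
EOF
    return "$weakened"
}

# Constructed demo: canary protection off, freed-memory sanitising on.
( SUHOSIN_MM_USE_CANARY_PROTECTION=0
  SUHOSIN_MM_DESTROY_FREE_MEMORY=1
  suhosin_env_audit ) || echo "at least one protection is weaker than default"
```

The audit only sees the environment of the shell it runs in, so run it in the same environment that launches the PHP process you care about.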

