[Phpmyadmin-devel] New Suhosin warning (#1863326)

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Tue Mar 4 14:34:27 CET 2008


Thijs Kinkhorst wrote:
> Hi all,
> 
> I noticed the newly introduced warning that phpMyAdmin emits when Suhosin
> is enabled in PHP. I expect that Suhosin will be enabled more and more,
> because the demands on security of web applications are ever increasing.
> It provides valuable protection of PHP which doesn't have the best
> security history. For example Debian's next release will have Suhosin
> enabled by default, and other distributions are doing or have already done
> the same. So I doubt that adding such a warning is a viable solution to
> the problem.
> 
> The problem seems to be that when a table doesn't have a key defined,
> phpMyAdmin encodes the entire row in the request URL, in order to make
> sure to match the right row. Suhosin trips over this when that URL gets
> very long.
> 
> I propose to resolve this problem in a different way. Wouldn't it be an
> idea to take the contents of the entire row, run it through md5() or
> sha1(), and pass that in the URL? This value could then in the query be
> used when specifying something like "WHERE
> MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my
> opinion, resolve the problem in a more elegant way that works for all
> configurations. Even when not having Suhosin enabled, passing a URL of
> many kilobytes long isn't desirable anyway.
> 
> Of course you could only do this when the row length exceeds some minimum
> length if you want to.
> 
> What do you think?
> 
> Thijs

Thanks Thijs for this idea. I think we could implement it (at least try 
it) for performance purposes, but I am afraid that the warning about 
Suhosin in general must remain.

Even on a table with a primary key, if the table has many fields and you 
want to do a simple INSERT, the suhosin.post.max_vars threshold may be 
reached.

http://forum.hardened-php.net/viewtopic.php?pid=1444

Or the suhosin.post.max_value_length when uploading a file to a BLOB.

Marc
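The hashed-row lookup Thijs proposes, as an added example that is not part of this thread or of phpMyAdmin's code: Python with an in-memory SQLite table standing in for MySQL (an MD5() function is registered because SQLite has none), showing the fingerprint computed once at listing time and recomputed server-side in the WHERE clause. QUOTE() plus a separator are my additions, not from the thread: plain CONCAT() returns NULL if any field is NULL and cannot tell ('ab','c') from ('a','bc').

```python
import hashlib
import sqlite3

# Constructed sample data: a table with no primary key and one exact duplicate row.
COLUMNS = ("name", "email", "note")
ROWS = [
    ("alice", "a@example.org", None),
    ("bob", "b@example.org", "a long free-text note that would otherwise go into the URL"),
    ("alice", "a@example.org", None),  # identical to the first row
]


def row_fingerprint_sql(columns):
    """SQL expression hashing the whole row. quote() renders NULL as the bare
    token NULL and wraps strings in quotes, so NULL and the string 'NULL'
    differ and field boundaries stay unambiguous. MySQL equivalent:
    MD5(CONCAT(QUOTE(c1), '|', QUOTE(c2), ...)). Column names are a fixed
    constant here, never user input."""
    return "MD5(" + " || '|' || ".join(f"quote({c})" for c in columns) + ")"


def open_db():
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL's built-in MD5(); SQLite ships without one.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE people (name TEXT, email TEXT, note TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return conn


def list_rows_with_fingerprint(conn):
    """Listing step: each row plus its 32-character fingerprint, which is what
    would be placed in the edit/delete link instead of every field value."""
    sql = f"SELECT {row_fingerprint_sql(COLUMNS)}, {', '.join(COLUMNS)} FROM people"
    return conn.execute(sql).fetchall()


def fetch_by_fingerprint(conn, fingerprint):
    """Follow-up request: the same expression is recomputed by the database and
    compared with the submitted hash, passed as a bound parameter. Truly
    identical rows share a fingerprint, so the caller must expect >1 match."""
    sql = f"SELECT {', '.join(COLUMNS)} FROM people WHERE {row_fingerprint_sql(COLUMNS)} = ?"
    return conn.execute(sql, (fingerprint,)).fetchall()
```

Because the hash is always computed by the database, no client-side reimplementation of MD5 or of the quoting rules has to stay in sync with the server.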
