[Phpmyadmin-devel] Limits imposed by Suhosin

Sun Aug 7 14:20:20 CEST 2011

On Sun, Aug 7, 2011 at 3:01 PM, Marc Delisle <marc at infomarc.info> wrote:
> Le 2011-08-07 07:39, Marc Delisle a écrit :
>> Le 2011-08-07 07:31, Tyron Madlener a écrit :
>>> On Sun, Aug 7, 2011 at 2:06 PM, Marc Delisle <marc at infomarc.info> wrote:
>>>> Le 2011-08-06 07:59, Madhura Jayaratne a écrit :
>>>>> Hi all,
>>>>>
>>>>> While attending to a bug [1], I came across the following.
>>>>> Suhosin imposes a limit of 512 on the length of the variable that can be
>>>>> passed via a GET [2]. This is often problematic as in PMA we encounter long
>>>>> parameters (long sql queries, where clauses when no unique key is there
>>>>> etc). Due to the same problem [3] $cfg['LinkLengthLimit'] configuration was
>>>>> lowered to more stricter 1000 from 2000, which is more acceptable.
>>>>>
>>>>> In this particular bug the problem is that, though the URL length is under
>>>>> 1000, one parameter, 'sql_query', violates the Suhosin limit. What
>>>>> should be our stand on this. Should we adhere to Suhosin default values?
>>>>>
>>>>> In 3.5 we have a possible solution for this [4] and we can still lower
>>>>> $cfg['LinkLengthLimit'] value without losing the look and feel. However this
>>>>> needs to have JS enabled and I'm not sure whether we want to impose that
>>>>> condition for the 3.4 series.
>>>>
>>>> Madhura,
>>>> see Documentation.html, FAQ 1.38. You might want to add a suggestion
>>>> there about suhosin.get.max_value_length.
>>>>
>>>> As you can deduce from this FAQ entry, it was not our intention to adapt
>>>> to Suhosin's limits.
>>>
>>> Would there be any problem in using min($cfg['LinkLengthLimit'],
>>> [suhoins max length]) for pma?
>>
>> You might have a good start of solution, but $cfg['LinkLengthLimit'] is
>> for the total length of the link, whereas suhosin.get.max_value_length
>> is per parameter and we have more than one parameter in those links.
>>
>
> Also, looking at FAQ 1.38, many Suhosin parameters require tuning for
> phpMyadmin; this is why phpMyAdmin emits (by default) a warning on its
> main page about Suhosin, pointing to this FAQ entry.
>
> If someone disabled the warning, it's their choice.
>

Seeing that many linux distributions like debian ship php with suhosin
per default many users must be affected by issues with suhosin. And
suhosin is not just your average addon, it adds important security
enhancements to php. Disabling it can have severe consequences.

Marking that bug entry as "won't fix" is an indirect statement that we
either don't care about the users with php+suhosin or that we don't
care about the users security (forcing them to disable suhosin).

Having phpMyAdmin working with suhosin is a completely valid feature
request and should be handled as such, in my opinion. Not saying that
we have to implement that feature now, but the possibilities
definitely should be kept open.

> --
> Marc Delisle
> http://infomarc.info
>
> ------------------------------------------------------------------------------
> BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
> The must-attend event for mobile developers. Connect with experts.
> Get tools for creating Super Apps. See the latest technologies.
> Sessions, hands-on labs, demos & much more. Register early & save!
> http://p.sf.net/sfu/rim-blackberry-1
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
>