[Phpmyadmin-devel] Limits imposed by Suhosin

Tyron Madlener tyronx at gmail.com
Mon Aug 8 10:19:28 CEST 2011


On Sun, Aug 7, 2011 at 3:56 PM, Marc Delisle <marc at infomarc.info> wrote:
> On 2011-08-07 08:20, Tyron Madlener wrote:
>> On Sun, Aug 7, 2011 at 3:01 PM, Marc Delisle <marc at infomarc.info> wrote:
>>> On 2011-08-07 07:39, Marc Delisle wrote:
>>>> On 2011-08-07 07:31, Tyron Madlener wrote:
>>>>> On Sun, Aug 7, 2011 at 2:06 PM, Marc Delisle <marc at infomarc.info> wrote:
>>>>>> On 2011-08-06 07:59, Madhura Jayaratne wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> While attending to a bug [1], I came across the following.
>>>>>>> Suhosin imposes a limit of 512 on the length of a variable that can be
>>>>>>> passed via GET [2]. This is often problematic, as in PMA we encounter long
>>>>>>> parameters (long SQL queries, WHERE clauses when no unique key is there,
>>>>>>> etc.). Due to the same problem [3], the $cfg['LinkLengthLimit'] configuration was
>>>>>>> lowered to a stricter 1000 from 2000, which is more acceptable.
>>>>>>>
>>>>>>> In this particular bug the problem is that, though the URL length is under
>>>>>>> 1000, one parameter, 'sql_query', violates the Suhosin limit. What
>>>>>>> should be our stand on this? Should we adhere to Suhosin's default values?
>>>>>>>
>>>>>>> In 3.5 we have a possible solution for this [4] and we can still lower the
>>>>>>> $cfg['LinkLengthLimit'] value without losing the look and feel. However, this
>>>>>>> needs JS enabled and I'm not sure whether we want to impose that
>>>>>>> condition for the 3.4 series.
>>>>>>
>>>>>> Madhura,
>>>>>> see Documentation.html, FAQ 1.38. You might want to add a suggestion
>>>>>> there about suhosin.get.max_value_length.
>>>>>>
>>>>>> As you can deduce from this FAQ entry, it was not our intention to adapt
>>>>>> to Suhosin's limits.
>>>>>
>>>>> Would there be any problem in using min($cfg['LinkLengthLimit'],
>>>>> [Suhosin's max length]) for PMA?
>>>>
>>>> You might have a good start of solution, but $cfg['LinkLengthLimit'] is
>>>> for the total length of the link, whereas suhosin.get.max_value_length
>>>> is per parameter and we have more than one parameter in those links.
>>>>
>>>
>>> Also, looking at FAQ 1.38, many Suhosin parameters require tuning for
>>> phpMyAdmin; this is why phpMyAdmin emits (by default) a warning on its
>>> main page about Suhosin, pointing to this FAQ entry.
>>>
>>> If someone disabled the warning, it's their choice.
>>>
>>
>> Seeing that many Linux distributions like Debian ship PHP with Suhosin
>> by default, many users must be affected by issues with Suhosin. And
>> Suhosin is not just your average add-on; it adds important security
>> enhancements to PHP. Disabling it can have severe consequences.
>>
>> Marking that bug entry as "won't fix" is an indirect statement that we
>> either don't care about the users with PHP+Suhosin or that we don't
>> care about the users' security (forcing them to disable Suhosin).
>>
>> Having phpMyAdmin working with suhosin is a completely valid feature
>> request and should be handled as such, in my opinion. Not saying that
>> we have to implement that feature now, but the possibilities
>> definitely should be kept open.
>
> Continuing Tyron's idea, here is a possible fix. PMA_linkOrButton()
> currently checks the whole URL length and decides to generate a link or
> form based on this.
>
> In the form generation logic, it breaks the URL up with parse_url(). This
> parse_url() call could occur earlier in the function, enabling a check
> of the length of each parameter value against
> suhosin.get.max_value_length and forcing the use of the "form" logic as soon
> as one of the values exceeds the limit.
>
> Does anyone with a Suhosin-enabled server want to try this?
>

The attached patch should implement this behavior, though it is not tested yet.

> --
> Marc Delisle
> http://infomarc.info
>
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suhosinpatch.diff
Type: application/octet-stream
Size: 3370 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20110808/0dcb2bff/attachment-0001.obj>
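The decision Marc sketches above (check the total link length, then check every query value against suhosin.get.max_value_length, and fall back to a POST form when either limit is exceeded), written out as a stand-alone PHP example. This is an added illustration, not phpMyAdmin's code and not the attached suhosinpatch.diff; the pma_example_* function names and the 1000-byte total-length default are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin's own code: a stand-alone version of the
// link-or-form decision discussed in the thread. The pma_example_* names
// and the default $linkLengthLimit of 1000 are assumptions.

/**
 * Decide whether $url must be rendered as a POST form instead of a plain link.
 *
 * Two independent limits apply: the total link length (the role of
 * $cfg['LinkLengthLimit']) and Suhosin's per-parameter GET limit,
 * suhosin.get.max_value_length, which is checked against every query value
 * individually. Either one being exceeded forces the form.
 */
function pma_example_needs_form($url, $linkLengthLimit = 1000, $suhosinLimit = null)
{
    if (strlen($url) > $linkLengthLimit) {
        return true;
    }

    if ($suhosinLimit === null) {
        // ini_get() returns false when the directive does not exist, i.e. the
        // Suhosin extension is not loaded; 512 is Suhosin's documented default.
        $ini = ini_get('suhosin.get.max_value_length');
        $suhosinLimit = ($ini === false || $ini === '') ? 512 : (int) $ini;
    }
    if ($suhosinLimit <= 0) {
        return false; // a limit of 0 means "unlimited" in Suhosin
    }

    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return false; // no query string, nothing for Suhosin to reject
    }

    // parse_str() URL-decodes the values, the same form PHP hands to an input
    // filter such as Suhosin, so decoded lengths are what gets compared.
    parse_str($query, $params);
    foreach ($params as $value) {
        foreach (pma_example_flatten($value) as $leaf) {
            if (strlen($leaf) > $suhosinLimit) {
                return true;
            }
        }
    }
    return false;
}

/** Flatten nested name[]= values into a flat list of scalar strings. */
function pma_example_flatten($value)
{
    if (!is_array($value)) {
        return array((string) $value);
    }
    $out = array();
    foreach ($value as $v) {
        $out = array_merge($out, pma_example_flatten($v));
    }
    return $out;
}

/** Emit one hidden input per scalar, preserving name[key] nesting. */
function pma_example_hidden_inputs($name, $value)
{
    if (is_array($value)) {
        $html = '';
        foreach ($value as $k => $v) {
            $html .= pma_example_hidden_inputs($name . '[' . $k . ']', $v);
        }
        return $html;
    }
    return '<input type="hidden" name="' . htmlspecialchars($name)
        . '" value="' . htmlspecialchars($value) . '" />' . "\n";
}

/** Render either <a href="..."> or a POST form carrying the same parameters. */
function pma_example_link_or_form($url, $label)
{
    if (!pma_example_needs_form($url)) {
        return '<a href="' . htmlspecialchars($url) . '">'
            . htmlspecialchars($label) . '</a>';
    }

    $parts  = parse_url($url);
    $action = isset($parts['path']) ? $parts['path'] : '';
    $params = array();
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);
    }

    $html = '<form action="' . htmlspecialchars($action) . '" method="post">' . "\n";
    foreach ($params as $name => $value) {
        $html .= pma_example_hidden_inputs($name, $value);
    }
    return $html . '<input type="submit" value="' . htmlspecialchars($label)
        . '" />' . "\n</form>";
}

// Constructed demo: the URL as a whole stays under 1000 bytes, but the
// single sql_query value is longer than Suhosin's default of 512.
$longQuery = 'SELECT * FROM t WHERE ' . str_repeat('c=1 AND ', 70) . '1';
$url = 'sql.php?db=test&table=t&sql_query=' . urlencode($longQuery);
echo pma_example_link_or_form($url, 'Browse'), "\n"; // emits a <form>, not an <a>
```

The constructed URL reproduces the bug's shape exactly: the total length passes the $cfg['LinkLengthLimit'] check, but the single sql_query value does not pass the per-parameter one, so the form path is taken. Switching to POST sidesteps suhosin.get.max_value_length because Suhosin applies a separate and far larger limit to POST values; the per-value check reads the live ini setting so an administrator who has already tuned Suhosin per FAQ 1.38 gets plain links back without any configuration change on the phpMyAdmin side.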


More information about the Developers mailing list