On 2012-05-03, at 2:28 PM, Paul Gevers wrote:

Well, the biggest part went into 0.8.7something, except for the
possibility to configure the limit and the fact that the ini_set was
done in global.php instead of the two last scripts.

The part that was left out is the only important part, in regards to this bug...

Reading from the diffs, there are two scripts left that use ini_set:

Which are the same two that my proposed fix modifies by hand.

See my comments above. But even if global.php would set the
memory_limit, the issue would still be there wouldn't it? I.e. asking
the cacti developers to port the changes in 5617 wouldn't really help
anyway.

That depends entirely on how it is implemented. It all boils down to: do the 
individual scripts still call ini_set to change their memory_limit themselves? 
If so, then we still need to define suhosin.memory_limit. If not, then suhosin 
won't complain: it only complains when a script tries to increase its memory 
limit mid-run.

By the way, from your proposed solution: the fact that a php script can
call (via command line) another php script while setting the
suhosin.memory_limit defeats the purpose of suhosin quite a bit, doesn't
it? Seems like a hole in the system.

That's a whole different argument. Most people don't seem to find the suhosin 
patch to be particularly useful... It appears to be quite a kludge. Don't know 
if my fix uses a "hole" per se; I assume that the suhosin devs feel that 
suhosin is meant only to protect against misbehaving scripts and external 
attacks. If a user is able to modify the script or call them from the command 
line, then all bets are off and suhosin is useless anyways.

François Beaulieu
Courriel: francois.beaul...@securebyknowledge.com | Web: www.securebyknowledge.com
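The point made above is that Suhosin only objects when a script raises memory_limit through ini_set at runtime beyond what suhosin.memory_limit allows. The following PHP is an added example written for this page; it is not code from the cacti project or from either poster. It shows how a script can attempt the raise and detect a refusal (the value not changing), so that a capped process degrades with a clear message instead of running on assumptions. The helper names and the 512M target are assumptions made for the illustration.

```php
<?php
// Added example (not from the cacti project or the bug thread): raise
// memory_limit at runtime in a way that tolerates a refusal, e.g. when
// suhosin.memory_limit caps what ini_set() may set.

function bytesFromIniValue(string $value): int {
    // Converts php.ini shorthand ("128M", "1G", "-1") to a byte count.
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX; // -1 means unlimited
    }
    $unit = strtolower(substr($value, -1));
    $num  = (int) $value; // leading digits only, suffix ignored by the cast
    switch ($unit) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;
        case 'k': return $num * 1024;
        default:  return $num;
    }
}

function tryRaiseMemoryLimit(string $wanted): bool {
    $before = bytesFromIniValue((string) ini_get('memory_limit'));
    $target = bytesFromIniValue($wanted);
    if ($target <= $before) {
        return true; // already at or above the wanted limit; nothing to raise
    }
    // Under Suhosin the raise may be refused when the new value exceeds
    // suhosin.memory_limit. Rather than trusting ini_set()'s return value
    // alone, re-read the setting and confirm it actually took effect.
    $result = @ini_set('memory_limit', $wanted);
    $after  = bytesFromIniValue((string) ini_get('memory_limit'));
    return $result !== false && $after >= $target;
}

// Assumed target for the illustration; the real scripts pick their own value.
if (!tryRaiseMemoryLimit('512M')) {
    fwrite(STDERR, "memory_limit could not be raised (current: "
        . ini_get('memory_limit') . "). Set it in php.ini, or for a single "
        . "run pass -d suhosin.memory_limit=<value> on the php command line.\n");
    exit(1);
}
```

Run as a CLI script, this exits non-zero when the raise is refused, which is the same condition the thread describes Suhosin complaining about; a scheduled job wrapping cacti's scripts can then fail visibly rather than continuing with less memory than it expected.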
