Hi Sean,

On Tuesday 07 April 2009, sean finney wrote:
> On Tue, Apr 07, 2009 at 07:48:38PM +0200, Jan Wagner wrote:
> > Guessing from the bugreport, I think the cause for the "dataloss" was
> > that suhosin blocked the execution of the script, cause the values are too
> > much/large, which can be adjusted via ini settings. Not checking if the
> > values have reasonable content is not a problem of suhosin, but of the
> > application. There are many other scenarios (unrelated to suhosin) which
> > can cause empty values.
>
> from what i read suhosin saw that the update was too large and it null'd
> the fields, and then happily continued. i can sympathize with the reporter
> that this is "less than ideal".
>
> is there any option to make suhosin throw a fatal error instead of nulling
> the values?
Looking into http://www.hardened-php.net/suhosin/configuration.html, I guess
not. I just verified the behavior:

  # grep suhosin.get.max_value_length /etc/apache2/sites-enabled/suhosin.test.org
  php_admin_value suhosin.get.max_value_length 10
  # cat /var/www/suhosin.test.org/public_html/test.php
  <?php
  echo "The value is: " . $_REQUEST["value"] . "\n";
  phpinfo();
  ?>

Now compare

  http://suhosin.test.org/test.php?value=fooooooooooooooooooo

with

  http://suhosin.test.org/test.php?value=foo

Okay ... nulling the values is suboptimal, but I think that's not really the
point. The question is: "Is an application which doesn't double-check that
the return values aren't empty working correctly?" Returning empty values can
also be caused by many other issues.

With kind regards, Jan.

-- 
Never write mail to <w...@spamfalle.info>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE Y++
PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
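The application-side check Jan is asking for, as an added example that is not part of either mail and not Suhosin project code: a variant of the test.php above that fails the request hard when the parameter is missing, empty or over the application's own limit, instead of echoing whatever arrived and continuing. It reads from $_GET rather than $_REQUEST so the value has exactly one source, and the 10-byte limit, the parameter name "value" and the helper names required_param/abort_request are assumptions chosen to match the php_admin_value in the thread.

```php
<?php
// Added example: fail closed when a request value is missing or empty.
// When a value exceeds suhosin.get.max_value_length the script still runs,
// it just never sees the value; the same happens with broken clients,
// proxies or other input filters, so the check belongs in the application.
// Assumed: parameter "value", application limit of 10 bytes (matches the
// php_admin_value in the thread), helper names are illustrative.

declare(strict_types=1);

const VALUE_MAX_LEN = 10; // assumption: the application's own limit

/**
 * Return a required request parameter or abort the request.
 * Never assume a key exists or is non-empty: the caller gets a string or
 * the request ends here with a 4xx, it never "happily continues".
 */
function required_param(array $src, string $name, int $maxLen): string
{
    if (!array_key_exists($name, $src)) {
        abort_request(400, "missing parameter '$name'");
    }
    $v = $src[$name];
    if (!is_string($v) || $v === '') {
        abort_request(400, "empty parameter '$name'");
    }
    if (strlen($v) > $maxLen) {
        abort_request(413, "parameter '$name' longer than $maxLen bytes");
    }
    return $v;
}

function abort_request(int $status, string $reason): void
{
    // Detail goes to the server log only; the client gets a generic reply.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('rejected request from %s: %s', $client, $reason));
    http_response_code($status);
    header('Content-Type: text/plain');
    echo "Bad request\n";
    exit(1);
}

// Diagnostic for the operator: if Suhosin is loaded, record the effective
// limit so a silently vanished value can be traced to it.
if (extension_loaded('suhosin')) {
    error_log('suhosin.get.max_value_length = '
        . ini_get('suhosin.get.max_value_length'));
}

$value = required_param($_GET, 'value', VALUE_MAX_LEN);
header('Content-Type: text/plain');
echo "The value is: $value\n";
```

Served under the same vhost as the thread's test, the ?value=foo request prints the value, while the 20-character one gets a 400 and a log line naming the missing parameter rather than an empty echo; the error_log line with the Suhosin limit tells the operator why it went missing.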