Plugin SecurityInfo shows wrong result for Suhosin Extension #1753

Closed
anonymous-piwik-user opened this Issue · 3 comments

2 participants

@anonymous-piwik-user

I'm running Piwik 1.0 with FastCgi on a Debian Lenny system.

The SecurityInfo-Plugin says:
1) You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.

2) You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.

The php tells me:
/usr/bin/php5-cgi --version
PHP 5.2.6-1+lenny9 with Suhosin-Patch 0.9.6.2 (cgi-fcgi) (built: Aug 4 2010 05:59:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Same message when calling phpinfo in the piwik dir.
Keywords: feedback

@robocoder
Collaborator

Perhaps the web server is using a different php binary?

Try again with this script:

<?php
print_r(get_loaded_extensions()); // this should contain "suhosin" if you have the Suhosin extension
print_r(get_defined_constants()); // this should contain SUHOSIN_PATCH if the Suhosin patch was applied

@anonymous-piwik-user

1)
$exts = get_loaded_extensions(); // $exts doesn't contain "suhosin"

2)
$constants = get_defined_constants(); // $constants[= 1, $constants'SUHOSIN_PATCH' = 0.9.6.2

According to this the opened bug can be closed by 50%. It seems that the extension is not loaded and therefore the notice about the extension is correct.
But the notice about the patch shouldn't be given.

@robocoder
Collaborator

(In [3237]) fixes #1753, refs #1310 - get_defined_constants(false) is broken prior to php 5.2.11

@anonymous-piwik-user anonymous-piwik-user added this to the Piwik 1.1 milestone
This issue was closed.
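The thread above separates two different things: the Suhosin extension (a loadable module, visible via get_loaded_extensions()) and the Suhosin patch (a core patch that defines the SUHOSIN_PATCH constant), and the closing commit notes that get_defined_constants(false) is unreliable before PHP 5.2.11. The following is an added example, not Piwik's SecurityInfo code or the fix from [3237]: a self-contained check that reports both facts, calls get_defined_constants() without the categorize argument so the pre-5.2.11 problem is avoided, and records which SAPI answered, since the report above was caused by a CLI binary that differed from the one the web server used. The SUHOSIN_PATCH_VERSION constant is assumed from the patch's usual constants and is not shown on this page.

```php
<?php
// Added example (not Piwik's own code). Uses only functions available in PHP 5.2.

function suhosin_status()
{
    // Extension: a loaded module, so extension_loaded() / get_loaded_extensions() see it.
    $extension = extension_loaded('suhosin');

    // Patch: defines SUHOSIN_PATCH in the core. Call get_defined_constants() with NO
    // argument; get_defined_constants(false) is broken before PHP 5.2.11 (per this issue).
    $constants = get_defined_constants();
    $patch = isset($constants['SUHOSIN_PATCH']) || defined('SUHOSIN_PATCH');

    // SUHOSIN_PATCH_VERSION is assumed here (normally defined by the patch); absent on this page.
    $patch_version = null;
    if ($patch && defined('SUHOSIN_PATCH_VERSION')) {
        $patch_version = constant('SUHOSIN_PATCH_VERSION');
    }

    return array(
        'sapi'          => php_sapi_name(), // cgi-fcgi vs cli: may be a different binary
        'php_version'   => PHP_VERSION,
        'extension'     => $extension,
        'patch'         => $patch,
        'patch_version' => $patch_version,
    );
}

// Build the notices a SecurityInfo-style check would emit, one per missing component,
// so a present patch with an absent extension yields exactly one notice.
function suhosin_notices(array $status)
{
    $notices = array();
    if (!$status['extension']) {
        $notices[] = 'Suhosin extension is not loaded.';
    }
    if (!$status['patch']) {
        $notices[] = 'Suhosin patch is not applied.';
    }
    return $notices;
}

// Serve this through the web server rather than running php5-cgi by hand, so the
// reported SAPI and version belong to the binary that actually executes Piwik.
$status = suhosin_status();
header('Content-Type: text/plain');
print_r($status);
print_r(suhosin_notices($status));
```

If the 'sapi' field printed through the browser differs from what `php5-cgi --version` shows on the shell, the two are different binaries and the shell output says nothing about the web server's Suhosin state.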