Suhosin.so does not load in PHP 5.4.4 ("Suhosin does not yet support PHP 5.4") #17

Closed
Wikinaut opened this issue Jun 16, 2012 · 9 comments


@Wikinaut

updated 2012-07-16 see #14 ("just as a reminder that PHP 5.4.x is not yet supported.")

Suhosin 0.9.33

After migration to PHP 5.4.4
I did

cd suhosin
phpize
./configure
make
install

and got

php --version
PHP Warning:  \
PHP Startup: Unable to load dynamic library \
'/usr/share/extensions/no-debug-non-zts-20100525/suhosin.so' - /usr/share/extensions/no-debug-non-zts-20100525/suhosin.so: undefined symbol: output_globals in Unknown on line 0
PHP 5.4.4 (cli) (built: Jun 16 2012 23:09:01)
@jani

jani commented Jan 10, 2013

I can confirm that the issue reported by burnersk is still reproducible in Debian Wheezy:

user@host:/usr/local/src/stefanesser-suhosin-1fba865# php -v
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/suhosin.so' - /usr/lib/php5/20100525/suhosin.so: undefined symbol: php_mb_gpc_encoding_detector in Unknown on line 0
PHP 5.4.4-10 (cli) (built: Nov 24 2012 11:21:26) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

php_mb_gpc_encoding_detector and php_mb_gpc_encoding_converter are no longer part of the MBSTRING API.

Edit: nor is php_mb_encoding_translation, though it exists in mbstring.c.

This means that the problem lies in rfc1867.c,

lines 63-66:

        if (num_vars > 0 &&
            php_mb_gpc_encoding_detector(val_list, len_list, num_vars, NULL TSRMLS_CC) == SUCCESS) {
            php_mb_gpc_encoding_converter(val_list, len_list, num_vars, NULL, NULL TSRMLS_CC);
        }

and lines 620-625:

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
    if (php_mb_encoding_translation(TSRMLS_C)) {
        int len=strlen(str);
        php_mb_gpc_encoding_detector(&str, &len, 1, NULL TSRMLS_CC);
    }
#endif

and 1213-1216:

                if(php_mb_gpc_encoding_detector(val_list, len_list, num_vars, NULL TSRMLS_CC) == SUCCESS) {
                    str_len = strlen(filename);
                    php_mb_gpc_encoding_converter(&filename, &str_len, 1, NULL, NULL TSRMLS_CC);
                }

I'm not familiar enough with the regrettably uncommented Suhosin code to know what these functions and code segments are meant to achieve, so I'm a bit reluctant to edit out the segments I've listed above.

And I suspect that if I did so, PHP and Suhosin would perhaps work, but any errors would probably be undetectable to me.
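
The two "undefined symbol" failures quoted in this thread can be found before an extension is installed by comparing what the `.so` imports with what the `php` binary exports. The following is an added example, not part of the thread or of Suhosin; the listing file names, the naming heuristic in `PHP_API_PATTERN` and the `demo` function with its sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report PHP API symbols an extension imports that the php
# binary does not export. Real listings would be produced with:
#   nm -D --undefined-only suhosin.so        > ext_undefined.txt
#   nm -D --defined-only "$(command -v php)" > php_defined.txt

# Heuristic (assumption): PHP internals are named php_*, zend_*, sapi_* or *_globals.
PHP_API_PATTERN='^(php_|zend_|sapi_)|_globals$'

# missing_symbols EXT_UNDEFINED PHP_DEFINED [PATTERN]
# Prints each imported symbol matching PATTERN that the binary does not define.
missing_symbols() {
    awk -v pat="${3:-$PHP_API_PATTERN}" '
        NF < 2 { next }                              # skip blank or malformed lines
        { sym = $NF; sub(/@.*/, "", sym) }           # drop "@GLIBC_2.x" version tags
        FILENAME == ARGV[1] { have[sym] = 1; next }  # first file: exported symbols
        sym ~ pat && !(sym in have) && !seen[sym]++ { print sym }
    ' "$2" "$1"
}

# Constructed sample listings, modelled on the two errors quoted in this thread.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/ext_undefined.txt" <<'EOF'
                 U output_globals
                 U php_mb_gpc_encoding_detector
                 U php_register_variable_safe
                 U strlen@GLIBC_2.2.5
                 U zend_hash_find
EOF
    cat > "$dir/php_defined.txt" <<'EOF'
00000000009f1c40 B core_globals
00000000005d2a10 T php_register_variable_safe
00000000006a3b80 T zend_hash_find
EOF
    missing_symbols "$dir/ext_undefined.txt" "$dir/php_defined.txt"
    rm -rf "$dir"
}
```

An empty result only means that every imported symbol matching the pattern is exported; it says nothing about whether a function's signature or behaviour changed between PHP versions.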

@jani

jani commented Jan 10, 2013

Removing code related to php_mb_flush_gpc_variables(), php_mb_encoding_translation(), php_mb_gpc_encoding_converter() and php_mb_gpc_encoding_detector() seems to make Suhosin usable for Debian Wheezy with the current PHP 5.4.4-10 incarnation there.

As far as I can tell, this may possibly leave some multibyte handling less protected than with a stock PHP 5.4 install.

However, it seems to me that there is a bit of risk in simply doing it that way, since rfc1867.c has changed quite a bit between PHP 5.3.x and PHP 5.4.x.

I think rfc1867.c needs a fresh start for Suhosin, in order to ensure PHP 5.4 compatibility, and not just a loading PHP version.

@jani

jani commented Jan 22, 2013

I've taken the deep plunge and removed all HAVE_MBSTRING dependent code from rfc1867.c, the diff is here:

jani@e8beb4f

I don't know if this is a safe fix, and I feel strongly uncomfortable sharing it, but since I'm not using PHP 5.4.x myself yet, perhaps someone else is willing to beta-test that horror.

@mattesser

Just letting you know, your diff worked great for me. php -v works and restarting apache2 doesn't have any warnings or errors. Thanks for your help.

@jgehrcke

Just as a comment for the interested ones:
http://stackoverflow.com/questions/14405053/is-php-5-4-safe-without-suhosin

@calestyo

Yeah well I do not really consider this stackoverflow "answer" authoritative... any Tom, Dick and Harry can post there.

To my mind, it would be definitely better - from a security POV - if Suhosin was available for the current PHP version.
Of course, as it is not, staying at old (eventually unmaintained) versions of PHP isn't a solution either.

Perhaps Stefan will finally comment on whether there's any future for Suhosin or not.

Cheers,
Chris.

@Wikinaut
Author

@stefanesser

Hi Stefan, can you perhaps give a few general comments

  • on the issue that Suhosin is not compatible with PHP versions > 5.3; and
  • what are your intentions and plans: i) will you further support Suhosin for PHP > 5.3, ii) whether you stopped working on Suhosin because you regard PHP 5.4+ as safe (enough), iii) what else?

I think that this would be a big help for all who have been watching and using your projects for many years. Thank you for your Suhosin.

@stefanesser
Collaborator

Close because user error.
