Suhosin.so does not load in PHP 5.4.4 ("Suhosin does not yet support PHP 5.4") #17
Comments
I can confirm that the issue reported by burnersk is still reproducible in Debian Wheezy:
php_mb_gpc_encoding_detector and php_mb_gpc_encoding_converter are no longer part of the MBSTRING API. Edit: nor is php_mb_encoding_translation, though it exists in mbstring.c. This means that the problem lies in rfc1867.c, lines 63-66:

```c
if (num_vars > 0 &&
    php_mb_gpc_encoding_detector(val_list, len_list, num_vars, NULL TSRMLS_CC) == SUCCESS) {
    php_mb_gpc_encoding_converter(val_list, len_list, num_vars, NULL, NULL TSRMLS_CC);
}
```

and lines 620-625:

```c
#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
    if (php_mb_encoding_translation(TSRMLS_C)) {
        int len=strlen(str);
        php_mb_gpc_encoding_detector(&str, &len, 1, NULL TSRMLS_CC);
    }
#endif
```

and 1213-1216:

```c
if(php_mb_gpc_encoding_detector(val_list, len_list, num_vars, NULL TSRMLS_CC) == SUCCESS) {
    str_len = strlen(filename);
    php_mb_gpc_encoding_converter(&filename, &str_len, 1, NULL, NULL TSRMLS_CC);
}
```

I'm not familiar enough with the regrettably uncommented Suhosin code to know what these functions and code segments are meant to achieve, so I'm a bit reluctant to edit out the segments I've listed above. And I suspect that if I did so, PHP and Suhosin would perhaps work, but any errors would probably be undetectable to me.
Removing code related to php_mb_flush_gpc_variables(), php_mb_encoding_translation(), php_mb_gpc_encoding_converter() and php_mb_gpc_encoding_detector() seems to make Suhosin usable for Debian Wheezy with the current PHP 5.4.4-10 incarnation there. As far as I can tell, this may possibly leave some multibyte handling less protected than with a stock PHP 5.4 install. However, it seems to me that there is a bit of risk in simply doing it that way, since rfc1867.c has changed quite a bit between PHP 5.3.x and PHP 5.4.x. I think rfc1867.c needs a fresh start for Suhosin, in order to ensure PHP 5.4 compatibility, and not just a loading PHP version.
I've taken the deep plunge and removed all HAVE_MBSTRING dependent code from rfc1867.c, the diff is here: I don't know if this is a safe fix, and I feel strongly uncomfortable sharing it, but since I'm not using PHP 5.4.x myself yet, perhaps someone else is willing to beta-test that horror.
Just letting you know, your diff worked great for me. php -v works and restarting apache2 doesn't have any warnings or errors. Thanks for your help.
Just as a comment for the interested ones:
Yeah well I do not really consider this stackoverflow "answer" authoritative... any Tom, Dick and Harry can post there. To my mind, it would be definitely better - from a security POV - if Suhosin was available for current PHP version. Perhaps Stefan will finally comment on whether there's any future for Suhosin or not. Cheers,
Hi Stefan, can you perhaps give a few general comments
I think that this would be a big help for all who have been watching and using your projects for many years. Thank you for your Suhosin.
Close because user error.
updated 2012-07-16 see #14 ("just as a reminder that PHP 5.4.x is not yet supported.")
Suhosin 0.9.33
After migration to PHP 5.4.4
I did
and got