PHP 5.4 compatibility

[Zakay]

The extension won't compile with PHP 5.4:

/stefanesser-suhosin-13620d2/suhosin.c: In function ‘suhosin_register_cookie_variable’:
/stefanesser-suhosin-13620d2/suhosin.c:652: error: ‘struct _php_core_globals’ has no member named ‘magic_quotes_gpc’
/stefanesser-suhosin-13620d2/suhosin.c:689: error: ‘struct _php_core_globals’ has no member named ‘magic_quotes_gpc’
/stefanesser-suhosin-13620d2/suhosin.c: In function ‘suhosin_register_cookie_variable_safe’:
/stefanesser-suhosin-13620d2/suhosin.c:720: error: ‘struct _php_core_globals’ has no member named ‘magic_quotes_gpc’

[diemuzi]

Just wanted to confirm that I'm experiencing the same situation with the exact same errors.

[NHellFire]

I've got it to compile, but it's crashing in ih_function_exists (in execute.c).

Patch: http://kpaste.net/616fc4

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
ih_function_exists (ih=0x1, execute_data_ptr=0x89b0d, return_value_used=144317300, ht=144379340, return_value=0x2c)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1146
1146            RETVAL_BOOL(retval);


#0  ih_function_exists (ih=0x1, execute_data_ptr=0x89ae6, return_value_used=144307116, ht=144369156, return_value=0x2c)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1146
        func = 0x1
        lcname = 0x88fe658 "\336\302\031/u"
        retval = 1 '\001'
        func_name_len = -1512203927
        ht = 142319617
        return_value = 0x89ae6
#1  0xa5dda2de in suhosin_execute_internal (execute_data_ptr=0x8320860, return_value_used=-1497231776)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1681
        retval = 142319617
        lcname = 0x869701b "function_exists"
        function_name_strlen = 144303260
        free_lcname = 142094944
        return_value = 0x8790280
        ce = 0xa5dea380
        ih = 0x82d45c5
        execute_data_ptr = 0x88d5208

[shinji257]

I can confirm as well. Similar issues. This seems to be a compatibility with suhosin and the removal of magic_quotes_gpc from php 5.4.0. The code is still checking for it.

[vladgh]

According to this http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656486 the modifications to permit compilation against PHP 5.4 will be done in time for the release. Any estimate on when?

[scragg0x]

Stefan must be a busy person but I bet some donations will certainly get his attention. http://www.hardened-php.net/donate.45.html Buy him a beer or 3. :)

[Zakay]

PHP5.4 is already released.

Sent from my iPhone

On 11 mar 2012, at 22:27, Vladreply@reply.github.com wrote:

According to this http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656486 the modifications to permit compilation against PHP 5.4 will be done in time for the release. Any estimate on when?

---

Reply to this email directly or view it on GitHub:
#5 (comment)

[waja]

On 03/12/2012 08:06 AM, Zakay wrote:

PHP5.4 is already released

really?

[shinji257]

Yes. It was released on March 1st.
On Mar 12, 2012 3:40 AM, "waja" <
reply@reply.github.com>
wrote:

On 03/12/2012 08:06 AM, Zakay wrote:

PHP5.4 is already released

really?

---

Reply to this email directly or view it on GitHub:
#5 (comment)

[NHellFire]

Yes. I've got as far as: it compiles but crashes when you call function_exists.

[laukstein]

# php -v
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/suhosin.so' - /usr/lib64/php/modules/suhosin.so: undefined symbol: output_globals in Unknown on line 0
PHP 5.4.0 (cli) (built: Mar 17 2012 16:30:08)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

[NHellFire]

I've got it running now.
Patch: http://kpaste.net/4ee

I've had to disable the function_exists and mt_rand stuff as both crash.

Backtrace for mt_rand (function_exists is already posted):

Program received signal SIGSEGV, Segmentation fault.
0x9c99e47d in ih_mt_rand (ih=0x88cbfa0, execute_data_ptr=0x88d24e4, return_value_used=1, ht=2, return_value=0x2500089a)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1480
1480            RETVAL_LONG(number);

#0  0x9c99e47d in ih_mt_rand (ih=0x88cbfa0, execute_data_ptr=0x88d24e4, return_value_used=1, ht=2, return_value=0x2500089a)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1480
#1  0x9c99c3ee in suhosin_execute_internal (execute_data_ptr=0x88d24e4, return_value_used=1)
    at /home/nathan/source/php/suhosin/php-suhosin-0.9.33/execute.c:1682

• Edit: rand will also need disabling, just move the #if in execute.c up one line.

[stefanesser]

Under no circumstances use 3rd party patched posted in the issues section.

[calestyo]

Stefan, why did you close that issue? Even if the patches here may be not safe, the original problem (missing patches for 5.4) is not solved, is it?

[stefanesser]

Closing this issue was required because people started to throw unqualified patches at other users. Using these patches will put people at risk because they break functionality. Also they create a support nightmare.

[Zakay]

isn't that the whole point of opensource? people sharing code with other people? And why do you moderate and delete messages in this thread, that aren't harmful?

[stefanesser]

No it isn't.

I moderate and delete messages in order to protect people from using broken patches that endager them.

[calestyo]

Hi Stefan.

I haven't noticed (before) that there are already patches in master :)

Don't have a strong opinion on deleting comments with dangerous patches,... at least it's good if you mark them as such :)

Nevertheless...
Is the code in master now considered to be a officially released 5.4? Cause Debian people won't consider a package update, when this doesn't show up as tarball on the suhosin homepage ;)

Also, what does "initial support" mean?

Cheers,
Chris.

btw: have you tried whether the most recent critical hole in PHP would have been prevented by suhosin? :)

[stefanesser]

"Inital support" means that it now compiles against PHP 5.4 in a correct way. However PHP 5.4 has a myriad of code changes and therefore stuff might still be broken.

It is already known that there is a problem with sessions and gallery.

[DangitRick]

Any ETA on when Suhosin will have official support for PHP 5.4? Dreamhost, as one prominent example, won't enable PHP 5.4 on their servers until Suhosin supports it.

[1uhost]

cpanel now makes php 5.4 available( was experimental) does that mean Suhosin will work OK?

[darvil]

For those who don't know, the dev version of suhosin works on php 5.4 (i installed it on 5.4.9). I haven't checked cpanel yet so I am not sure about that. but they would be using the dev version. Not sure when the official download/support will come but so far so good.

[1uhost]

darvil, Thanks for the info.
suhosin is removed from an option in cpanel if php 5.4 is selected but we can manually install the dev version. Thanks.

[1uhost]

Ah! seems the dev version in cpanel is not working :(
http://forums.cpanel.net/f5/60272-php-5-4-suhosin-288141.html#post1252032

[darvil]

Have you tried it yourself? I forgot to mention I'm using it on php-fpm and it is working fine for me.

[1uhost]

Not tried yet, where is the dev link? I can only see https://github.com/stefanesser/suhosin/archive/master.tar.gz

[darvil]

use git ;) "git clone https://github.com/stefanesser/suhosin.git"

[1uhost]

Using centos so no git installed, But wget https://github.com/stefanesser/suhosin/tarball/master worked.
Its installed and appears to be working fine. Thanks for your help darvil :)

[darvil]

NP, I believe thats a nightly snapshot so its ok. FYI, just do a yum install git. Git is very handy to have around.

[1uhost]

Thanks for the heads up!

[kucerarichard]

Thanks! git clone works... now to ward off the numberless RATs using eval()... (google "HTTP_X_CODE")

php -v

PHP 5.4.11 (cli) (built: Jan 16 2013 16:51:38)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
with Suhosin v0.9.34-dev, Copyright (c) 2007-2012, by SektionEins GmbH