Re: suhosin and 5.4 onwards

On 03/08/2013 18:50, Lester Caine wrote:

> Practical experience is that suhosin does not actually work with 5.4?

Not without _unofficial_ patch(es); see attached for sessions. If it doesn't go through on list you can find the patch on github.

> I've had to disable it because of problems with session handling amongst other
> things and don't have time to investigate why.


There was a patch on suhosin mailing list for that, a few people who tried it out said it worked. I've not yet bothered, but...


I saw a post from Steffen saying he has no time for suhosin and the project is being taken over by someone else. I think the jury is out on if it will ever revive; in meantime, php 5.3 works fine. If only php devs would stop fscking changing everything every time they release a new version, frustrating to many.

And people who rely on mod_security are no more protected than what is being done here, since mod_security has not had the best track record itself in the past.


> Would I prefer to re-enable it - YES - and it's one of a number of reasons that have been making switching currently stable PHP5.2 servers over to 5.4 less
> attractive.
> The amount of time I'm wasting on coping with many of the so called improvements across the whole Linux platform is making me feel that commercial interests are


That's why I recommend distros that don't want to change the world and stick by tried and time proven, like slackware and gentoo, but this isn't an os flame against others, I use opensuse as well on PCs and laptops.

Everything just looks after itself :)


From 117b6aa6efec61afaa1431c698dad8eb553b55f5 Mon Sep 17 00:00:00 2001
From: Olivier Blin <dev@xxxxxxxxx>
Date: Sun, 31 Mar 2013 01:15:48 +0100
Subject: [PATCH] Fix saving sessions in PHP 5.4 with user session handlers
 (fix #12)

When session storage functions are set with session_set_save_handler()
(this is the "mod_user" mode), mod_data will be NULL in PHP 5.4, and
suhosin session hooks will bail out.
PHP 5.4 allows checking this with mod_user_implemented instead.
---
 session.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/session.c b/session.c
index 1045a93..513c195 100644
--- a/session.c
+++ b/session.c
@@ -728,7 +728,12 @@ static int suhosin_hook_s_read(void **mod_data, const char *key, char **val, int
     }*/
     
     /* protect dumb session handlers */
-    if (key == NULL || !key[0] || *mod_data == NULL) {
+    if (key == NULL || !key[0] ||
+		(*mod_data == NULL
+#if PHP_VERSION_ID >= 50400
+		 && !SESSION_G(mod_user_implemented)
+#endif
+		)) {
 regenerate:
         SDEBUG("regenerating key is %s", key);
         KEY = SESSION_G(id) = SESSION_G(mod)->s_create_sid(&SESSION_G(mod_data), NULL TSRMLS_CC);
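Review bot: In suhosin_hook_s_read the NULL guard is now skipped whenever SESSION_G(mod_user_implemented) is set, but that is a session-wide global, not a property of the *mod_data being tested. It is worth confirming the flag can only be true while the user handler is the active module; otherwise a non-user handler that left *mod_data NULL would no longer reach the regenerate path that the "protect dumb session handlers" check exists for. A one-line comment saying why a NULL mod_data is legitimate for user handlers on 5.4 would also help the next reader.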
@@ -777,7 +782,12 @@ static int suhosin_hook_s_write(void **mod_data, const char *key, const char *va
     char *v = (char *)val;
 
     /* protect dumb session handlers */
-    if (key == NULL || !key[0] || val == NULL || strlen(key) > SUHOSIN_G(session_max_id_length) || *mod_data == NULL) {
+    if (key == NULL || !key[0] || val == NULL || strlen(key) > SUHOSIN_G(session_max_id_length) ||
+		(*mod_data == NULL
+#if PHP_VERSION_ID >= 50400
+		 && !SESSION_G(mod_user_implemented)
+#endif
+		)) {
         r = FAILURE;
         goto return_write;
     }
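Review bot: The `*mod_data == NULL` / `#if PHP_VERSION_ID >= 50400` group added to the condition in suhosin_hook_s_write is the same text that goes into the read and destroy hooks, and a preprocessor conditional in the middle of an if condition is easy to break on the next edit. Suggest defining the test once in session.c behind a single #if, for example as a macro (hypothetical name SUHOSIN_MOD_DATA_MISSING(mod_data)), and using it in all three hooks; that would also bring this already long condition back to a readable length.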
@@ -820,7 +830,12 @@ static int suhosin_hook_s_destroy(void **mod_data, const char *key TSRMLS_DC)
     int r;
 
     /* protect dumb session handlers */
-    if (key == NULL || !key[0] || strlen(key) > SUHOSIN_G(session_max_id_length) || *mod_data == NULL) {
+    if (key == NULL || !key[0] || strlen(key) > SUHOSIN_G(session_max_id_length) ||
+		(*mod_data == NULL
+#if PHP_VERSION_ID >= 50400
+		 && !SESSION_G(mod_user_implemented)
+#endif
+		)) {
         return FAILURE;
     }
     
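Review bot: The continuation lines added to the condition in suhosin_hook_s_destroy are indented with tabs, while the surrounding context lines in session.c use four spaces; please match the file's indentation so the condition lines up regardless of tab width. The same applies to the added lines in the read and write hooks.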
-- 
1.8.1.5

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
