Hello,
Suhosin is causing me a lot of problems with a site (vivoo cms). I tried to change the settings by maximizing them, but I still get the same error (configured request variable total name length limit exceeded - dropped variable).
I even tried to create a local php.ini file for the account, but it is not taken into account (the site still takes the value defined in the server php.ini).
Is Suhosin needed (since asl is installed)? Can I safely disable it?
Suhosin is it necessary by having asl?
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: Suhosin is it necessary by having asl?
Your problem with your local php.ini is that it overrides defaults in the main php.ini. But if you have the Atomic suhosin package installed, the configuration directives for it are loaded in suhosin.ini. As the configuration files are loaded alphabetically, and as the local php.ini files appear to be loaded after the main php.ini, your changes get ignored (php.ini > local php.ini > suhosin.ini, so suhosin.ini wins!).
The solution is to move the default suhosin configuration directives back into php.ini.
But on to your question... there are only the rarest of occasions when suhosin catches something that ASL does not. Maybe once or twice a year I see it. And I can't say if what it caught was really bad or not (i.e. whether it would have done any damage).
Scott (or was it Mike) has commented at least once on these forums that using Suhosin with ASL isn't recommended and I'm tempted to remove it myself, BUT I'm using it extensively to allow me to disable dangerous php functions and then re-enable them on a site-by-site basis. However, with the use of php_fastcgi, I suspect there's no need for it now. I think. I've not thought about it really. Can functions be re-enabled through the use of a site-specific php.ini by not including them in the function blacklist line?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
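A way to check the load-order explanation in the reply above on the affected account, as an added example that is not part of the original posts: a PHP script (hypothetical name suhosin-trace.php) that lists the ini files PHP reports having parsed, in order, and shows which file last sets each suhosin.* directive. It assumes PHP 5.3 or later, that open_basedir lets the script read the ini files, and that it is requested through the web server so it runs under the site's own handler.

```php
<?php
// Added example, not from the thread. Hypothetical file name: suhosin-trace.php.
// Request it through the web server for the affected account so it sees the
// same handler and ini files as the site itself.

// Ini files in the order PHP parsed them: main php.ini, then the scan directory.
$files = array();
if ($main = php_ini_loaded_file()) {
    $files[] = $main;
}
if ($scanned = php_ini_scanned_files()) {
    foreach (explode(',', $scanned) as $f) {
        $files[] = trim($f);
    }
}

// Record every file that sets a suhosin.* directive; the last entry wins.
$setBy = array();
foreach ($files as $file) {
    $ini = @parse_ini_file($file, false, INI_SCANNER_RAW);
    if ($ini === false) {
        continue; // unreadable or unparsable file
    }
    foreach ($ini as $key => $value) {
        if (strpos($key, 'suhosin.') === 0) {
            $setBy[$key][] = array($file, $value);
        }
    }
}

header('Content-Type: text/plain');
echo "Parsed in order:\n  " . implode("\n  ", $files) . "\n\n";
foreach ($setBy as $key => $hits) {
    list($winner, $value) = end($hits);
    // ini_get() returns false when the directive is not registered at all.
    printf("%s = %s (effective: %s)\n  set last in %s\n",
        $key, $value, var_export(ini_get($key), true), $winner);
    foreach (array_slice($hits, 0, -1) as $h) {
        printf("  shadowed: %s = %s\n", $h[0], $h[1]);
    }
}
```

If the account's local php.ini does not appear in the "Parsed in order" list, PHP never read it for that request; remove the script once the check is done.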
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: Suhosin is it necessary by having asl?
Hello Faris,
Thank you for your help.
I saw in the forum that there is a suhosin package in the atomic repositories, but I do not think it is a good idea to use it since I use cPanel and it must be installed via easyapache (which could break apache).
I use suphp and in theory it is easy to create a local php.ini, but unfortunately for me, it is not considered.
I had an intuition that suhosin is no longer necessary with asl and wanted a confirmation, so I think the best solution is to disable it.
Again, thank you for your help.
-
- Forum Regular
- Posts: 661
- Joined: Mon Oct 29, 2007 6:51 pm
Re: Suhosin is it necessary by having asl?
I have used suhosin with ASL and plesk for years and haven't had any problems that couldn't be easily overcome with some tuning of the rules. Typically it's just that people need you to up the amount of post/get vars or max page size a little, which isn't too bad. I would recommend using it where possible (cpanel easyapache is definitely not easy).