Suhosin is it necessary by having asl?

Support/Development for PHP
copernic2006
Forum User
Posts: 86
Joined: Wed Oct 03, 2012 2:51 pm
Location: Algiers


Hello,
Suhosin is causing me a lot of problems with a site (vivoo cms). I tried to change the settings by maximizing them, but I still get the same error (configured request variable total name length limit exceeded - dropped variable).
I even tried to create a local php.ini file for the account, but it is not taken into account (the site still takes the value defined in the server php.ini).
Is Suhosin needed (since ASL is installed)? Can I safely disable it?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am


Your problem with your local php.ini is that it overrides defaults in the main php.ini. But if you have the Atomic suhosin package installed, the configuration directives for it are loaded in suhosin.ini. As the configuration files are loaded alphabetically, and as the local php.ini files appear to be loaded after the main php.ini, then your changes get ignored (php.ini > local php.ini > suhosin.ini, so suhosin.ini wins!).

The solution is to move the default suhosin configuration directives back into php.ini.

But on to your question... there are only the rarest of occasions when suhosin catches something that ASL does not. Maybe once or twice a year I see it. And I can't say if what it caught was really bad or not (i.e. whether it would have done any damage).

Scott (or was it Mike) has commented at least once on these forums that using Suhosin with ASL isn't recommended and I'm tempted to remove it myself, BUT I'm using it extensively to allow me to disable dangerous php functions and then re-enable them on a site by site basis. However, with the use of php_fastcgi, I suspect there's no need for it now. I think. I've not thought about it really. Can functions be re-enabled through the use of a site-specific php.ini by not including them in the function blacklist line?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
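
An added example (not from the thread or from the Atomic packages): a small checker that takes ini files in the load order described in the post above and reports which file supplies the effective value of each `suhosin.*` directive and which earlier settings are shadowed. The paths, values and helper names are constructed for illustration; on a real server the file list would come from `php --ini`.

```python
import re

# Constructed sample files, in the load order described in the post above:
# main php.ini, then the account's local php.ini, then the scan-dir suhosin.ini.
SAMPLE_FILES = [
    ("/etc/php.ini", "memory_limit = 128M\n"),
    ("/home/user/public_html/php.ini",
     "; raised for the CMS\nsuhosin.request.max_totalname_length = 2048\n"),
    ("/etc/php.d/suhosin.ini",
     "extension=suhosin.so\nsuhosin.request.max_totalname_length = 256\n"),
]

# name = value, with an optional trailing ';' comment (quoted ';' not handled)
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*(?:;.*)?$")

def parse_ini(text):
    """Yield (directive, value) pairs, skipping comments and section headers."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2).strip('"')

def effective_settings(files, prefix="suhosin."):
    """Map each directive to its winning value, its source file and shadowed settings."""
    result = {}
    for path, text in files:  # later files override earlier ones
        for name, value in parse_ini(text):
            if not name.startswith(prefix):
                continue
            prev = result.get(name)
            shadowed = prev["shadowed"] + [(prev["source"], prev["value"])] if prev else []
            result[name] = {"value": value, "source": path, "shadowed": shadowed}
    return result

if __name__ == "__main__":
    for name, info in effective_settings(SAMPLE_FILES).items():
        print(f"{name} = {info['value']}  (from {info['source']})")
        for src, val in info["shadowed"]:
            print(f"  ignored: {val} set in {src}")
```
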
copernic2006
Forum User
Posts: 86
Joined: Wed Oct 03, 2012 2:51 pm
Location: Algiers


Hello Faris,
Thank you for your help.
I saw in the forum that there is a suhosin package in the atomic repositories, but I do not think it is a good idea to use it since I use cPanel and it must be installed via easyapache (which could break apache).

I use suphp and in theory it is easy to create a local php.ini, but unfortunately for me, it is not considered.

I had an intuition that suhosin is no longer necessary with asl and wanted a confirmation, so I think the best solution is to disable it.

Again thank you for your help.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm


I have used suhosin with ASL and plesk for years and haven't had any problems that couldn't be easily overcome with some tuning of the rules. Typically it's just that people need you to up the amount of post/get vars or max page size a little, which isn't too bad. I would recommend using it where possible (cpanel easyapache is definitely not easy).