[Mapbender-users] take care - suhosin can effect Mapbender administration and block requests

Astrid Emde astrid.emde at wheregroup.com
Tue Dec 6 06:40:58 EST 2011



Stephan Holl schrieb:
> Hello Astrid,
> 
> Astrid Emde <astrid.emde at wheregroup.com>, [20111206 - 11:39:20]
> 
>> Hello,
> 
>> some of you may have problems saving changes within the Mapbender
>> administration. This is not a Mapbender problem. It can be caused by
>> Suhosin, as Suhosin defines limits for example for number of POST
>> variables, maximum length of arrays or maximum length of values.
> 
>> What is Suhosin?
>> Suhosin is an open source patch for PHP. "The goal behind Suhosin is
>> to be a safety net that protects servers from insecure PHP coding
>> practices." In some Linux distributions (notably Debian and Ubuntu) it
>> is shipped by default.
>> http://en.wikipedia.org/wiki/Suhosin
> 
>> What can you do?
>> You can deactivate Suhosin to run the simulation mode:
>>  suhosin.simulation = on
> 
> Isn't it the right way to make Mapbender more secure (speaking of
> changing the coding-practice to make it compatible with suhosin) than
> disabling the PHP-harden-framework?
> 
> /me is confused.
> 
> 	Stephan
> 

Hi Stephan,

 I do not want you to deactivate suhosin at all. It only has some
default configurations that do not fit and are too restrictive.

Please run suhosin.simulation to find out which suhosin variables you
have to change. After the change you can deactivate suhosin.simulation
again.

For example, Suhosin has a variable suhosin.post.max_vars which has the
value 200 by default.
When you update a WMS which has 200 layers, suhosin.post.max_vars is too
low and the request is blocked, which makes no sense.

http://www.hardened-php.net/suhosin/configuration.html#suhosin.post.max_vars

So do not disable suhosin but change the variables as they are set too
low for Mapbender.
--

Kind regards

Astrid Emde

----------------------------------
Uplift through knowledge!

Qualified open-source training
at www.foss-academy.eu

----------------------------------

 Astrid Emde
 WhereGroup GmbH & Co.KG
 Eifelstraße 7
 53119 Bonn
 Germany

 Phone: +49(0)228 90 90 38 - 19
 Fax: +49(0)228 90 90 38 - 11

 astrid.emde at wheregroup.com
 www.wheregroup.com

Amtsgericht Bonn, HRA 6788
-------------------------------
General partner:
WhereGroup Verwaltungs GmbH
represented by:
Olaf Knopp, Peter Stamm
-------------------------------
 pgp-public key:
 http://pgp.mit.edu:11371/pks/lookup?search=0x06DA52D72D515284
  Signed and/or encrypted mail is highly appreciated
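The advice above is to run with suhosin.simulation = on, read the alerts it logs, and raise only the limits that Mapbender actually hits. The script below, an added example that is not part of this mail nor of the Mapbender or Suhosin projects, parses such alert lines out of an Apache error log, tells the directives apart, and for count-based limits derives the value the request needed (limit plus dropped variables). The alert wordings, the log layout, the default of 200 for suhosin.request.max_vars and the sample log are assumptions; compare the wordings with your own error log before relying on them.

```python
import re
from collections import Counter

# Which Suhosin alert wording points at which php.ini directive. The wordings are
# assumed from Suhosin's alert messages; compare them with your own error log.
LIMIT_DIRECTIVES = {
    "configured POST variable limit exceeded": "suhosin.post.max_vars",
    "configured request variable limit exceeded": "suhosin.request.max_vars",
    "configured POST variable value length limit exceeded": "suhosin.post.max_value_length",
}
# Count-based limits and their assumed defaults: each dropped variable is one over the limit.
COUNT_LIMITS = {"suhosin.post.max_vars": 200, "suhosin.request.max_vars": 200}

ALERT_RE = re.compile(
    r"ALERT(?P<sim>-SIMULATION)? - (?P<msg>configured .+? limit exceeded)"
    r" - dropped variable '(?P<var>[^']*)' \(attacker '[^']*', file '(?P<file>[^']*)'\)"
)

def parse_alert(line):
    """Directive, variable and mode for one log line; None if it is not a Suhosin alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"directive": LIMIT_DIRECTIVES.get(m["msg"], m["msg"]), "variable": m["var"],
            "file": m["file"], "simulation": m["sim"] is not None}

def suggest_limits(lines, current=COUNT_LIMITS):
    """Count dropped variables per directive; for count limits suggest a new value.
    With limit L and D dropped variables the request carried at least L + D."""
    dropped, blocked = Counter(), False
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        dropped[alert["directive"]] += 1
        blocked |= not alert["simulation"]      # a real ALERT means the request lost data
    suggest = {}
    for directive, n in dropped.items():
        if directive in current:
            suggest[directive] = -(-(current[directive] + n) // 50) * 50   # round up to 50s
        else:
            suggest[directive] = None   # length limit: the log line does not give the size
    return {"dropped": dict(dropped), "blocked": blocked, "suggest": suggest}

# Constructed sample: saving a WMS with 237 layers while suhosin.simulation = on.
PREFIX = "[Tue Dec 06 11:39:20 2011] [error] [client 192.0.2.10] "
SAMPLE_LOG = [PREFIX + "File does not exist: /var/www/favicon.ico"] + [
    PREFIX + "ALERT-SIMULATION - configured POST variable limit exceeded - dropped variable "
    f"'layer_title[{i}]' (attacker '192.0.2.10', file '/var/www/mapbender/example.php')"
    for i in range(201, 238)
]

if __name__ == "__main__":
    print(suggest_limits(SAMPLE_LOG))   # → 37 dropped, not blocked, suhosin.post.max_vars 250
```

Once the suggested values are in php.ini and the alerts stop appearing, suhosin.simulation can be switched off again, as the mail describes.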

