[Mapbender-users] take care - suhosin can affect Mapbender administration and block requests

Astrid Emde astrid.emde at wheregroup.com
Tue Dec 6 06:40:58 EST 2011

Stephan Holl wrote:
> Hello Astrid,
> Astrid Emde <astrid.emde at wheregroup.com>, [20111206 - 11:39:20]
>> Hello,
>> some of you may have problems saving changes within the Mapbender
>> administration. This is not a Mapbender problem. It can be caused by
>> Suhosin, as Suhosin defines limits for example for number of POST
>> variables, maximum length of arrays or maximum length of values.
>> What is Suhosin?
>> Suhosin is an open source patch for PHP. "The goal behind Suhosin is
>> to be a safety net that protects servers from insecure PHP coding
>> practices." In some Linux distributions (notably Debian and Ubuntu) it
>> is shipped by default.
>> http://en.wikipedia.org/wiki/Suhosin
>> What can you do?
>> You can deactivate Suhosin to run the simulation mode:
>>  suhosin.simulation = on
> Isn't it the right way to make Mapbender more secure (speaking of
> changing the coding-practice to make it compatible with suhosin) than
> disabling the PHP-harden-framework?
> /me is confused.
> 	Stephan

Hi Stephan,

I do not want you to deactivate suhosin at all. It has only some
default configurations that do not fit and are too restrictive.

Please run suhosin.simulation to find out which suhosin variables you
have to change. After the change you can deactivate suhosin.simulation.

For example, suhosin has a variable suhosin.post.max_vars which has the
value 200 by default.
When you update a WMS which has 200 layers, suhosin.post.max_vars is too
low and the request is blocked, which makes no sense.

So do not disable suhosin but change the variables as they are set too
low for Mapbender.
--

Kind regards

Astrid Emde

----------------------------------
Uplift through knowledge!

Qualified open-source training
at www.foss-academy.eu

----------------------------------

 Astrid Emde
 WhereGroup GmbH & Co.KG
 Eifelstraße 7
 53119 Bonn

 Fon: +49(0)228 90 90 38 - 19
 Fax: +49(0)228 90 90 38 - 11

 astrid.emde at wheregroup.com

Amtsgericht Bonn, HRA 6788
-------------------------------
WhereGroup Verwaltungs GmbH
represented by:
Olaf Knopp, Peter Stamm
-------------------------------
 pgp-public key:
  Signed and/or encrypted mail is highly appreciated
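Added example, not part of the original thread and not Mapbender code: a small Python check that measures a form-encoded POST body against the `suhosin.post.*` limits in a php.ini excerpt, so a limit can be raised to what the application needs instead of turning Suhosin off. The ini excerpt, the form field names and the two limits other than the 200 mentioned above are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed php.ini excerpt. 200 is the default named in the post; the other
# two values are illustrative assumptions, take yours from your own php.ini.
SAMPLE_INI = """
suhosin.simulation = on
suhosin.post.max_vars = 200
suhosin.post.max_value_length = 65000
suhosin.post.max_array_depth = 100
"""

def read_limits(ini_text):
    """Return {directive: int} for the suhosin.post.* lines of an ini text."""
    limits = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("suhosin.post."):
            limits[key] = int(value.strip())
    return limits

def measure(body):
    """Measure one urlencoded POST body (lengths in decoded characters)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return {
        "suhosin.post.max_vars": len(pairs),
        "suhosin.post.max_value_length": max((len(v) for _, v in pairs), default=0),
        "suhosin.post.max_array_depth": max((n.count("[") for n, _ in pairs), default=0),
    }

def exceeded(body, limits):
    """Return {directive: (needed, configured)} for each limit the body exceeds."""
    need = measure(body)
    return {k: (need[k], limits[k]) for k in need if k in limits and need[k] > limits[k]}

def sample_wms_update(layers):
    """Constructed form body: a WMS id plus two fields per layer (hypothetical names)."""
    fields = ["wms_id=1"]
    for i in range(layers):
        fields.append(f"layer[{i}][title]=Layer+{i}")
        fields.append(f"layer[{i}][minscale]=0")
    return "&".join(fields)

if __name__ == "__main__":
    report = exceeded(sample_wms_update(200), read_limits(SAMPLE_INI))
    for directive, (need, have) in report.items():
        print(f"{directive}: request needs {need}, configured {have}")
```

The same comparison can be run on a request body captured from your own installation to pick a limit with some headroom.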