Opened 3 years ago

Closed 3 years ago

#1486321 closed Bugs (fixed)

incompatibility with php5-suhosin

Reported by: cebe
Owned by:
Priority: 3
Milestone: 0.4-beta
Component: PHP backend
Version: 0.3.1
Severity: normal
Keywords: suhosin
Cc:

Description

RC doesn't work with Suhosin, which is a good security protection for PHP.

First, RC uses preg_replace() with the /e modifier, at least in program/include/rcmail.php (line 691).

Second, the RC session stops immediately, so it's impossible to stay connected for more than a second.

Change History (9)

comment:1 Changed 3 years ago by cebe

  • Milestone changed from later to 0.4-beta

comment:2 Changed 3 years ago by alec

We can do nothing about the session, because we're using custom session handling. The Roundcube Installer requires the option suhosin.session.encrypt to be off. About the /e modifier, here's the list of files where we use it:

rcube_template.php
rcmail.php
rcube_mail_mime.php
lib/Mail/mime.php
lib/Mail/mimePart.php

We're using it in a safe way, but we should handle this without the /e modifier. The problem is with the external PEAR::Mail_MIME library. Even if we fix our code, there will still be a problem with it. So, maybe we should require the suhosin.executor.disable_emodifier option to be disabled in the Installer? I'll write to Mail_MIME's bug tracker.
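As an added illustration of the /e problem discussed in this comment (this is example code written for this page, not Roundcube's or Mail_MIME's own; the tag syntax, the render_object() handler and the template text are constructed): with /e the replacement string is evaluated as PHP after back-references are substituted, so text captured from untrusted input ends up inside PHP source. preg_replace_callback() is the form the /e usages need to be rewritten into.

```php
<?php
// Added example, not Roundcube's code. The tag syntax, the handler and the
// template text are constructed for illustration.
//
// With the /e modifier the *replacement string* is evaluated as PHP code
// after the back-references are substituted, which is exactly what
// suhosin.executor.disable_emodifier refuses to run (PHP 7 removed /e):
//
//   preg_replace('/<roundcube:object\s+name="([^"]+)"\s*\/>/e',
//                'render_object("\\1")', $template);
//
// preg_replace() escapes quotes in the captured text, but a capture such as
// {${system(id)}} contains none and is still interpolated by the double-quoted
// string before eval, so untrusted template text can execute code.

function render_object($name)
{
    // Hypothetical handler: only whitelisted object names produce output.
    $objects = array(
        'username' => 'alice',
        'version'  => '0.3.1',
    );
    return isset($objects[$name]) ? htmlspecialchars($objects[$name]) : '';
}

function expand_template($template)
{
    // The hardened form: preg_replace_callback() hands the match array to a
    // PHP function. The capture stays a plain string; nothing is eval'd.
    return preg_replace_callback(
        '/<roundcube:object\s+name="([^"]+)"\s*\/>/',
        function ($m) {
            return render_object($m[1]);
        },
        $template
    );
}

// Constructed input: one legitimate tag and one carrying the /e payload.
$template = 'Hello <roundcube:object name="username" />, '
          . 'you have <roundcube:object name="{${system(id)}}" /> here.';

echo expand_template($template), "\n";
```

With the callback the second tag simply yields an empty string, because its name is not in the whitelist; the same capture fed to the /e replacement would be interpolated and executed. The rewrite is mechanical for each of the files listed above: move whatever the replacement string computed into the callback body.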

comment:3 in reply to: ↑ description Changed 3 years ago by SeeSchloss

Replying to cebe:

RC doesn't work with Suhosin, which is a good security protection for PHP.

Second, the RC session stops immediately, so it's impossible to stay connected for more than a second.

This problem with sessions and Suhosin will only happen if the provided .htaccess file isn't used: maybe your HTTP server isn't configured to use it, or maybe you're running Roundcube through php-cgi instead of mod_php (so php_flag has no effect).

comment:4 Changed 3 years ago by cebe

Ok, thanks for your answers.
In fact, I hadn't replaced the old .htaccess with the latest one.
So I've also set suhosin.executor.disable_emodifier to off in .htaccess.
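The settings the thread ends up with, collected into one .htaccess fragment as an added example (this is not Roundcube's shipped .htaccess; the request length value is an assumed figure to adjust per site). As comment:3 notes, php_flag/php_value are only honoured under mod_php; with php-cgi or FastCGI the same keys have to go into php.ini instead.

```apacheconf
# Added example, not Roundcube's shipped .htaccess. These directives take
# effect only when PHP runs as mod_php; under php-cgi/FastCGI they are
# silently ignored and the same settings belong in php.ini.
<IfModule mod_php5.c>
    # Roundcube uses its own session handler, so Suhosin's transparent
    # session encryption must be off (the Installer checks for this).
    php_flag suhosin.session.encrypt Off

    # Needed as long as Roundcube or PEAR::Mail_MIME still uses preg_replace()
    # with the /e modifier.
    php_flag suhosin.executor.disable_emodifier Off

    # Assumed value: raise the per-variable limit so a large _message body is
    # not dropped by Suhosin. Size it to the largest message you expect.
    php_value suhosin.request.max_value_length 2000000
</IfModule>
```

Keeping the block inside IfModule means an installation that is not running mod_php fails the Installer's checks rather than failing at login, which is the symptom described at the top of the ticket.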

comment:5 Changed 3 years ago by cebe

Oops, another problem with Suhosin:
ALERT - configured request variable value length limit exceeded - dropped variable '_message' (attacker 'x.x.x.x', file '/home/rcube/roundcube/index.php')

comment:6 Changed 3 years ago by cebe

And another, quite frequent one:
ALERT - header() - wanted to send a HTTP header with an ASCII NUL in it (attacker 'xx.xx.xx.xx', file '/home/roundcube/program/steps/mail/get.inc', line 109)

comment:7 Changed 3 years ago by alec

First: increase suhosin.request.max_value_length; we cannot handle this any other way.
Second: I'm not sure how to handle this alert. Could you provide a sample message that produces it?
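One way to deal with the header() alert from comment:6, as an added example rather than Roundcube code: the ticket only shows the file and line, so it is an assumption here that the header at get.inc line 109 is built from message data such as an attachment filename. Whatever the source, the value should have control characters removed before it reaches header(); the sample filename below is constructed.

```php
<?php
// Added example, not Roundcube code. It assumes (the ticket does not say)
// that the header at get.inc line 109 is built from message data such as an
// attachment filename; the sample filename below is constructed.

/**
 * Reduce an untrusted string to something safe to place in an HTTP header
 * value: drop NUL and every other control character (CR/LF would otherwise
 * allow header injection), and fall back to a default if nothing is left.
 */
function header_safe($value, $default = 'attachment')
{
    // \x00-\x1F covers NUL, CR, LF and the rest of C0; \x7F is DEL.
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', '', $value);
    $clean = trim($clean);
    return $clean === '' ? $default : $clean;
}

/**
 * Build a Content-Disposition header from an attachment filename taken from
 * a message. Quotes and backslashes are escaped so the filename cannot break
 * out of the quoted-string.
 */
function content_disposition_header($filename, $inline = false)
{
    $name = header_safe($filename, 'attachment.bin');
    $name = str_replace(array('\\', '"'), array('\\\\', '\\"'), $name);
    return 'Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
         . '; filename="' . $name . '"';
}

// Constructed filename of the kind that trips Suhosin: a NUL byte followed by
// trailing data, plus an embedded CRLF with a bogus extra header.
$bad = "report.pdf\0.exe\r\nX-Injected: 1";
$hdr = content_disposition_header($bad);

// header($hdr) is what get.inc would do; echo keeps the example runnable
// from the command line.
echo $hdr, "\n";
```

Stripping rather than rejecting keeps the download working for a message with a malformed attachment name, which matters since the alert comes from real customer mail that cannot be obtained for analysis.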

comment:8 Changed 3 years ago by cebe

  • Severity changed from major to normal

No, sorry, I can't: it's from some customers.

comment:9 Changed 3 years ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

I don't think we can do anything about these alerts. The incompatibility with suhosin.executor.disable_emodifier is fixed in [09173561].
