Hey guys, any idea how to respond on this "bugreport"?
I personally think:

1. if anybody installs a PHP security module, the documentation should be read
2. if the documentation was read, the users are able to set appropriate settings
3. if anybody doesn't like how suhosin acts and uses the simulation mode, this should be done via an ini setting

I agree that we haven't included any documentation, which is caused by missing documentation in the upstream tarball; upstream provides the docs online.

Guessing from the bugreport, I think the cause for the "dataloss" was that suhosin blocked the execution of the script, because the values are too many/too large, which can be adjusted via ini settings. Not checking if the values have reasonable content is not a problem of suhosin, but of the application. There are many other scenarios (unrelated to suhosin) which can cause empty values.

Thanks and with kind regards,
Jan.

--
Never write mail to <w...@spamfalle.info>, you have been warned!
--- Begin Message ---
Package: php5-suhosin
Version: 0.9.27-1
Severity: critical
Justification: breaks unrelated software

Suhosin nulls the parameters of a very large MySQL update, resulting in null values being submitted to the database where data was expected. It seems more reasonable that Suhosin would instead kill the update queries if it considers them to be an attack, and log it so the admin can make appropriate changes. As it is, it is highly destructive, and not immediately apparent when Suhosin is first installed/updated. It only appears later when the end-users generate a large enough update. A ticking time bomb for the database. This has certainly been more destructive to me in the last week than any "attack" in the last 10 years. Until this is resolved I would suggest Suhosin be enabled in simulation mode by default.

Thank you,
David

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18.8-linode16 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-suhosin depends on:
ii  libapache2-mod-php   5.2.6.dfsg.1-1+lenny2  server-side, HTML-embedded scripti
ii  libc6                2.7-18                 GNU C Library: Shared libraries
ii  php5-cli [phpapi-2   5.2.6.dfsg.1-1+lenny2  command-line interpreter for the p

php5-suhosin recommends no packages.
php5-suhosin suggests no packages.

-- no debconf information
--- End Message ---
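One way to implement the application-side check Jan describes (refuse the update when expected fields are missing, rather than writing empty values), as an added example that is not code from the thread or from Suhosin; the table and column names, the field list and the length limit are assumptions for illustration:

```php
<?php
// Added example, not from the thread or from Suhosin: refuse an UPDATE when a
// request arrives with fields missing or empty, instead of writing NULLs.
// Table/column names ("articles", "id", "title", "body") and the limits are
// assumptions. When a request exceeds Suhosin's limits (e.g. suhosin.post.max_vars
// or suhosin.post.max_value_length) the offending variables are dropped from
// $_POST; the script keeps running and simply sees missing keys.

/**
 * Return a list of problems with a submitted payload; an empty array means OK.
 * @param array $post     the request data (normally $_POST)
 * @param array $required field names the form always submits
 * @param int   $maxLen   largest value the application is willing to store
 */
function validate_update_payload(array $post, array $required, $maxLen)
{
    $problems = array();
    foreach ($required as $field) {
        if (!array_key_exists($field, $post)) {
            $problems[] = "missing field: $field";
        } elseif (!is_string($post[$field]) || $post[$field] === '') {
            $problems[] = "empty field: $field";
        } elseif (strlen($post[$field]) > $maxLen) {
            $problems[] = "field too long: $field";
        }
    }
    // If fields vanished and Suhosin is loaded, say so in the log so the admin
    // knows which ini limit to look at rather than hunting for an application bug.
    if ($problems && extension_loaded('suhosin')) {
        $problems[] = 'suhosin is active: check suhosin.post.max_vars / '
                    . 'suhosin.post.max_value_length (current: '
                    . ini_get('suhosin.post.max_vars') . ' / '
                    . ini_get('suhosin.post.max_value_length') . ')';
    }
    return $problems;
}

/**
 * Run the update only when the payload is complete; returns true on success.
 */
function run_update(PDO $db, array $post)
{
    $problems = validate_update_payload($post, array('id', 'title', 'body'), 65536);
    if ($problems) {
        error_log('update rejected: ' . implode('; ', $problems));
        return false;
    }
    $stmt = $db->prepare('UPDATE articles SET title = :title, body = :body WHERE id = :id');
    return $stmt->execute(array(':id' => $post['id'], ':title' => $post['title'], ':body' => $post['body']));
}
```

Wiring `run_update($db, $_POST)` into the form handler makes a request that Suhosin has trimmed fail loudly in the error log instead of silently blanking rows.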