xoops forums

GreenFlatDog

Just popping in
Posted on: 2009/6/10 16:18
Posts: 48
Since: 2008/4/10
#1

Xoops and SUHOSIN

SUHOSIN is a PHP extension from the Hardened PHP Project. Its purpose is to protect the server from various attacks. It is becoming popular among hosting providers. One of its techniques is to limit the number of variables in $_POST, $_GET and $_REQUEST.

Xoops puts lots of variables in $_POST when modules update group permissions (groupperm.php). For example, in User Profile, which comes as an option with the core, 'editable from profile' can be set to Yes or No for each group on each of the 21 standard fields.

With a standard install of SUHOSIN the permissions tab in User Profile will not work with more than four groups - yes FOUR groups!

Here's why. SUHOSIN's default limit for the maximum number of variables in $_POST is 200. It seems to count both the 'index' and 'value' bits within $_POST as separate variables, so updating the permissions in User Profile with four groups results in 4 x 21 x 2 = 168 and with five groups it's 210. So with more than four groups it fails.

This problem will also show up when updating a single category/topic/item within a module where you have lots of groups. For example in the News module, submit, approve and view permissions are set in each topic so here you are limited to 33 groups (33 x 3 x 2 = 198). This might sound like a lot of groups but with XOOPS modules offering fine-grained control over their categories/topics a site with several modules can easily exceed this. Groups are good and add power to the system.

Can the core team include in their 'standard requirements/recommendations' a maximum number of variables that can be handled by the post method?

If we had that then site admins could negotiate with their hosting providers, or set their own servers up, in the comfort of knowing that however many groups or categories/topics they create they won't suddenly find the site failing.

Full story in next post ...
GFD

GreenFlatDog

Just popping in
Posted on: 2009/6/10 16:26
Posts: 48
Since: 2008/4/10
#2

Xoops and SUHOSIN - my story

I finally discovered the impact of SUHOSIN after six months of trying to track down why several popular modules wouldn't work when uploaded to a hosted server. They worked OK on a development set-up (Windows XP) but failed on a hosted Linux server.

The modes of failure on the server were unhelpful which made troubleshooting complicated. In some instances it returned a simple 'server error' page, and in the server log it just said something about 'incomplete headers'. In other instances the attempt at updating permissions seemed to complete OK but the permissions hadn't actually been updated.

What I believe was happening was that SUHOSIN just cut off the posted data after reaching its set limit. When that messed up an array within the $_POST, say by letting an 'index' variable through but not its associated 'value' variable, then I got an error page, but if the data in the $_POST was still a valid collection (albeit with some missing) then the process continued but some expected updates didn't get done!

Before realizing that SUHOSIN was the culprit I spent some time trying to replicate my host's environment on the XP machine. Dumped IIS and installed a WAMP set-up, changed the Apache version, changed the MySQL version, changed the PHP version, changed from PHP as a module to FastCGI, and finally changed all the php.ini settings to match those on the host (well, those I could understand anyway!).

The thing that stumped me was getting SUHOSIN itself. Over at its home (Hardened PHP Project) it's downloadable as a set of files that need compiling. I guess that's something Linux users are good at, but for inadequates like me it has to be a dll file. Links around the Internet pointed to the forums area at SUHOSIN's home as a place to get the dll but it seemed to be permanently in 'maintenance' mode (still is today). I eventually found one, but unfortunately I can't remember where, and recent attempts at searching haven't turned it up a second time. If someone knows where this can be downloaded I'm sure others would benefit. Alternatively, if anyone can offer download space then email me at support.xoops.forums@origma.demon.co.uk and I can send a copy.

To continue ...
Once installed on the WAMP set up SUHOSIN is quite easy to experiment with. When it catches something it writes an error report to XP's Event Viewer saying what happened. Also you can put it into 'simulation' mode where it reports any breaches but lets the processing continue. All the parameters are set in php.ini so troubleshooting can be easy and quick. However if you are working in an IDE like Eclipse it will conflict with the debugger which is a shame.

After playing with it for a while I was able to work out what value I needed for the maximum variables in $_POST parameter. My site had 46 groups (yes yes I know it's a lot!) and I wanted to add new fields to the User Profile module bringing them to a total of 30. This meant I needed a value of 2852 (from 46 x 30 x 2). The hosting provider had already viewed the default figure of 200 too low and had doubled it to 400. But this was a little short of the figure I needed.

In discussion with them they raised the value to 1024 but pointed out the whole point of the restriction was to protect the server so were reluctant to simply whack the figure up just because I asked. Their position went something like, 'if the guy that wrote this stuff thought 200 a safe number to use then five times that number is probably as far as we want to go'. Quite reasonable really, they've bought into SUHOSIN to give them protection so it makes no sense to open it up and risk the bad boys getting in.

At the moment I have changed the management arrangements of the site along with several module hacks and reduced the groups to a bare minimum of 23 and ambitions for the User profile module have been reduced by restricting the field count to 26. This would need a $_POST variables limit of 1196 and I have re-approached the provider hoping that this modest change will be acceptable.

I hope my story will help others running sites, and indicate an area where the core, and module, developers might like to look at. SUHOSIN isn't going away.
GFD
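An added example, not part of the original posts and not XOOPS or Suhosin code: one way a form handler could refuse the silent partial update described in post #2. It assumes, as the poster believes, that variables past the limit are simply dropped; the `form_end` marker field and the helper names are hypothetical, and `suhosin.post.max_vars` is Suhosin's ini directive for the $_POST limit.

```php
<?php
// Added example: helper names and the 'form_end' marker field are
// hypothetical, not part of XOOPS or Suhosin.

/** Configured Suhosin POST variable limit, or null if the directive is absent. */
function suhosin_post_limit(): ?int
{
    $v = ini_get('suhosin.post.max_vars');   // false when Suhosin is not loaded
    return ($v === false || $v === '') ? null : (int) $v;
}

/** Number of leaf values that actually arrived in a (nested) request array. */
function count_leaf_vars(array $data): int
{
    $n = 0;
    array_walk_recursive($data, function ($value) use (&$n) { $n++; });
    return $n;
}

/**
 * The form emits <input type="hidden" name="form_end" value="1"> as its LAST
 * field. If variables past a limit are dropped, the marker never arrives.
 */
function post_is_complete(array $post, string $marker = 'form_end'): bool
{
    return isset($post[$marker]) && $post[$marker] === '1';
}

/** Gate a permission update: returns an error string, or null when safe to save. */
function check_permission_post(array $post): ?string
{
    if (post_is_complete($post)) {
        return null;
    }
    $limit = suhosin_post_limit();
    return sprintf(
        'Form data incomplete: %d values received, suhosin.post.max_vars=%s. Nothing was saved.',
        count_leaf_vars($post),
        $limit === null ? 'not set' : (string) $limit
    );
}

// Constructed sample input: a full submission and one cut off before the marker.
$full      = ['perms' => [1 => ['name', 'email'], 2 => ['name']], 'form_end' => '1'];
$truncated = ['perms' => [1 => ['name', 'email'], 2 => ['name']]];
var_dump(check_permission_post($full));
var_dump(check_permission_post($truncated));
```

Calling the gate before any permission rows are deleted or rewritten turns the "completed OK but nothing changed" case into an explicit error that names the limit to raise.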

Mamba

Moderator
Posted on: 2009/6/10 18:24
Posts: 10962
Since: 2004/4/23
#3

Re: Xoops and SUHOSIN - my story

Thank you very much for this excellent report! Very much appreciated!

I'll make sure that we add this info to the "Readme" file as a recommendation.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

ghia

Community Support Member
Posted on: 2009/6/10 21:41
Posts: 4954
Since: 2008/7/3 1
#4

Re: Xoops and SUHOSIN

Maybe you could also make a feature request for it. As I said before, some XOOPS forms might be revised to have fewer variables in the form.
I find the 200 limit very sound and acceptable (although probably not practical)!
It should certainly be something to strive for.