Comments (13)
I will be looking into it this weekend.
from suhosin.
How did it go? I got several new reports about the problem, however I wouldn't like to remove suhosin from the project because of that.
current git version should fix the problem
Great, thanks! Would it be possible to have a setting which would not drop the files if "upload verification script" does not exist or is not executable?
It seems to be a bad idea to not drop files if there is a problem with the script. It is best to default to that; otherwise people might never realize that their filter script is not working.
Yes, but the same could be said from the other point of view: if the configuration line is still added to php.ini, but the user accidentally removed the file or just transferred the php.ini file from his other server, his customers should call and notify him that all of the files are dropped. Another scenario: a client adds the upload verification line to php.ini, but makes a typo, and leaves his huge web hosting server to work. That really wouldn't increase the reputation of the hosting company. In the web hosting sphere that means less stability. I am not asking to change the defaults, I am just saying it would be great to have an ability to change the setting's behavior. Or, if suhosin has an ability to do that, just show a PHP Notice in case it's not possible to use the upload script, but not to drop the files. Thank you for understanding.
I had installed suhosin on two servers with cPanel. The issue seems to be that when the upload verification script does not allow an uploaded file there is no message in /var/log/messages and neither in the error_log files in the user home directory.
I do not know if it is a suhosin problem or a cPanel environment problem.
On those two servers we use the latest suhosin, but on another server, for example, we use the suhosin provided by cPanel (v0.9.33) and there it seems to work well.
Any idea?
@TempleNode: Please provide additional information: PHP versions and variants (e.g. CGI, mod_php,....), Suhosin-Configuration (in particular suhosin.log.* ), verification script. Does Suhosin usually log to /var/log/messages on that server? Is your verification script working properly? Maybe you do not have the suhosin patch, but try to use constants such as S_ALL with suhosin.log.*?
It is also important to know what you mean by "latest" Suhosin. Only a github checkout gives you the "fixed" version at the moment.
PHP 5.4.31 (cgi-fcgi) (built: Aug 17 2014 19:40:53)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with XCache v3.1.0, Copyright (c) 2005-2013, by mOo
with the ionCube PHP Loader v4.6.1, Copyright (c) 2002-2014, by ionCube Ltd.
with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo
with Suhosin v0.9.37-dev, Copyright (c) 2007-2014, by SektionEins GmbH
I had tried different configurations, even creating separate files where to log those alerts. When I posted two days ago, that was what was installed, so it was the latest at that time.
Yes, the upload script is working fine. The file is blocked and I get error code 402, which is set in the configuration; I just do not get the warning message that the file was dropped.
On other servers where suhosin was installed from cPanel sources it seems to work fine.
Hello,
for me taking out "2>&1" from ufilter.c helped.
I used latest suhosin from Github (597ab68). PHP runs as CGI, I have tested 5.3.29, 5.4.32, 5.5.16 and 5.6.0.
My verification script executes another script:
#!/bin/sh
# suhosin passes the path of the uploaded file as the first argument
file="$1"
# run maldet against the file and capture its stdout
CHECK=`/opt/maldetect/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file"`
# print 1 to allow the upload, 0 to have it dropped
if [ "$CHECK" = "1 maldet: OK" ]; then
echo 1;
else
echo 0;
fi
With "2>&1" I always get "fileupload verification script disallows file - file dropped".
If I use
#!/bin/sh
echo 1;
as verification script it worked with "2>&1".
Well, my guess is that maldet outputs something to stderr which disturbs your checking script's logic in case stderr is redirected to stdout by 2>&1.
I thought that too. If I execute the commands as root on console, I do not get different outputs with or without "2>&1". I tried to exec() both (script and maldet) in PHP, no difference.
I edited the upload check script to log to a file. maldet was executed and gave a positive result, but suhosin still logged that the upload script disallowed the file.
...
if [ "$CHECK" = "1 maldet: OK" ]; then
echo 1;
echo "OKOKOK" >> /tmp/up.log
else
echo 0;
fi
In my log I found "OKOKOK" but the file upload was disallowed.
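The failure mode discussed above (a scanner writing to stderr while the caller appends "2>&1", so the verdict suhosin reads is no longer a bare "1") can be reproduced and avoided with the following script. This is an added example, not code from the suhosin project or from any commenter; the scanner is a constructed stand-in for maldet that deliberately chatters on stderr, and UPLOAD_LOG is an assumed environment variable for where scanner diagnostics should go.

```sh
#!/bin/sh
# Added example, not from the suhosin project or any commenter in this thread.
# Upload verification script whose stdout is always exactly "1" (allow) or
# "0" (drop), even when the scanner it calls writes warnings to stderr.
# Per the thread, suhosin runs the script with "2>&1" appended, so any stderr
# output becomes part of what suhosin compares against "1".

# Constructed stand-in for a real scanner (e.g. maldet): it chatters on stderr
# and reports a hit when the file contains a marker string. Replace the body
# with the real scanner invocation; keep the stdout contract.
scan_file() {
    echo "scanner: scanning $1" >&2            # noise on stderr, like a real tool
    if grep -q 'CONSTRUCTED-MALICIOUS-MARKER' "$1" 2>/dev/null; then
        echo "1 scanner: HIT"
    else
        echo "1 scanner: OK"
    fi
}

# The pattern from the thread: the scanner's stderr is left alone, so when the
# caller merges stderr into stdout the verdict is no longer a bare "1".
naive_verify() {
    CHECK=$(scan_file "$1")
    if [ "$CHECK" = "1 scanner: OK" ]; then echo 1; else echo 0; fi
}

# Hardened version: fail closed on a missing or unreadable file, and route the
# scanner's stderr to a log file (UPLOAD_LOG, assumed env var) or /dev/null so
# that stdout carries only the verdict.
verify_upload() {
    file="$1"
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo 0
        return 0
    fi
    result=$(scan_file "$file" 2>>"${UPLOAD_LOG:-/dev/null}")
    if [ "$result" = "1 scanner: OK" ]; then
        echo 1
    else
        echo 0
    fi
}

# Reproduce how suhosin invokes the script: stdout and stderr merged.
# First argument is the verifier function, second is the file path.
as_suhosin_sees_it() {
    "$1" "$2" 2>&1
}

# Entry point when suhosin executes this file with the upload path as $1.
if [ $# -gt 0 ]; then
    verify_upload "$1"
fi
```

Run against a harmless file, `as_suhosin_sees_it naive_verify FILE` returns the scanner's stderr line followed by "1", which suhosin rejects, while `as_suhosin_sees_it verify_upload FILE` returns exactly "1". Point suhosin.upload.verification_script at the file and set UPLOAD_LOG if you want the scanner's diagnostics kept rather than discarded.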