Suhosin upload verification script about suhosin HOT 13 OPEN

I will be looking into it this weekend.

from suhosin.

How did it go? I got several new reports about the problem, however I wouldn't like to remove suhosin from the project because of that.

from suhosin.

current git version should fix the problem

from suhosin.

Great, thanks! Would it be possible to have a setting which would not drop the files if "upload verification script" does not exist or is not executable?

from suhosin.

It seems to be a bad idea to not drop files if there is a problem with the script. It is best to default to otherwise people might never realize that their filter script is not working.

from suhosin.

Yes, but the same could be said from the other point of view: if configuration line is still added to php.ini, but user accidentally removed the file or just transferred the php.ini file from his other server, his customers should call and notify him that all of the files are dropped. Another scenario: a client adds upload verification line to php.ini, but makes a typo, and leaves his huge web hosting server to work. That really wouldn't increase the reputation of the hosting company. In web hosting sphere that means less stability. I am not asking to change the defaults, I just say it would be great to have an ability to change the setting's behavior. Or, if suhosin has an ability to do that, just show a PHP Notice in case it's not possible to use the upload script, but not to drop the files. Thank you for understanding.

from suhosin.

I had installed suhosin on two servers with cpanel. The issue seem that when the upload verification script does not allow uploaded file there is no message in /var/log/messages and neither in error_log files in user home directory.
I do not know if is a suhosin problem or a cpanel enviroment problem.
On those two servers we use the latest suhosin but on other server for example we use the suhosin provided by cpanel ( v0.9.33) and there seem to work well.

Any ideea ?

from suhosin.

@TempleNode: Please provide additional information: PHP versions and variants (e.g. CGI, mod_php,....), Suhosin-Configuration (in particular suhosin.log.* ), verification script. Does Suhosin usually log to /var/log/messages on that server? Is your verification script working properly? Maybe you do not have the suhosin patch, but try to use constants such as S_ALL with suhosin.log.*?

from suhosin.

It is also important to know what you mean by "latest" Suhosin. Only a github checkout gives you the "fixed" version at the moment.

from suhosin.

PHP 5.4.31 (cgi-fcgi) (built: Aug 17 2014 19:40:53)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with XCache v3.1.0, Copyright (c) 2005-2013, by mOo
with the ionCube PHP Loader v4.6.1, Copyright (c) 2002-2014, by ionCube Ltd.
with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo
with Suhosin v0.9.37-dev, Copyright (c) 2007-2014, by SektionEins GmbH

I had tried different configuration even to create a separate files where to log those alerts. When i had posted two days ago than was installed so it was the latest in that time.

Yes upload script working fine. The file is blocked i get errro code 402 which is set in configuration just i do not get warning message that file was droped.

On other servers when suhosin was installed from cpanel sources seem to work fine.

from suhosin.

Hello,

for me taking out "2>&1" from ufilter.c helped.

I used latest suhosin from Github (597ab68). PHP runs as CGI, I have tested 5.3.29, 5.4.32, 5.5.16 and 5.6.0.

My verification script executes another script:

#!/bin/sh

file="$1"

CHECK=`/opt/maldetect/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file"`
if [ "$CHECK" = "1 maldet: OK" ]; then
        echo 1;
else
        echo 0;
fi

With "2>&1" I always get "fileupload verification script disallows file - file dropped".

If I use

#!/bin/sh
echo 1;

as verification script it worked with "2>&1".

from suhosin.

Well my guess is that maldet outputs something to stderr which disturbs your checking script's logic in case stderr is redirected to stdout by 2>&1

from suhosin.

I thought that too. If I execute the commands as root on console, I do not get different outputs with or without "2>&1". I tried to exec() both (script and maldet) in PHP, no difference.

I edited the uploadcheck script to log to a file. maldet was executed and gave a positive result, but although suhosin logged that the uploadscript disallowed the file.

...
if [ "$CHECK" = "1 maldet: OK" ]; then
        echo 1;
        echo "OKOKOK" >> /tmp/up.log
else
        echo 0;
fi

In my log I found "OKOKOK" but the file upload was disallowed.

from suhosin.