Mailing List Archive: Wikipedia: Wikitech

New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension)



mail at tgries

Feb 16, 2012, 3:54 PM

Post #1 of 7 (422 views)
New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension)

For the Hardenend-PHP versions with Suhosin extension,

I wrote a tiny extension https://www.mediawiki.org/wiki/Extension:Suhosin
which is easier to link into LocalSettings for those who need it.

Basically, after some checks, it sets
$wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));

Please check that version for unintended side-effects; I hope there are
none.
Tom

[1] https://www.mediawiki.org/wiki/Extension:Suhosin
[2]
https://www.mediawiki.org/wiki/Manual:Suhosin_%28Hardened-PHP_Project_patch_and_extension%29
Attachments: signature.asc (0.48 KB)


gicodewarrior at gmail

Feb 16, 2012, 4:38 PM

Post #2 of 7 (391 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries <mail [at] tgries> wrote:
> Basically, after some checks, it sets
> $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));

That doesn't look right.
http://www.hardened-php.net/suhosin/configuration.html#suhosin.get.max_name_length

suhosin.get.max_name_length defaults to 64 because that is only
testing the length of a single key in the URL.

There doesn't appear to be a straightforward mapping between Suhosin
config and $wgResourceLoaderMaxQueryLength.

For example, this calculation appears to produce the maximum query
string length (including the ?).
suhosin.get.max_vars * (suhosin.get.max_totalname_length +
suhosin.get.max_value_length + 1) + suhosin.get.max_vars

However, all likely occurrences of query strings at that length will
fail the Suhosin filters (because there will be many more, smaller
keys/values).

In any case, 64 as a limit for $wgResourceLoaderMaxQueryLength seems
much too small.

~Rusty

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


mail at tgries

Feb 16, 2012, 4:41 PM

Post #3 of 7 (388 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

On 17.02.2012 01:38, Rusty Burchfield wrote:
> On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries <mail [at] tgries> wrote:
>> Basically, after some checks, it sets
>> $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
>
I corrected that already, it must be suhosin.get.max_value_length .
Attachments: signature.asc (0.48 KB)


gicodewarrior at gmail

Feb 16, 2012, 4:52 PM

Post #4 of 7 (385 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

On Thu, Feb 16, 2012 at 4:41 PM, Thomas Gries <mail [at] tgries> wrote:
> Am 17.02.2012 01:38, schrieb Rusty Burchfield:
>> On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries <mail [at] tgries> wrote:
>>> Basically, after some checks, it sets
>>> $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
>>
> I corrected that already, it must be suhosin.get.max_value_length .

I don't believe that is correct either.

This is what "name" and "value" represent to Suhosin.
http://example.com/?name1=value1&name2=value2

In this example, both values are 6 characters long, and the entire
query string is 26 characters.

ResourceLoader uses many names and values in each URL. As long as
individual names and values are under the configured limits, the URL
is OK. However, $wgResourceLoaderMaxQueryLength limits the *total*
length of *all* names and values.

~Rusty

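The two points Rusty makes above (the arithmetic upper bound in post #2, and the name/value semantics in post #4) can be checked concretely. The following is an added example written for this thread; it is not code from Extension:Suhosin, MediaWiki or Suhosin itself. It models only the four Suhosin GET limits the thread names (max_vars, max_name_length, max_totalname_length, max_value_length) and ignores Suhosin's array-depth and array-index limits; the limit values are constructed samples, since the thread only states the 64 default for suhosin.get.max_name_length, and the ResourceLoader-style URL is constructed to have the shape the thread is about (a few short keys and one long comma-separated "modules" value).

```python
"""Compare Suhosin's per-variable GET limits with the single total-length
figure that $wgResourceLoaderMaxQueryLength expresses.

Added example for this thread, not code from Extension:Suhosin, MediaWiki
or Suhosin.  Limit values are constructed samples; only the 64 default for
suhosin.get.max_name_length is stated in the thread.
"""

# Constructed sample limits, keyed like the php.ini settings.
SAMPLE_LIMITS = {
    "suhosin.get.max_vars": 100,
    "suhosin.get.max_name_length": 64,
    "suhosin.get.max_totalname_length": 256,
    "suhosin.get.max_value_length": 512,
}


def rusty_upper_bound(limits):
    """Arithmetic maximum query length from Rusty's post, including the '?':
    max_vars * (max_totalname_length + max_value_length + 1) + max_vars.
    The '+ 1' is the '=' in each pair; the trailing '+ max_vars' counts the
    '?' plus the '&' separators."""
    mv = limits["suhosin.get.max_vars"]
    per_pair = (limits["suhosin.get.max_totalname_length"]
                + limits["suhosin.get.max_value_length"] + 1)
    return mv * per_pair + mv


def check_query(query, limits):
    """Apply the per-variable limits to a raw (still percent-encoded) query
    string.  Returns a list of violation strings; an empty list passes.
    Simplification: max_name_length is applied to the part before the first
    '[' and max_totalname_length to the whole name."""
    body = query[1:] if query.startswith("?") else query
    pairs = body.split("&") if body else []
    violations = []
    if len(pairs) > limits["suhosin.get.max_vars"]:
        violations.append(f"{len(pairs)} variables > max_vars")
    for pair in pairs:
        name, _, value = pair.partition("=")
        base = name.split("[", 1)[0]  # 'a' in 'a[b][c]'
        if len(base) > limits["suhosin.get.max_name_length"]:
            violations.append(f"name {base[:12]!r}... > max_name_length")
        if len(name) > limits["suhosin.get.max_totalname_length"]:
            violations.append(f"full name {name[:12]!r}... > max_totalname_length")
        if len(value) > limits["suhosin.get.max_value_length"]:
            violations.append(
                f"value of {name!r} ({len(value)} chars) > max_value_length")
    return violations


def build_query(pairs):
    """Join (name, value) pairs into a raw query string with a leading '?'."""
    return "?" + "&".join(f"{n}={v}" for n, v in pairs)


def query_at_upper_bound(limits):
    """Constructed query sitting exactly at rusty_upper_bound(): max_vars
    pairs, each name at max_totalname_length (base part within
    max_name_length) and each value at max_value_length.  It passes every
    per-variable limit, so the bound is attainable, but only with this
    unrealistic shape."""
    base_len = limits["suhosin.get.max_name_length"]
    total_len = limits["suhosin.get.max_totalname_length"]
    name = "n" * base_len + "[" + "i" * (total_len - base_len - 2) + "]"
    value = "v" * limits["suhosin.get.max_value_length"]
    return build_query([(name, value)] * limits["suhosin.get.max_vars"])


def realistic_resourceloader_query(module_count):
    """Constructed ResourceLoader-style URL: a handful of short keys and one
    long comma-separated 'modules' value.  Module names are made up."""
    modules = ",".join(f"ext.constructedModule{i}" for i in range(module_count))
    return build_query([("modules", modules), ("lang", "en"),
                        ("skin", "vector"), ("only", "scripts"),
                        ("version", "20120216T000000Z")])


if __name__ == "__main__":
    bound = rusty_upper_bound(SAMPLE_LIMITS)
    print("upper bound from the formula:", bound)
    print("bound-shaped query passes?:",
          check_query(query_at_upper_bound(SAMPLE_LIMITS), SAMPLE_LIMITS) == [])
    rl = realistic_resourceloader_query(30)
    print("realistic query length:", len(rl), "violations:",
          check_query(rl, SAMPLE_LIMITS))
```

With the sample limits the formula gives 77000, and a query built to that shape passes the per-variable checks. A ResourceLoader-style query with 30 modules is only 776 characters, far below that figure, yet fails because its single "modules" value exceeds max_value_length. That is the mismatch Rusty describes: $wgResourceLoaderMaxQueryLength caps the total, while Suhosin rejects on the longest individual value, so no single number derived from the Suhosin settings reproduces its behaviour.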


mail at tgries

Feb 16, 2012, 5:09 PM

Post #5 of 7 (387 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

Hello,
the extension has been also published with the intention that those who
feel competent improve it.
Attachments: signature.asc (0.48 KB)


mail at tgries

Feb 18, 2012, 10:12 AM

Post #6 of 7 (387 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

Regarding my extension for dynamic adaptation of

$wgResourceLoaderMaxQueryLength in accordance with the current suhosin parameters in php.ini

it is correct to assume such a format

http://example.com/?name1=value1&name2=value2&name3=value3


i.e. $wgResourceLoaderMaxQueryLength
= the max. total length of query stream =

( (max. length of names) + (max. length of values) + 2 ) * ( max. number of name/value pairs )

Rusty wrote $wgResourceLoaderMaxQueryLength limits the *total* length of *all* names and values.


Can you confirm?
Attachments: signature.asc (0.48 KB)


gicodewarrior at gmail

Feb 18, 2012, 7:19 PM

Post #7 of 7 (376 views)
Re: New Extension in SVN: Suhosin (for the Hardened-PHP versions with Suhosin extension) [In reply to]

On Sat, Feb 18, 2012 at 10:12 AM, Thomas Gries <mail [at] tgries> wrote:
> Can you confirm ?

I think the real problem is that $wgResourceLoaderMaxQueryLength is
insufficient for the configuration you desire. It only loosely
correlates with the problem it seems intended to resolve.

Assuming both the number of key/value pairs and the length of each key
resource loader uses is bounded and small, a new configuration
variable to control the maximum value length would be useful for your
purposes.

~Rusty

