Closed emily-d closed 11 years ago
Such a reconstruction of the `$_GET` array is kind of a bad idea as it is unfiltered. It could lead to security breaches. Moreover, `(ini_get('suhosin.get.max_value_length') == '512')` should be replaced by something like `(ini_get('suhosin.get.max_value_length') < strlen($_SERVER['QUERY_STRING']))`.
But you're right about one thing: low suhosin limitations should be tracked for get, post and request filters and alerted in the module's back office, logged with high severity in front-office context.
FYI, if security filters ain't gonna be added in this solution, I think using `parse_str` would lead to a more compact and readable solution than manual parsing.
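As an added illustration of the two points raised above (it is not code from this thread or from the module under discussion), the following PHP shows how a module could detect a `suhosin.get.max_value_length` setting that would truncate an incoming GET value, so the condition can be logged and surfaced in the back office, and how to rebuild only the expected parameters from the raw query string with `parse_str` plus explicit `filter_var` validation instead of an unfiltered manual reconstruction. The parameter names (`order_id`, `signature`), the validation rules, the sample query string and the `error_log` call are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Names, filters and the sample query
// string below are constructed for illustration.

/**
 * Returns the configured suhosin.get.max_value_length, or null when Suhosin
 * is not loaded (ini_get() returns false for an unknown directive).
 */
function suhosin_get_value_limit(): ?int
{
    $raw = ini_get('suhosin.get.max_value_length');
    if ($raw === false || $raw === '') {
        return null;
    }
    return (int) $raw;
}

/**
 * Parses the raw query string and returns the names of parameters whose
 * decoded value exceeds the per-value limit. The check is per value, because
 * the directive limits each GET value, not the whole query string.
 */
function suhosin_oversized_get_params(string $queryString, ?int $limit): array
{
    if ($limit === null) {
        return [];
    }
    $parsed = [];
    parse_str($queryString, $parsed);
    $oversized = [];
    foreach ($parsed as $name => $value) {
        if (is_string($value) && strlen($value) > $limit) {
            $oversized[] = (string) $name;
        }
    }
    return $oversized;
}

/**
 * Rebuilds only the parameters the module expects from the raw query string.
 * $expected maps a parameter name to [filter constant, filter options].
 * Unknown keys are ignored; values failing validation are reported, not used.
 */
function rebuild_expected_get(string $queryString, array $expected): array
{
    $parsed = [];
    parse_str($queryString, $parsed);
    $clean = [];
    $rejected = [];
    foreach ($expected as $name => [$filter, $options]) {
        if (!array_key_exists($name, $parsed) || !is_string($parsed[$name])) {
            continue;
        }
        $value = filter_var($parsed[$name], $filter, $options);
        if ($value === false) {
            $rejected[] = $name;
            continue;
        }
        $clean[$name] = $value;
    }
    return ['params' => $clean, 'rejected' => $rejected];
}

// Constructed sample: a 600-byte hex "signature" (longer than the 512-byte
// Suhosin default) plus an unexpected key that must be ignored.
$query = 'order_id=1234&signature=' . str_repeat('a', 600) . '&debug=%3Cscript%3E';
$limit = suhosin_get_value_limit();

$oversized = suhosin_oversized_get_params($query, $limit);
if ($oversized !== []) {
    // Hypothetical alerting hook: in a real module this would feed the
    // back-office warning and the high-severity front-office log entry.
    error_log('suhosin.get.max_value_length=' . $limit
        . ' would truncate: ' . implode(', ', $oversized));
}

$result = rebuild_expected_get($query, [
    'order_id'  => [FILTER_VALIDATE_INT, []],
    'signature' => [FILTER_VALIDATE_REGEXP,
                    ['options' => ['regexp' => '/^[a-f0-9]{1,1024}$/']]],
]);

// $result['params'] holds only validated order_id and signature;
// the 'debug' key never reaches the module.
var_dump($result);
```

Reading `$_SERVER['QUERY_STRING']` bypasses Suhosin's truncation of `$_GET` in the same way the original workaround does, but because every value has to pass a named filter before it is used, the rebuilt array is no longer the unfiltered copy the comment above objects to; the oversized-value report gives the back office the signal that the limit is too low without silently disabling the protection.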
When using the default `suhosin.get.max_value_length` and the `NO_RESPONSE_PAGE` option, the order won't be processed and the user will be redirected to the history page.
We can either alert the webmaster in the back office that `suhosin.get.max_value_length` is too low, or we can bypass Suhosin altogether with this fix: