TrogloGeek / prestashop-tggatos-module

TggAtos Module for Prestashop (1.4 to 1.7), ATOS SIPS 6xx payment gateway

Bypass suhosin maximum length for GET requests #6

Closed emily-d closed 11 years ago

emily-d commented 11 years ago

When using suhosin's default `suhosin.get.max_value_length` and the NO_RESPONSE_PAGE option, the order won't be processed and the user will be redirected to the history page.

We can either alert the webmaster in the back office that `suhosin.get.max_value_length` is too low, or we can bypass suhosin altogether with this fix:

```php
// modules/tggatos/controllers/front/userreturn.php
$message = Tools::getValue('DATA');
// Suhosin maximum length for GET requests (suhosin.get.max_value_length) is 512 long by default, this is too
// small for ATOS response (1000 or more), so the response will be empty
// "We can bypass suhosin by re-building the $_GET", see http://stackoverflow.com/questions/12718609/how-to-override-suhosin-max-value for reference.
if (empty($message) && (ini_get('suhosin.get.max_value_length') == '512'))
{
    $_GET = array();
    $params = explode('&', $_SERVER['QUERY_STRING']);
    foreach ($params as $pair) {
        if ($pair === '') {
            continue; // skip empty segments such as a trailing '&'
        }
        // limit to 2 parts so a '=' inside the value is not lost
        $parts = explode('=', $pair, 2);
        $key = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $_GET[$key] = $value;
    }
    $message = Tools::getValue('DATA');
}
```

TrogloGeek commented 11 years ago

Such a reconstruction of the `$_GET` array is kind of a bad idea, as it is unfiltered. It could lead to security breaches. Moreover, `(ini_get('suhosin.get.max_value_length') == '512')` should be replaced by something like `(ini_get('suhosin.get.max_value_length') < strlen($_SERVER['QUERY_STRING']))`.

But you're right about one thing: low suhosin limitations should be tracked for the get, post and request filters and alerted in the module's back office, and logged with high severity in a front-office context.

FYI, if security filters ain't gonna be added in this solution, I think using `parse_str` would lead to a more compact and readable solution than manual parsing.
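The following is an added example, not code from the module or from either commenter, showing how the two points raised above fit together: compare the configured suhosin limit against the actual query-string length instead of a hard-coded `512`, parse with `parse_str` into a local array rather than overwriting `$_GET`, recover only the one expected key, and log loudly when a limit is too low. The function names, the `4096` length cap, the character whitelist for `DATA` and the use of `error_log()` for the high-severity log are assumptions made for the example; `Tools::getValue()` is assumed to return `false` when the key is absent, as in Prestashop.

```php
<?php
// Added example (not the module's code). Names and limits below are assumptions.

/**
 * Returns a suhosin limit as an integer, or null when suhosin is not loaded
 * or the directive is not set (ini_get returns false / '').
 */
function tggatos_suhosin_limit($ini_key)
{
    $value = ini_get($ini_key);
    if ($value === false || $value === '') {
        return null;
    }
    return (int) $value;
}

/**
 * Checks the get, post and request value-length filters against the length
 * the gateway response needs. Returns the directives that are too low
 * (empty array means all limits are sufficient), for the back-office alert.
 */
function tggatos_low_suhosin_limits($required_length)
{
    $directives = array(
        'suhosin.get.max_value_length',
        'suhosin.post.max_value_length',
        'suhosin.request.max_value_length',
    );
    $too_low = array();
    foreach ($directives as $directive) {
        $limit = tggatos_suhosin_limit($directive);
        if ($limit !== null && $limit < $required_length) {
            $too_low[$directive] = $limit;
        }
    }
    return $too_low;
}

/**
 * Recovers one whitelisted parameter from the raw query string without
 * touching $_GET. parse_str fills a local array; the value is accepted only
 * if it passes a conservative whitelist and a length cap. Returns null otherwise.
 */
function tggatos_recover_query_param($query_string, $name, $max_length = 4096)
{
    if (!is_string($query_string) || strlen($query_string) > $max_length) {
        return null; // refuse oversized input outright
    }
    $params = array();
    parse_str($query_string, $params); // local array, never $_GET
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    $value = $params[$name];
    // Assumption: the gateway token contains no whitespace or control characters.
    // Tighten this alphabet to what the gateway's documentation actually allows.
    if (!preg_match('/^[A-Za-z0-9+\/=_\-.]+$/', $value)) {
        return null;
    }
    return $value;
}

/**
 * Front-controller helper: use the normal filtered accessor first; only when
 * DATA is empty and the configured limit is really shorter than the query
 * string, log with high severity and recover the single expected key.
 */
function tggatos_get_data_param()
{
    $message = Tools::getValue('DATA');
    if ($message !== false && $message !== '') {
        return $message;
    }
    $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $limit = tggatos_suhosin_limit('suhosin.get.max_value_length');
    if ($limit === null || strlen($query) <= $limit) {
        return false; // DATA is genuinely absent; suhosin is not the cause
    }
    // Assumption: error_log stands in for the module's own high-severity logger.
    error_log(sprintf(
        'tggatos: suhosin.get.max_value_length=%d is below query length %d; DATA dropped',
        $limit, strlen($query)
    ));
    $recovered = tggatos_recover_query_param($query, 'DATA');
    return $recovered === null ? false : $recovered;
}
```

Only `DATA` is taken from the reparsed string; every other key still goes through Prestashop's filtered `Tools::getValue()`, so the unfiltered-`$_GET` concern does not reappear, and `tggatos_low_suhosin_limits()` gives the back office a single call to check all three filters.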