dehnavi / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

PHP security issue #316

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I got blocked by the datacenter firewall because of the script error (?) in 3.0.

php suhosin was activated

- because the php memory_limit option was set to a negative value (-1) in 
/admin/inc/thumb.php line 111 (commenting it out helps).

Is this still the case with 3.1?

Original issue reported on code.google.com by borislav...@gmail.com on 25 Apr 2012 at 12:22

GoogleCodeExporter commented 9 years ago
Yes this is a part of the thumb.php script, it sets memory to all available to 
perform image creation.

This is a security feature of the suhosin extension.
http://www.hardened-php.net/suhosin/configuration.html#suhosin.memory_limit

I guess this can be made a config option in the future, I don't think a limit 
of -1 is an optimal use.

Original comment by tablatronics on 25 Apr 2012 at 1:01

GoogleCodeExporter commented 9 years ago
Well, it should be addressed, I got pretty uncomfortable when I was upping a 
site, and it broke down. Maybe to add it to a readme file?

I don't know how suhosin / the thumb script works, but it might be that the 
script actually tried to take too much RAM, and not that the option -1 itself was 
the problem. When I was upping many smaller images, it worked OK.

What do you think?

Is there a better option I should put there?

Original comment by borislav...@gmail.com on 25 Apr 2012 at 1:24

GoogleCodeExporter commented 9 years ago
Ideally it would be the limit your host allows or the limit you expect you 
might need to resize images. 

It is typically set in your php ini config.

Suhosin is an external extension. If you have access to it, you can turn off 
this behavior. It is not typical behavior of php itself.

But I have to agree that ini overrides are kludgy, and should at least be set 
by users themselves in php.ini, by htaccess, or by the host, and then at an 
application level per config.

You can just keep upping it, the script usually will error out with the memory 
it tried to use when it fails.

Original comment by tablatronics on 25 Apr 2012 at 9:09
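The comment above suggests raising the limit only to what the resize is expected to need rather than to -1. The snippet below is an added example written for this thread, not code from thumb.php or from GetSimple: it estimates the memory a GD resize will need, raises memory_limit only that far and only up to a fixed cap, and checks whether the raise actually took effect (Suhosin's suhosin.memory_limit, or a host that disallows ini_set, can silently refuse it). The memory formula, the cap value and the function names are assumptions.

```php
<?php
// Added example (not thumb.php's own code). Instead of ini_set('memory_limit', '-1'),
// raise the limit only as far as the resize needs, bounded by $cap, and verify it.

/** Parse a php.ini shorthand size ("128M", "1G", "-1") into bytes; -1 means unlimited. */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

/** Heuristic estimate (assumption): source + destination bitmaps at 4 bytes per pixel, x1.5 margin. */
function estimate_resize_memory(int $srcW, int $srcH, int $dstW, int $dstH): int
{
    $pixels = ($srcW * $srcH) + ($dstW * $dstH);
    return (int) ceil($pixels * 4 * 1.5);
}

/**
 * Make sure memory_limit covers $needed extra bytes without exceeding $cap.
 * Returns false when the host (php.ini, Suhosin, disabled ini_set) will not allow it,
 * so the caller can refuse the resize cleanly instead of having the request killed.
 */
function ensure_memory_for_resize(int $needed, string $cap = '256M'): bool
{
    $needed += memory_get_usage(true);            // what the script already holds
    $current = ini_size_to_bytes((string) ini_get('memory_limit'));
    if ($current >= $needed) {
        return true;                              // already enough (or unlimited)
    }
    if ($needed > ini_size_to_bytes($cap)) {
        return false;                             // beyond our own ceiling, do not try
    }
    $target = (int) ceil($needed / (1024 * 1024)) . 'M';
    @ini_set('memory_limit', $target);            // may be refused by Suhosin or the host
    return ini_size_to_bytes((string) ini_get('memory_limit')) >= $needed;
}

// Usage, before imagecreatetruecolor()/imagecopyresampled():
// [$w, $h] = getimagesize($file);
// if (!ensure_memory_for_resize(estimate_resize_memory($w, $h, 150, 150))) {
//     exit('Image too large to resize within the configured memory limit.');
// }
```

Because the check runs before any bitmap is allocated, an oversized upload produces a readable error rather than the fatal "Allowed memory size exhausted" that the thread describes.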

GoogleCodeExporter commented 9 years ago
Thanks for your reply; I will try to play with it, however I doubt I will be 
able to do much, as it is a shared server with no php.ini access or custom 
functions.

The server guy commented out a line, and it works now.

Original comment by borislav...@gmail.com on 1 May 2012 at 8:38