sektioneins / suhosin

SUHOSIN [수호신] for PHP 5.x - The PHP security extension.
https://www.suhosin.org

suhosin should not restrict on cli access #110

Closed chrcoluk closed 8 years ago

chrcoluk commented 8 years ago

I think suhosin should only be used when php is loaded from the web, but not when php is run on cli called via cron. I respect this is my opinion so the request is to add a setting such as suhosin.cli.enable set to on or off by the administrator.

I assume this can be detected by this status "attacker 'REMOTE_ADDR not set"

bef commented 8 years ago

You can easily use PHP-CLI without Suhosin by omitting the extension=suhosin.so line in your php.ini. E.g. on Debian, the CLI version has its own configuration directory /etc/php5/cli.

chrcoluk commented 8 years ago

I tried that already; it was not present in the main php.ini but was present in the fpm container. Suhosin appears in phpinfo, but does nothing. Nothing blocked and nothing logged. It only works when in the main php.ini file.

I think the Debian situation of a dedicated ini file just for cli is unusual; that is not the default configuration for php when compiled from src.

Although you have given me an idea how to solve this now, as I assume you changing the tag to question means feature rejected. The answer, it would seem, is that one has to configure php so it has 2 .ini files, one just for cli and the normal one used for web.

bef commented 8 years ago

Correct. I don't see a reason why suhosin would need to be disabled when it does not have to be loaded in the first place for CLI execution.

Another solution would be to just wrap your php cli handler with a short shell script that does something like php-cli -n -c /etc/php-cli.ini "$@".

chrcoluk commented 8 years ago

I already set up fpm now to use a new php.ini, just appending -c /path/to/config to the start command. :)

Works fine, I just have to make sure I don't forget there is now a second ini file for it. Thanks also for the tip on the wrapper.
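
The two-ini arrangement this thread ends on (Suhosin loaded by the web/FPM ini, absent from the CLI ini) can drift unnoticed, so a small check helps. The script below is an added example, not code from the thread participants or the Suhosin project; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a two-ini PHP setup for Suhosin.

# loads_suhosin FILE: succeeds if FILE has an active extension=suhosin line.
# php.ini comments start with ';', so ";extension=suhosin.so" does not count.
loads_suhosin() {
    grep -Eq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?([^";]*/)?suhosin(\.so)?"?[[:space:]]*(;.*)?$' "$1"
}

# audit_split WEB_INI CLI_INI: returns 0 only when the web ini loads Suhosin
# and the CLI ini does not. Only the two named files are read; any extra
# scanned ini directory is outside this check.
audit_split() {
    web_ini=$1; cli_ini=$2; rc=0
    for f in "$web_ini" "$cli_ini"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    done
    if loads_suhosin "$web_ini"; then
        echo "ok:   $web_ini loads suhosin"
    else
        echo "FAIL: $web_ini does not load suhosin"; rc=1
    fi
    if loads_suhosin "$cli_ini"; then
        echo "FAIL: $cli_ini still loads suhosin"; rc=1
    else
        echo "ok:   $cli_ini does not load suhosin"
    fi
    return "$rc"
}

# demo: constructed sample files standing in for the web and CLI ini files.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '[PHP]' 'extension = suhosin.so' 'memory_limit = 128M' > "$d/php-fpm.ini"
    printf '%s\n' '[PHP]' ';extension=suhosin.so' 'memory_limit = -1' > "$d/php-cli.ini"
    audit_split "$d/php-fpm.ini" "$d/php-cli.ini"; status=$?
    rm -rf "$d"
    return "$status"
}

# Usage: sh audit.sh /path/to/web.ini /path/to/cli.ini  (no arguments: run demo)
if [ "$#" -eq 2 ]; then audit_split "$1" "$2"; else demo; fi
```

A non-zero exit means either the web ini no longer loads Suhosin or the CLI ini has started loading it, which makes the script usable as a cron or deployment check.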