[horde] strange errors in horde-log

Michael M Slusarz slusarz at horde.org
Fri May 20 16:54:52 UTC 2011


Quoting Vilius Šumskas <vilius at lnk.lt>:

>> Am 20.05.2011 11:00, schrieb Vilius Šumskas:
>> >> Am 20.05.2011 10:35, schrieb Ronan SALMON:
>> >>> Michael M Slusarz <slusarz at horde.org> a écrit :
>> >>>
>> >>>> I really hope this is not another thing that suhosin breaks.
>> >>>
>> >>> Although it is specified in docs files, you probably could add a suhosin
>> >> detection script in the test.php files
>> >>> (and/or the horde/admin/config pages) and display some kind of
>> warning.
>> >> It should then help a lot admins that
>> >>> didn't read carefully the docs files or didn't even know that  
>> they had the
>> >> suhosin extension enabled.
>> >>
>> >> instead of forcing admins to exclude an application from security-
>> extensions
>> >> the application has to be developed/tested against suhosin since this is
>> >> not a exotic extension
>> >>
>> >> H3 has/had no problems with suhosin also not with mod_security (except
>> >> mail-send)
>> >> and if H4 has problems here something went wrong
>> >
>> > It is not exotic, bad it's amateur and badly written.
>>
>> who is saying this?
>> you?
>
> No. Core PHP team. It was one of the main reasons why it wasn't  
> accepted into PHP core in the first place. But that's not really the  
> topic of this thread.
>
> Considering the amount of questions we have on the list regarding  
> broken PHP installations I support showing notices in test.php  
> regarding suhosin.

Agreed that suhosin has all sorts of problems.  When it doesn't let  
you do things that are *explicitly* part of the the HTTP specs, for  
example, no amount of argument is going to convince me otherwise.  
(According to suhosin, the null character is a security threat.   
What?!?!  That is one of the worst assumptions I have ever seen.)

Anybody can create "security patches" that simply disable large chunks  
of PHP.  Congratulations.  That's just sloppy/bad coding at best.

That being said, IMP 5.1 will try to work around this brokenness when  
it comes to accessing search mailboxes.  And for the above - I don't  
know that this is something that suhosin is causing or not.  It was  
just a guess.  But given that one issue will be going away, and one  
has not been conclusively proven to cause the issue, not sure if an  
explicit warning is necessary.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]



More information about the horde mailing list