
Using Suhosin to Strengthen the Security of the PHP Scripting Language

<a href="http://www.hardened-php.net/suhosin/">http://www.hardened-php.net/suhosin/</a>

Suhosin is a transliteration of a Korean word meaning roughly "guardian angel", but do not mistake Hardened-PHP for a Korean group: it is a project run jointly by three well-known PHP security experts and PHP core developers.

Suhosin consists of two parts. The first is a patch to the PHP core that provides low-level protection, for example against buffer overflows. The second is a PHP extension module that provides a number of protection features, including:

Automatic encryption/decryption of cookies

Allowing the /e modifier of preg_replace() to be disabled

Allowing eval() to be disabled

Preventing infinite recursion by limiting the function call nesting depth

Preventing applications from changing memory_limit

Protecting mail() against "newline attacks"

Protecting preg_replace() against "\0 attacks"

Automatic encryption/decryption of session data

Protecting sessions against hijacking

Filtering out any user-submitted data that uses sensitive names such as GLOBALS, _GET or _COOKIE

Allowing upper limits to be set on the number and length of user-submitted variables

Automatically blocking uploaded files that could be executed on the server

<a href="http://blog.m6699.com/diomedea/article/29073.html">http://blog.m6699.com/diomedea/article/29073.html</a>

<a href="http://www.93198.com/Article/wl/Php/3707.html">http://www.93198.com/Article/wl/Php/3707.html</a>

<a href="http://www.jefflei.com/post/295.html">http://www.jefflei.com/post/295.html</a>

<a href="http://clyang.net/blog/2009/02/09/177">When Apache's error log shows "configured request variable name length limit exceeded"</a>

While writing Picasa2Wordpress, I ran into a strange problem during testing: it ran on every machine I had access to except one. After checking the apache2 log I found it was the PHP suhosin module: by default the maximum POST and GET variable name length is only 64 characters, but the names Picasa POSTs are far longer than that, so the variables were being blocked.

The fix is simple: edit /etc/php5/apache2/conf.d/suhosin.ini and add the following three lines:

suhosin.request.max_varname_length=128
suhosin.get.max_name_length=128
suhosin.post.max_name_length=128

Done.
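As an added example (not from the original post and not part of Suhosin itself), the following POSIX shell helper applies the three limits above to a suhosin.ini file idempotently: an existing or commented-out entry is replaced in place rather than duplicated, a missing one is appended, and the values are read back for verification. The sample file contents, the `extension=suhosin.so` line and the 64-character defaults are constructed for the demo; on a real server point `apply_limits` at the path given above and restart Apache afterwards.

```shell
#!/bin/sh
# Added example: set Suhosin request-name length limits in a suhosin.ini idempotently.
# Assumes the usual "key = value" ini syntax, with ";" marking a commented-out line.
set -eu

# set_ini_key FILE KEY VALUE
# Replaces an existing "KEY=..." or ";KEY=..." line, or appends "KEY=VALUE" if absent.
set_ini_key() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Edit via a temp file: "sed -i" differs between GNU and BSD sed.
        tmp="${file}.tmp.$$"
        sed -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_key FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is not set.
get_ini_key() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# apply_limits FILE [LIMIT]
# Sets the three name-length limits from the post to LIMIT (default 128).
# Keep LIMIT as small as the application actually needs: it bounds what a
# client can push into PHP's request parser.
apply_limits() {
    for key in suhosin.request.max_varname_length \
               suhosin.get.max_name_length \
               suhosin.post.max_name_length; do
        set_ini_key "$1" "$key" "${2:-128}"
    done
}

# Demo on a constructed suhosin.ini (one limit set, one commented out, one missing).
demo() {
    ini=$(mktemp)
    printf '%s\n' 'extension=suhosin.so' \
                  'suhosin.request.max_varname_length = 64' \
                  ';suhosin.get.max_name_length = 64' > "$ini"
    apply_limits "$ini" 128
    echo "resulting $ini:"
    cat "$ini"
    rm -f "$ini"
}
demo
```

Running `apply_limits` twice leaves the file unchanged, so the helper is safe to keep in a provisioning script; check the values afterwards with `php -i | grep max_name_length` once Apache has been restarted.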

<a href="http://advosys.ca/papers/web/62-php-hardening-suhosin.html">http://advosys.ca/papers/web/62-php-hardening-suhosin.html</a>

I never had a problem with it before. I've seen it strip variables and prevent server requests in the log files and it always seemed to help. Last night I ran into something annoying: Suhosin limits the character length for any request variable. It doesn't truncate the value as you might expect, it drops the variable completely.

The Fix

Quote:

Defines the maximum length of a variable that is registered through a POST request.

The default character limit is 65,000.

Method 1: Obviously, you can just disable Suhosin to fix the problem. Remove the suhosin.o file from your php.ini config file and restart Apache.

Method 2: You probably want to keep Suhosin around so a different approach is to edit the configuration file. The file is named suhosin.ini, following the PHP ini configuration system. I added these lines:

Code:

Restart apache.

Method 3: Alternatively, you can change these values per user using .htaccess. Edit the .htaccess file in the user directory and set the parameters to what you want. Here is an example:

Conclusion

I hope this helps you if you ever run into the same situation. Perhaps it will save you some time. I know if there had been a post labeled "PHP POST character limit" that had been indexed by Google, I would have saved an hour of my time. Alas, there isn't, so I'm making one.
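Both posts above found the problem only after reading the Apache error log, because Suhosin drops an over-long variable silently rather than truncating it. As an added example (not from either post and not part of Suhosin), the shell snippet below triages such log lines: it groups alerts by reason, lists the variable names the application never received, and reports the longest dropped name, which is the smallest `max_name_length` that would have let that traffic through. The log excerpt is constructed; the line layout assumed is `ALERT - <reason> - dropped variable '<name>' (attacker '<ip>', file '<script>')`, built around the message quoted in the title above.

```shell
#!/bin/sh
# Added example: triage Suhosin ALERT lines from an Apache error log.
# Assumed (constructed) format per line:
#   [date] [error] [client IP] ALERT - <reason> - dropped variable '<name>' (attacker '<ip>', file '<script>')
set -eu

# write_sample_log FILE: writes a constructed excerpt used by the demo and tests.
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Feb 09 10:12:01 2009] [error] [client 192.0.2.10] ALERT - configured request variable name length limit exceeded - dropped variable 'picasa_button_upload_file_description_for_album_entry_000000000001' (attacker '192.0.2.10', file '/var/www/wp/xmlrpc.php')
[Mon Feb 09 10:12:01 2009] [error] [client 192.0.2.10] ALERT - configured request variable name length limit exceeded - dropped variable 'picasa_button_upload_file_description_for_album_entry_000000000002' (attacker '192.0.2.10', file '/var/www/wp/xmlrpc.php')
[Mon Feb 09 10:30:44 2009] [error] [client 198.51.100.7] ALERT - configured POST variable value length limit exceeded - dropped variable 'comment' (attacker '198.51.100.7', file '/var/www/wp/wp-comments-post.php')
[Mon Feb 09 10:31:02 2009] [notice] caught SIGTERM, shutting down
EOF
}

# alert_reasons FILE: "COUNT REASON" per distinct alert reason, most frequent first.
alert_reasons() {
    sed -nE "s/.*ALERT - (.*) - dropped variable '.*/\1/p" "$1" \
        | sort | uniq -c | sort -rn | sed -E 's/^[[:space:]]+//'
}

# dropped_names FILE: names of the variables Suhosin dropped (the script never saw them).
dropped_names() {
    sed -nE "s/.*dropped variable '([^']*)'.*/\1/p" "$1"
}

# count_dropped FILE: number of dropped-variable alerts.
count_dropped() {
    dropped_names "$1" | wc -l | tr -d ' '
}

# longest_name_length FILE: length of the longest dropped name; a max_name_length
# at or above this value would have admitted every dropped variable.
longest_name_length() {
    dropped_names "$1" | awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# clients_by_alerts FILE: "COUNT IP" per client, to separate one chatty uploader
# from many sources hitting the limits.
clients_by_alerts() {
    sed -nE "s/.*\(attacker '([^']*)'.*/\1/p" "$1" \
        | sort | uniq -c | sort -rn | sed -E 's/^[[:space:]]+//'
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "alerts by reason:";   alert_reasons "$log"
    echo "dropped names:";      dropped_names "$log"
    echo "clients:";            clients_by_alerts "$log"
    echo "longest dropped name: $(longest_name_length "$log") chars"
    rm -f "$log"
}
demo
```

Run the functions against `/var/log/apache2/error.log` on a real server. A single client repeatedly tripping the name-length limit with recognisably application-shaped names (the Picasa case) argues for raising the limit just enough; many clients tripping value-length or other limits with arbitrary names is the behaviour the limit exists to stop, and the ini value should stay where it is.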