UBB.Dev
Posted By: Ruben Rocha 7.5.9 suhosin check. - 02/02/2015 1:45 PM
The current release 7.5.9 has:
Code
    // suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
    if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
        if(ini_get("suhosin.get.max_value_length") <= 2048) {
            $suhosin = "You may experience issues with a blank configuration file if you continue, please see <a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues with suhosin</a>; this issue pertains to the settings of the suhosin module with your webhost. Your current suhousin length is: ". ini_get("suhosin.get.max_value_length") .".";
        } else {
            $suhosin = "";
        }
    }
So the way I read it, it only reads
suhosin.get.max_value_length.
If it is less than or equal to 2048, show a warning (add it to $suhosin).
If it is greater than 2048 then the $suhosin value is null.

Now I see Giz has a new enhanced release for this check.

But at UBB I think Jake's issue was well founded.
Probably the host removed suhosin as was quoted.

I guess I need to build a sandbox with a shared host account for 7.5.9 and +.
Posted By: Gizmo UBB.Threads Suhosin Check - 02/02/2015 1:45 PM
I've been hard at work on the Suhosin detection and a Suhosin Information display which will give the user data on what setting is recommended, what settings are being used, and what the default data is.

Data for recommendations is utilized as referenced from PHPMyAdmin's docs (I had to reference a big project).

A bug was also discovered with my initial check and will be updated in the next version (I used equal to or less than, rather than less than, in my test code and didn't get it updated).

If your webhost is running the recommended settings and you're still seeing the warning, you can fix this by editing admin/login.php
Find:
Code
    // suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
    if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
        if(ini_get("suhosin.get.max_value_length") <= 2048) {
            $suhosin = "You may experience issues with a blank configuration file if you continue, please see <a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues with suhosin</a>; this issue pertains to the settings of the suhosin module with your webhost. Your current suhousin length is: ". ini_get("suhosin.get.max_value_length") .".";
        } else {
            $suhosin = "";
        }
    }

Replace With
Code
    // suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
    if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
        if(ini_get("suhosin.get.max_value_length") < 2048) {
            $suhosintxt = "You may experience issues with a blank configuration file if you continue. Please see \"<a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues With Suhosin</a>\". This issue pertains to the settings of the suhosin module with your webhost.";
            $suhosinsize = ini_get("suhosin.get.max_value_length");
        } else {
            $suhosintxt = "";
            $suhosinsize = "";
        }
    }

The new check that I'm working on will check the following settings:
Quote
suhosin.get.max_value_length < 1024
suhosin.request.max_vars < 2048
suhosin.post.max_vars < 2048

Versus:
Quote
suhosin.get.max_value_length < 2048

For users with Suhosin installed, if you'd be interested in testing the new Suhosin check/info center PLEASE send me a PT or an email james[at]virtualnightclub[dot]net and I'll give you the latest set of coding (you must be running 7.5.8+ in order to use the new code).
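
The three-setting check described in the post above, as an added example that is not UBB.Threads code or the poster's script: it classifies each directive as unset, low or ok against the thresholds quoted in the post, and always returns a defined result even when the extension is absent. The function names, status labels and sample values are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not UBB.Threads code; names and status labels are hypothetical.
// Thresholds are the ones quoted in the post above.
const SUHOSIN_MINIMUMS = [
    'suhosin.get.max_value_length' => 1024,
    'suhosin.request.max_vars'     => 2048,
    'suhosin.post.max_vars'        => 2048,
];

// Classify one raw ini value as 'unset', 'low' (warn) or 'ok'.
function classify_setting($raw, int $minimum): string
{
    // ini_get() returns false for an unknown directive and '' for an empty one.
    if ($raw === false || $raw === null || $raw === '') {
        return 'unset';
    }
    return ((int) $raw < $minimum) ? 'low' : 'ok'; // ini values are strings
}

// Build a report from a map of directive => raw value.
function suhosin_report(array $values): array
{
    $report = [];
    foreach (SUHOSIN_MINIMUMS as $name => $minimum) {
        $raw = $values[$name] ?? false;
        $report[$name] = [
            'current' => $raw,
            'minimum' => $minimum,
            'status'  => classify_setting($raw, $minimum),
        ];
    }
    return $report;
}

// Read the live values; every directive reads as missing without the extension.
function read_live_values(): array
{
    $values = [];
    foreach (array_keys(SUHOSIN_MINIMUMS) as $name) {
        $values[$name] = extension_loaded('suhosin') ? ini_get($name) : false;
    }
    return $values;
}

// Constructed sample: one value too low, one exactly at the threshold, one missing.
$sample = ['suhosin.get.max_value_length' => '512', 'suhosin.request.max_vars' => '2048'];
foreach (suhosin_report($sample) as $name => $row) {
    echo $name, ': ', $row['status'], "\n";
}
```

Passing `read_live_values()` to `suhosin_report()` instead of the sample evaluates the server's actual configuration.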
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/02/2015 2:02 PM
Yeah, as noted in my OP, the check has an error, the equal can be removed in the check.

The check in a future build is enhanced and has a statistics page; you can test it from here. Once testing is done this archive will be removed.

Note that only users who have Suhosin installed need to test the checker; I've tested it all I can with dummy data.

Screen shots would be most appreciated of your display of the Suhosin Information page.
Posted By: Ruben Rocha Re: 7.5.9 suhosin check. - 02/18/2015 11:28 AM
Well, my suhosin value length is only 512.
I tried the fix you posted above in the 2nd post even though it is only 512 and the message does not appear at all now.

It all looks correct unless there is some phantom cr/lf in the code.

Anyway I will try your new enhanced version next.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/18/2015 2:57 PM
Hey Ruben; could I convince you to give me FTP access to your site to test this? I can only get so far without having suhosin installed on my server...
Posted By: Ruben Rocha Re: 7.5.9 suhosin check. - 02/18/2015 5:11 PM
Otay!
I did muddy up the login.php file a bit.
I have not tried your new enhanced version.
Check your PM.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/18/2015 6:34 PM
Ok, will try to get a look at it tonight, if not (just found out I have to do a presentation for Trey's school) definitely tomorrow.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/18/2015 7:04 PM
Ok, well, one, I love your password... Two, I've installed the full Suhosin script and found a few buggies.

As for your issue, I see you're well under the recommended values; go ahead and login to your forum and click the "Suhosin" link that now displays and let me know if anything is awry.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/18/2015 7:23 PM
BTW, with the new version, it'll ALWAYS show the warning IF:
suhosin.get.max_value_length < 1024
suhosin.request.max_vars < 2048
suhosin.post.max_vars < 2048

The higher number is good...
Posted By: Ruben Rocha Re: 7.5.9 suhosin check. - 02/19/2015 11:39 AM
My wife hates that password; I have several similar to that.

Looks okay.
But I have some questions/concerns.
First the message is the only indication on how to find the statistics.
And the hyperlink is only obvious when you hover over it.
Might be hard for people to find it.

Second on the statistics page I think it is a little busy with three columns.
Why not just display current and recommended?

Also maybe the colors should be different.
So they reflect a change is needed.
For example
Suhosin Status is green for default then red for current then green again for recommended. HUH???. I mean if suhosin is not installed we should not even be here. But why is it green on the default column and most of the others are red on the default column.

Now since my values are set below all the thresholds.
I don't know what is displayed when say some are met.
But I think the colors should indicate a needs attention like green for good and red for fail.

Anyway for a plus.
I think you went well above and beyond with the documentation and help guides for reference. A very nice touch for people that don't know what each value is for.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/19/2015 3:26 PM
Originally Posted by Ruben Rocha
First the message is the only indication on how to find the statistics.
And the hyperlink is only obvious when you hover over it.
Might be hard for people to find it.
Well, if it's not ON you don't need to get to the statistics page... In fact, if it's not on, the statistics page is pretty blank (see below). The link will stand out a lot more once the new CP is done.

Originally Posted by Ruben Rocha
Second on the statistics page I think it is a little busy with three columns.
Why not just display current and recommended?
IMHO, a recommendation and default column are required as this page is meant so that one can alert their host and show the extreme differences in what the default vs recommended values are.

Originally Posted by Ruben Rocha
Also maybe the colors should be different.
So they reflect a change is needed.
For example
Suhosin Status is green for default then red for current then green again for recommended. HUH???. I mean if suhosin is not installed we should not even be here. But why is it green on the default column and most of the others are red on the default column.
Green is commonly good, red is commonly bad, blue is commonly neutral; I really fail to see how it's hard to understand... The colors vary based on what values are where (in fact, so does some of the page text as well). They also will be a lot easier to identify with the new Control Panel changes.

Originally Posted by Ruben Rocha
Now since my values are set below all the thresholds.
I don't know what is displayed when say some are met.
But I think the colors should indicate a needs attention like green for good and red for fail.
As they do; there are three photos attached, one from your site Suhosin on with default vars (7.5.9), one with the Suhosin override on which shows a-ok as far as settings go (pay no attention to the UI of the two images, lol), and one showing what it'd look like disabled.




Description: Suhosin displaying that the module is loaded with default settings.
Attached picture SuHosin On.png

Description: Suhosin displaying test code showing populated fields with "good" data.
Attached picture SuHosin Override.png

Description: Suhosin displaying that it is disabled.
Attached picture SuHosin Disabled.png
Posted By: Ruben Rocha Re: 7.5.9 suhosin check. - 02/19/2015 4:18 PM
Whatever, I still tend to disagree.
But anyway, your second attachment, which is supposed to be good values,
shows suhosin disabled and all the values as unset?????
What the hell does unset mean?
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/19/2015 4:22 PM
... Values are set, "unset" means they haven't set a value... The key here is that these are settings you report to your host.

Like I said, my server doesn't have Suhosin installed, so test code just tries to load the variables, and as they aren't configured they aren't set; hence "unset". Generally you'd only have one or two of these that'd be unset, the only reason ALL of mine are unset is because the test code is enabled and it's populating the field with the current settings of the server.

I still fail to see what's wrong with "Good" (green), "Bad" (red), "Ignore" (blue).
Posted By: Ruben Rocha Re: 7.5.9 suhosin check. - 02/19/2015 4:28 PM
Okay, maybe I will play with the settings to see what happens when they pass.
I just think it is too busy and should just have current and recommended only.
Then maybe the colors will be okay for me.
You already have URLs for each setting that go to suhosin.org, where the details show the defaults.

Chill out, just my 2 cents.
Posted By: Gizmo Re: 7.5.9 suhosin check. - 02/19/2015 4:32 PM
I'm really against removing the defaults column, if there are issues with a setting it provides more info to your host (who users will generally be reporting to) about the very small default values; these checks are generally for servers who just installed the module for security and didn't really configure it.

I pretty much designed this system for the admin to screen shot it and provide it to the host, as your host generally wouldn't have admin access to the UBB control panel. Thus, the links to the descriptions of everything wouldn't be passed along with a screenshot. The links are there so the admin can go and see what each variable is for, basically to enhance your argument that the setting should be increased.

The "unset"/blue wording will be very rare to see, outside of test code as when the module is installed via apt/yum or even compiling it manually, it should insert default values for these items.

And no need to "chill out", I'm perfectly fine; I'm just trying to provide details as a knowledgeable person who worked helpdesk and server administration for a webhost for 9 years; what is displayed there is the data I'd want to see vs being bombarded with links to various config options on a site vs just having the data displayed for me would make me want to go and look into the issue...
Posted By: Ruben Rocha Re: UBB.Threads Suhosin Check - 02/19/2015 4:47 PM
Okay I just modded one value so it would pass and it looks okay.
current is green and recommended is green.

My opinion would be to make the default column a static normal color, not green, red or blue,
if you want to keep it there.

Making the color red on the default column just makes you think something is wrong with it when you compare it to the other columns.

Still a great mod, even if you ignore me. wink

FYI,
I have 4 sites with the same host same plan and I never have had issues with the config file.
But we need to start somewhere to nail it down for the users.
Posted By: Ruben Rocha Re: UBB.Threads Suhosin Check - 02/20/2015 10:40 AM
Okay I looked at this a little more.
Then I suggest a legend for the colors.
And reading your statement
Quote
I'm just trying to provide details as a knowledgeable person who worked helpdesk and server administration for a webhost for 9 years; what is displayed there is the data I'd want to see vs being bombarded with links to various config options on a site vs just having the data displayed for me
For the average Joe dealing with a help desk,
you could get fancy and add an option to email the info to the host, such as an email button or a text-only screen that they can copy and place in an email to the support desk,
since they probably don't know what most of it means anyway.