Suhosin Blocking Post Replies

[NerdUno]

We're having problems with threads that have even moderately long message subjects. The symptom is that users can't post replies to the original post. Does anyone know what suhosin setting needs to be changed?? This is a shared server, and we don't have control of it so we can't just disable suhosin.

Replies to a thread with the following title work fine:

http://pbxinaflash.com/community/index.php?threads/test-message-with-20-and-plus-10-and-5-p.12589/

Adding one more character to the title keeps everybody from being able to post a reply:

http://pbxinaflash.com/community/index.php?threads/test-message-with-20-and-plus-10-and-5-pl.12589/

Thanks.

 

[Slavik]

If you cant edit the suhosin.get.max_value_length = value, unfortunately your options are limited to

a) Create an addon to limit the max title length
b) Move to a different host.
c) Live with it.

 

[NerdUno]

Thanks. We can get the settings adjusted. What should the suhosin.get.max_value_length value be??

 

[NerdUno]

@Brogan: Through trial-and-error, we've resolved the problem. Suffice it to say, suhosin is now an integral part of most hosted servers. And XenForo runs primarily on hosted servers. Since it won't run with the default suhosin settings, perhaps the developers should consider adding a little documentation that at least explains the minimum suhosin setup to get a properly functioning system.

 

[TPerry]

@Brogan: Through trial-and-error, we've resolved the problem. Suffice it to say, suhosin is now an integral part of most hosted servers. And XenForo runs primarily on hosted servers. Since it won't run with the default suhosin settings, perhaps the developers should consider adding a little documentation that at least explains the minimum suhosin setup to get a properly functioning system.

If they are current on their PHP implementation then suhosin is not a factor - considering that it's not supported under 5.4.x >.

 

[NerdUno]

For those in a shared hosting environment, I'm not sure I'd be crowing about the lack of suhosin support in php 5.4. Some (who haven't forgotten the PHP security woes of old) might call it downright stupid.

 

[TPerry]

For those in a shared hosting environment, I'm not sure I'd be crowing about the lack of suhosin support in php 5.4. Some (who haven't forgotten the PHP security woes of old) might call it downright stupid.

Point being... that those "shared hosting" need to get with the times. 5.2.x has been EOL for a while. 5.3.x is coming up on EOL. Guess they still are running Debian 4/5, or CentOS 2.1/3, or any of those other EOL flavors of Linux.

 

[NerdUno]

RedHat Enterprise 6.4 is hardly an EOL flavor of Linux.

 

[TPerry]

RedHat Enterprise 6.4 is hardly an EOL flavor of Linux.

My point being exactly that... they will run the later versions of the OS, but can't be troubled to use the newer version of PHP that are not EOL or have security problems.
That's a major problem with HostGator (and why I left them). They are defaulted to a 5.2.x install, and offer the OPTION via .htaccess of 5.3.x. But you are STILL at the mercy of those others that use 5.2.x and the problems associated with it.
The sarcasm didn't carry over that I was trying to get across... being that if they can't be troubled to run the latter versions of PHP, then why should they be troubled to run the latter versions of the OS.

 

[Biker]

For those in a shared hosting environment, I'm not sure I'd be crowing about the lack of suhosin support in php 5.4. Some (who haven't forgotten the PHP security woes of old) might call it downright stupid.

There hasn't been any development on suhosin in over a year. The general feeling is suhosin is a dead project due to internal politics between the devs of PHP and suhosin. I wouldn't plan on seeing any changes being made to XenForo to be compatible with a dead project.

 

[NerdUno]

Tracy, RedHat's decision not to deploy PHP 5.4 had nothing to do with being lazy. Let's get back to the point of the thread, shall we?? XenForo needs to document the necessary settings for suhosin in order to get XenForo to perform properly. For those that want to play with PHP 5.4 in their sandbox without suhosin support, good for you. The point remains that many of XenForo's PAID CUSTOMERS depend upon PHP 5.3 with suhosin, and we need documentation on how to properly run the application. Nobody's asking for the XenForo folks to change anything. Just document what it needs in order to work!

 

[Biker]

The change needs to come from those who have a dependency on suhosin. It's dead. There's been nary a peep from the developer in over a year. None. Nada. Zilch. And he refuses to allow anyone else to take the project.

 

[NerdUno]

Nobody has asked for a change in XenForo! The request is for configuration information needed by XenForo to function properly, e.g. the scope of get, post, and request variables. Do these work? If not, what does? Don't really care about the PHP and suhosin politics. The point was that most shared servers use PHP 5.3 WITH suhosin today! We need to know how to properly configure it. Simple as that.

suhosin.filter.action = 406
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 350
suhosin.get.max_totalname_length = 512
suhosin.get.max_value_length = 2048
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_value_length = 65000
suhosin.post.max_vars = 4096
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 256
suhosin.request.max_totalname_length = 8192
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 8000
suhosin.request.max_varname_length = 350
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 350
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 65000
suhosin.post.max_vars = 8000
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 8000
suhosin.request.max_varname_length = 350
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128