
Suhosin Blocking Post Replies

Discussion in 'Troubleshooting and Problems' started by NerdUno, May 24, 2013.

  1. NerdUno

    NerdUno Member

    We're having problems with threads that have even moderately long message subjects. The symptom is that users can't post replies to the original post. Does anyone know what suhosin setting needs to be changed?? This is a shared server, and we don't have control of it so we can't just disable suhosin.

    Replies to a thread with the following title work fine:

    Code:
    http://pbxinaflash.com/community/index.php?threads/test-message-with-20-and-plus-10-and-5-p.12589/

    Adding one more character to the title keeps everybody from being able to post a reply:

    Code:
    http://pbxinaflash.com/community/index.php?threads/test-message-with-20-and-plus-10-and-5-pl.12589/

    Thanks.
     
  2. Slavik

    Slavik XenForo Moderator Staff Member

    If you can't edit the suhosin.get.max_value_length = value, unfortunately your options are limited to

    a) Create an addon to limit the max title length
    b) Move to a different host.
    c) Live with it.
     
  3. NerdUno

    NerdUno Member

    Thanks. We can get the settings adjusted. What should the suhosin.get.max_value_length value be??
     
  4. NerdUno

    NerdUno Member

    @Brogan: Through trial-and-error, we've resolved the problem. Suffice it to say, suhosin is now an integral part of most hosted servers. And XenForo runs primarily on hosted servers. Since it won't run with the default suhosin settings, perhaps the developers should consider adding a little documentation that at least explains the minimum suhosin setup to get a properly functioning system. :eek:
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    If they are current on their PHP implementation then suhosin is not a factor - considering that it's not supported under 5.4.x >.
     
  6. NerdUno

    NerdUno Member

    For those in a shared hosting environment, I'm not sure I'd be crowing about the lack of suhosin support in php 5.4. Some (who haven't forgotten the PHP security woes of old) might call it downright stupid. :rolleyes:
     
  7. Tracy Perry

    Tracy Perry Well-Known Member

    Point being... that those "shared hosting" need to get with the times. 5.2.x has been EOL for a while. 5.3.x is coming up on EOL. Guess they still are running Debian 4/5, or CentOS 2.1/3, or any of those other EOL flavors of Linux.
     
  8. NerdUno

    NerdUno Member

    RedHat Enterprise 6.4 is hardly an EOL flavor of Linux.
     
  9. Tracy Perry

    Tracy Perry Well-Known Member

    My point being exactly that... they will run the later versions of the OS, but can't be troubled to use the newer versions of PHP that are not EOL or have security problems.
    That's a major problem with HostGator (and why I left them). They are defaulted to a 5.2.x install, and offer the OPTION via .htaccess of 5.3.x. But you are STILL at the mercy of those others that use 5.2.x and the problems associated with it.
    The sarcasm didn't carry over that I was trying to get across... being that if they can't be troubled to run the later versions of PHP, then why should they be troubled to run the later versions of the OS.
     
  10. Biker

    Biker Well-Known Member

    There hasn't been any development on suhosin in over a year. The general feeling is suhosin is a dead project due to internal politics between the devs of PHP and suhosin. I wouldn't plan on seeing any changes being made to XenForo to be compatible with a dead project.
     
  11. NerdUno

    NerdUno Member

    Tracy, RedHat's decision not to deploy PHP 5.4 had nothing to do with being lazy. Let's get back to the point of the thread, shall we?? XenForo needs to document the necessary settings for suhosin in order to get XenForo to perform properly. For those that want to play with PHP 5.4 in their sandbox without suhosin support, good for you. The point remains that many of XenForo's PAID CUSTOMERS depend upon PHP 5.3 with suhosin, and we need documentation on how to properly run the application. Nobody's asking for the XenForo folks to change anything. Just document what it needs in order to work!
     
  12. Biker

    Biker Well-Known Member

    The change needs to come from those who have a dependency on suhosin. It's dead. There's been nary a peep from the developer in over a year. None. Nada. Zilch. And he refuses to allow anyone else to take the project.
     
  13. NerdUno

    NerdUno Member

    Nobody has asked for a change in XenForo! The request is for configuration information needed by XenForo to function properly, e.g. the scope of get, post, and request variables. Do these work? If not, what does? Don't really care about the PHP and suhosin politics. The point was that most shared servers use PHP 5.3 WITH suhosin today! We need to know how to properly configure it. Simple as that.

    Code:
    suhosin.filter.action = 406
    suhosin.cookie.max_array_depth = 100
    suhosin.cookie.max_array_index_length = 64
    suhosin.cookie.max_name_length = 64
    suhosin.cookie.max_totalname_length = 256
    suhosin.cookie.max_value_length = 10000
    suhosin.cookie.max_vars = 100
    suhosin.cookie.disallow_nul = On
    suhosin.get.max_array_depth = 50
    suhosin.get.max_array_index_length = 64
    suhosin.get.max_name_length = 350
    suhosin.get.max_totalname_length = 512
    suhosin.get.max_value_length = 2048
    suhosin.get.max_vars = 100
    suhosin.get.disallow_nul = On
    suhosin.post.max_array_depth = 100
    suhosin.post.max_array_index_length = 256
    suhosin.post.max_totalname_length = 8192
    suhosin.post.max_value_length = 65000
    suhosin.post.max_vars = 4096
    suhosin.post.disallow_nul = On
    suhosin.request.max_array_depth = 100
    suhosin.request.max_array_index_length = 256
    suhosin.request.max_totalname_length = 8192
    suhosin.request.max_value_length = 65000
    suhosin.request.max_vars = 8000
    suhosin.request.max_varname_length = 350
    suhosin.request.disallow_nul = On
    suhosin.upload.max_uploads = 25
    suhosin.upload.disallow_elf = On
    suhosin.cookie.disallow_nul = On
    suhosin.get.max_array_depth = 50
    suhosin.get.max_array_index_length = 64
    suhosin.get.max_name_length = 350
    suhosin.get.max_totalname_length = 256
    suhosin.get.max_value_length = 512
    suhosin.get.max_vars = 100
    suhosin.get.disallow_nul = On
    suhosin.post.max_array_depth = 100
    suhosin.post.max_array_index_length = 64
    suhosin.post.max_totalname_length = 256
    suhosin.post.max_value_length = 65000
    suhosin.post.max_vars = 8000
    suhosin.post.disallow_nul = On
    suhosin.request.max_array_depth = 100
    suhosin.request.max_array_index_length = 64
    suhosin.request.max_totalname_length = 256
    suhosin.request.max_value_length = 65000
    suhosin.request.max_vars = 8000
    suhosin.request.max_varname_length = 350
    suhosin.request.disallow_nul = On
    suhosin.upload.max_uploads = 25
    suhosin.upload.disallow_elf = On
    suhosin.upload.disallow_binary = Off
    suhosin.upload.remove_binary = Off
    suhosin.session.max_id_length = 128
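
An added example, not part of the original post and not XenForo or suhosin code: the settings list above assigns several directives twice with different values. The script below takes a subset of those lines, reports which directives conflict, and flags limits that end up lower than an earlier assignment. It assumes the last assignment in an ini file is the one PHP applies; the function names are made up for this example.

```python
# Added example: audit a suhosin ini fragment for directives set more than once.
from collections import OrderedDict

# Subset of the settings posted above, copied verbatim (first, then second occurrence).
POSTED = """\
suhosin.get.max_name_length = 350
suhosin.get.max_totalname_length = 512
suhosin.get.max_value_length = 2048
suhosin.post.max_vars = 4096
suhosin.get.max_name_length = 350
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.post.max_vars = 8000
"""

def parse(text):
    """Return {directive: [values in file order]}, skipping blanks, sections, comments."""
    seen = OrderedDict()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an ini comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        seen.setdefault(key, []).append(value.strip('"'))
    return seen

def effective(seen):
    """Assumption: the last assignment of a directive is the one in force."""
    return {key: values[-1] for key, values in seen.items()}

def conflicts(seen):
    """Directives assigned more than once with differing values."""
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def tightened(seen):
    """Conflicting numeric limits whose effective value is below an earlier one."""
    out = {}
    for key, values in conflicts(seen).items():
        if all(v.isdigit() for v in values):
            earlier, last = max(map(int, values[:-1])), int(values[-1])
            if last < earlier:
                out[key] = (earlier, last)
    return out

if __name__ == "__main__":
    seen = parse(POSTED)
    for key, values in conflicts(seen).items():
        print(f"{key}: assigned {values}, effective {values[-1]}")
    for key, (was, now) in tightened(seen).items():
        print(f"LOWERED {key}: {was} -> {now}")
```

Running the same functions over a host's full suhosin ini file shows whether a limit that was raised earlier in the file is overridden further down.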
     
