Suhosin: The Invisible Hand Of PHP
Out Of Date Warning
Languages change. Perspectives are different. Ideas move on. This article was published on November 18, 2009 which is more than two years ago. It may be out of date. You should verify that technical information in this article is still current before relying upon it for your own purposes.
Last week, I received an email from someone who told me how the Suhosin patch had created problems for their team, and suggested that I write about it here. I thought this was a great idea, for a number of reasons. Particularly, Suhosin is one of those PHP patches that alters the way PHP operates in a fundamental fashion, yet also is installed by default in many places (for example, Ubuntu compiles this patch in by default on their installation).
For starters, what is Suhosin? Suhosin is a PHP patch that “hardens” PHP’s security features. The makers of Suhosin describe it in this way:
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
So how does Suhosin affect you? Suhosin can affect you because it fundamentally alters the way PHP operates. Here are some of the features and “gotchas” that you should watch out for:
Allows the disabling of eval()
If your application uses eval() for any reason, and you deploy it to a remote server hosted by someone else, there’s a chance that they may have disabled eval(), which would break your application.
I have no intention of defending eval(); I don’t use it, and I’m not going to make statements on whether or not you should. However, if you have a legitimate use, you must be careful to make sure that eval() is not disabled.
Disallowing of Remote URL Inclusion
While this is generally a poor programming practice to begin with, Suhosin disables your ability to include remote URLs. For example:
<?php require 'http://www.anothersite.com/';
This will fail with Suhosin installed and activated. While this is a horribly dangerous programming practice in the first place (you should use file_get_contents() instead), it might generate problems for your application if you are unaware that Suhosin is installed.
Changes a script’s ability to modify the memory_limit
Occasionally, on the fly, I’ve changed the memory limit on one script (a cron job, for example) in order to prevent the script from failing. This value can be set throughout PHP; however, Suhosin changes this behavior and does not allow you to change the memory limit on the fly. This can create problems if you expect/need the memory limit to be alterable.
Allows limits on length of REQUEST arrays
If you have a particularly long form, you may run into this problem: Suhosin allows you to limit the length of the REQUEST array, thus limiting how long your form is. While you may never run into this, you should be aware of the possibility that Suhosin might be responsible for this.
Super-long arrays can create problems in PHP, and attackers might attempt to add millions of form fields with the hopes of generating an error or somehow affecting your application. While this protection can be good, you should be aware of its ability to adjust and affect your application as well.
So is Suhosin bad?
Absolutely not. Suhosin does a number of good things, and helps protect against a number of possible attacks and vulnerabilities in PHP. That being said, Suhosin is not a replacement for good coding practices. Its installation on major servers is largely due to the fact that server owners wish to configure components of PHP that are not otherwise configurable due to the way PHP is configured. It is therefore their right to install this patch and configure it any way they like.
Suhosin is by no means a requirement for PHP development. You can, and should, learn the PHP best practices so that patches like Suhosin are merely an aid, not a crutch. Still, because Suhosin is installed by default as a part of many PHP installations (this server uses Suhosin), you should be aware of its ability to act as a little bit of an “invisible hand” throughout the PHP world, guiding your security choices before you even have the chance to make them.
How do I make sure my application is compatible with Suhosin if I’m going to use it?
Suhosin includes a compatibility mode called suhosin.simulation. This will log, but not block, the execution of things that Suhosin finds objectionable. You can use this mode to determine whether or not Suhosin works for your application and what restrictions will affect you.
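A preflight check for the gotchas listed above, as an added example that is not from the original article or the Suhosin project: it reads the extension's ini directives for eval(), URL includes, the memory limit cap and the request variable limits, and reports whether simulation mode is on. The function names and the sample field count are hypothetical, and a limit of 0 is assumed to mean "no limit".

```php
<?php
// Added example, not code from the article or from the Suhosin project.
// Avoids PHP 7-only syntax so it also runs on older PHP 5 builds.

function suhosin_flag($name)
{
    // Boolean ini values arrive as strings such as "1", "0", "" or "On".
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function suhosin_preflight($formFieldCount)
{
    $report = array(
        'extension'  => extension_loaded('suhosin'),
        'core_patch' => defined('SUHOSIN_PATCH'),
        'warnings'   => array(),
    );
    if (!$report['extension']) {
        return $report; // the suhosin.* directives come from the extension
    }
    // When simulation is on, violations are logged rather than blocked.
    $report['simulation'] = suhosin_flag('suhosin.simulation');

    if (suhosin_flag('suhosin.executor.disable_eval')) {
        $report['warnings'][] = 'eval() is disabled';
    }

    // With neither list configured, every URL scheme is refused for include/require.
    $allow = trim((string) ini_get('suhosin.executor.include.whitelist'));
    $deny  = trim((string) ini_get('suhosin.executor.include.blacklist'));
    if ($allow === '' && $deny === '') {
        $report['warnings'][] = 'include/require of URL schemes is blocked';
    }

    // Report the cap that applies to ini_set('memory_limit', ...) at runtime.
    $report['memory_limit']         = ini_get('memory_limit');
    $report['suhosin.memory_limit'] = ini_get('suhosin.memory_limit');

    // Compare the expected number of form fields with the variable-count limits.
    foreach (array('suhosin.request.max_vars', 'suhosin.post.max_vars') as $key) {
        $limit = (int) ini_get($key);
        if ($limit > 0 && $formFieldCount > $limit) { // assumption: 0 means no limit
            $report['warnings'][] = "$key=$limit is below $formFieldCount fields";
        }
    }
    return $report;
}

// 250 is a constructed sample: the field count of your largest form.
print_r(suhosin_preflight(250));
```

Run it under the same SAPI as the application (web server rather than CLI), since each can load a different php.ini.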
Chances are good that if you’re running up against Suhosin problems, you should seriously reconsider what it is that you’re doing and see whether or not it’s worthwhile or a good programming practice. Suhosin isn’t perfect, but you should take its warnings seriously.