People, thanks for your comments – take me different view points. Specially for Stefan Esser – really helpful post, every point have explanations.

With one or both parts of Suhosin beginning to be included by default in webserver installations, having the “symptoms” highlighted to the unaware developer seems to me to have merit.

In most, if not all, cases where Suhosin acts against a request, it will display an error in the error log, allowing you to see what its doing, so you can decide whether to turn off a feature.

You’ve got to consider, however, the security of code you don’t manage as well. Wordpress seems to have people finding new ways to upload remote code and inject every month, so one of the things I’ve done is specifically for that Wordpress vhost, turn on:

suhosin.executor.include.allow_writable_files

and now if someone somehow manages to upload a file, it can’t be included.

sorry but your blog posting about Suhosin is simply “wrong”.

First of all Suhosin is a 2 part system. That means there is a patch and an extension that can be used alone or together. The difference is that the patch implements low level security while the extension implements high level security.

That said in most cases only the suhosin patch is activated by default which adds protections around PHP internal functions. Aside from patches to how realpath works (which is no longer needed and done for PHP >= 5.3.0) there is no influence on PHP scripts. If PHP scripts break with only Suhosin patch applied this means they ultimatively suck, because they trigger memory corruption problems within PHP. If these scripts work with standard PHP and do not crash then you are simply lucky. The right way here would be to track down the memory corruption inside PHP and fix it.

So all the features you discuss are within the Suhosin extension that is NOT installed by default in many places.

a) disable eval – well honestly I have never seen a system in the wild that makes use of this features and the documentation clearly states that enabling this feature will break apps

b) every application relying on remote URL inclusion is insecure. Beside the fact that remote URL inclusion are not allowed in PHP 5.2.0 and greater anyway. So if you want your application to work with new PHP you have to fix that anyway.

c) memory_limit – compatible applications always had to take care of activated safe_mode which also disallows changing the memory_limit. Beside the fact that suhosin does NOT disallow changing the memory_limit. It allows the admin to set a second HARD memory_limit that he does not want to see violated. So you can change memory_limit as long you do not try to overrun the hard memory_limit

d) limit on request – yes indeed this feature causes problems with many things. But that is just because admins just install suhosin and believe they do not need to configure it. Security out of the box. But this is like installing a fresh Fedora installation and then crying because you cannot access the webserver because the firewall blocks all incoming ports by default.