
Commit 12f2ce4

committed
more suhosin config checks
1 parent d9c055f commit 12f2ce4


1 file changed

+74
-0
lines changed

1 file changed

+74
-0
lines changed

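--- a/phpconfigcheck.php
+++ b/phpconfigcheck.php
@@ -280,6 +280,10 @@ function is_writable_or_chmodable($fn)
 'suhosin.*.max_value_length=default' => "The default value set as maximum length for each variable may be too small for some applications.",
 'suhosin.*.disallow_ws' => "Unless your application needs variable names to start with whitespace, please consider turning this option on.",
 'suhosin.*.max_name_length=off' => "The variable name length should be limited. Please set an appropriate value, e.g. 64.",
+'suhosin.*.max_array_depth=off' => "The array depth should be limited to avoid denial of service. A reasonable value is 50.",
+'suhosin.*.max_array_index_length=off' => "The array index length should be limited to avoid denial of s ervice. The default value of 64 is recommended.",
+'suhosin.*.max_totalname_length=off' => "The variable name length should be limited to a reasonable value, e.g. 256.",
+'suhosin.*.max_vars=off' => "The number of user supplied input variables should be limited. Reasonable values depend on your application and may go up to 100 or 1000.",
 'suhosin.log.script.name' => "An attacker may try to inject code into the logging script. Better change file permissions to read-only access.",
 'suhosin.log.script.name/chmod' => "The logging script is not set writable, but the current user has the right to change the access permission. Please change the file's owner."
 );
@@ -747,6 +751,76 @@ function is_writable_or_chmodable($fn)
 $recommendation = $helptext['suhosin.*.max_name_length=off'];
 }
 break;
+case 'suhosin.request.max_array_depth':
+if (intval($v) == 0 &&
+(intval(ini_get('suhosin.get.max_array_depth')) == 0 ||
+intval(ini_get('suhosin.post.max_array_depth')) == 0 ||
+intval(ini_get('suhosin.cookie.max_array_depth')) == 0)) {
+list($result, $reason) = array(TEST_MEDIUM, "array depth not limited.");
+$recommendation = $helptext['suhosin.*.max_array_depth=off'];
+}
+break;
+case 'suhosin.get.max_array_depth':
+case 'suhosin.post.max_array_depth':
+case 'suhosin.cookie.max_array_depth':
+if (intval($v) == 0 && intval(ini_get('suhosin.request.max_array_depth')) == 0) {
+list($result, $reason) = array(TEST_MEDIUM, "array depth not limited.");
+$recommendation = $helptext['suhosin.*.max_array_depth=off'];
+}
+break;
+case 'suhosin.request.max_array_index_length':
+if (intval($v) == 0 &&
+(intval(ini_get('suhosin.get.max_array_index_length')) == 0 ||
+intval(ini_get('suhosin.post.max_array_index_length')) == 0 ||
+intval(ini_get('suhosin.cookie.max_array_index_length')) == 0)) {
+list($result, $reason) = array(TEST_MEDIUM, "array index length not limited.");
+$recommendation = $helptext['suhosin.*.max_array_index_length=off'];
+}
+break;
+case 'suhosin.get.max_array_index_length':
+case 'suhosin.post.max_array_index_length':
+case 'suhosin.cookie.max_array_index_length':
+if (intval($v) == 0 && intval(ini_get('suhosin.request.max_array_index_length')) == 0) {
+list($result, $reason) = array(TEST_MEDIUM, "array index length not limited.");
+$recommendation = $helptext['suhosin.*.max_array_index_length=off'];
+}
+break;
+case 'suhosin.request.max_totalname_length':
+if (intval($v) == 0 &&
+(intval(ini_get('suhosin.get.max_totalname_length')) == 0 ||
+intval(ini_get('suhosin.post.max_totalname_length')) == 0 ||
+intval(ini_get('suhosin.cookie.max_totalname_length')) == 0)) {
+list($result, $reason) = array(TEST_MEDIUM, "variable name length not limited.");
+$recommendation = $helptext['suhosin.*.max_totalname_length=off'];
+}
+break;
+case 'suhosin.get.max_totalname_length':
+case 'suhosin.post.max_totalname_length':
+case 'suhosin.cookie.max_totalname_length':
+if (intval($v) == 0 && intval(ini_get('suhosin.request.max_totalname_length')) == 0) {
+list($result, $reason) = array(TEST_MEDIUM, "variable name length not limited.");
+$recommendation = $helptext['suhosin.*.max_totalname_length=off'];
+}
+break;
+case 'suhosin.request.max_vars':
+if (intval($v) == 0 &&
+(intval(ini_get('suhosin.get.max_vars')) == 0 ||
+intval(ini_get('suhosin.post.max_vars')) == 0 ||
+intval(ini_get('suhosin.cookie.max_vars')) == 0)) {
+list($result, $reason) = array(TEST_HIGH, "number of request varialbes not limited.");
+$recommendation = $helptext['suhosin.*.max_vars=off'];
+}
+break;
+case 'suhosin.get.max_vars':
+case 'suhosin.post.max_vars':
+case 'suhosin.cookie.max_vars':
+if (intval($v) == 0 && intval(ini_get('suhosin.request.max_vars')) == 0) {
+list($result, $reason) = array(TEST_MEDIUM, "number of variables not limited.");
+$recommendation = $helptext['suhosin.*.max_vars=off'];
+}
+break;
+
+
 case 'suhosin.log.script.name':
 case 'suhosin.log.phpscript.name':
 if ($v !== "") {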
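Review bot: The `suhosin.request.max_vars` case grades the finding TEST_HIGH with the reason "number of request varialbes not limited." while the three per-source max_vars cases grade the very same condition TEST_MEDIUM with different wording, so the severity a user sees depends on which directive name happens to be checked; pick one severity and fix the typo, e.g. `list($result, $reason) = array(TEST_MEDIUM, "number of request variables not limited.");`. The new max_array_index_length help text also has a split word and should read `"The array index length should be limited to avoid denial of service. The default value of 64 is recommended."`. All twelve new cases follow one shape (flag when the directive is 0 and its request-wide or per-source counterpart is also 0), so a small helper taking the limit name and the source prefix would replace roughly sixty copy-pasted lines and keep the reason strings and severities in lockstep. Be aware that `intval(ini_get(...))` is 0 when a directive does not exist at all, so a misspelled or unavailable directive name would be reported as an unlimited setting rather than skipped — presumably these cases are only reached when suhosin is loaded, but that guard is not visible here. The enclosing switch starts and ends outside the hunk.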
