Hi

On Wed, 07 Apr 2010 12:41:42 +0200
Olaf van der Spek <o...@xwis.net> wrote:

> On 7-4-2010 10:25, Thijs Kinkhorst wrote:
> >> In that case, shouldn't Suhosin be disabled by default?
> >
> > I don't think so. PHP in Debian is of wider use than phpMyAdmin alone, so
> > if phpMyAdmin has issues with Suhosin it doesn't naturally follow that all
> > of Suhosin should be disabled. There are many PHP applications both inside
> > and outside of Debian, web application security has a significant impact
> > on the web today and having Suhosin by default can provide a positive
> > contribution to web application security.
> 
> I don't have experience with Suhosin, but it sounds a bit like AV
> software (on Windows): workarounds, not solutions.

Well, there are definitely good things in Suhosin, but I don't see much
benefit in limits on the number of variables or their length.

> > As for the impact of Suhosin on phpMyAdmin performance, this is limited to
> > only certain operations, most notably when working with large tables that
> > have no primary key. I have not encountered any problems myself when
> > working with phpMyAdmin in different contexts all running with Suhosin.
> 
> Isn't it possible to detect and disable those operations in pMA when 
> Suhosin is enabled?

It could probably be implemented by a combination of PHP and client-side
JavaScript code (you need to validate forms before submitting to check
that they don't exceed some of the configured limits), but nobody has
invested his time into this so far. Patches are of course welcome.

> > Finally, it's possible to change the specific Suhosin settings that
> > phpMyAdmin has a problem with. So it's definitely not needed to remove or
> > disable Suhosin to be able to work with phpMyAdmin.
> 
> I know, I just think this warning isn't right either.

What kind of warning would be better?

> > Michal, perhaps the phpMyAdmin FAQ item that the warning refers to can be
> > augmented with which parameters to change?

The documentation is now updated to mention some more sensible settings
for phpMyAdmin:

http://demo.phpmyadmin.net/trunk-config/Documentation.html#faq1_38

-- 
        Michal Čihař | http://cihar.com | http://blog.cihar.com
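The client-side half of the pre-submit check Michal describes above, as an added example that is not phpMyAdmin's code: the `limits` object is assumed to be emitted by the PHP side from `ini_get()` on the Suhosin settings named in the comments, and the form contents and limit values are constructed sample data, not Suhosin's defaults.

```javascript
// Assumed to be written into the page by PHP, e.g.
//   ini_get('suhosin.post.max_vars'), ini_get('suhosin.post.max_value_length'),
//   ini_get('suhosin.post.max_name_length').
// Constructed sample values, chosen small so the check below trips.
const SAMPLE_LIMITS = { maxVars: 4, maxValueLength: 16, maxNameLength: 8 };

// Compare a list of {name, value} pairs against the limits. Suhosin silently
// drops variables beyond these limits, so the form would arrive incomplete;
// reporting before submission tells the user why instead of failing quietly.
function checkFormAgainstLimits(fields, limits) {
  const problems = [];
  if (fields.length > limits.maxVars) {
    problems.push(`form has ${fields.length} variables, Suhosin would keep only ${limits.maxVars}`);
  }
  for (const { name, value } of fields) {
    if (name.length > limits.maxNameLength) {
      problems.push(`variable name "${name}" is longer than ${limits.maxNameLength} characters`);
    }
    if (value.length > limits.maxValueLength) {
      problems.push(`value of "${name}" is longer than ${limits.maxValueLength} characters`);
    }
  }
  return problems;
}

// Browser glue (not run here): gather named controls from a real <form>
// and block submission when the check reports problems.
function collectFields(form) {
  return Array.from(form.elements)
    .filter((el) => el.name)
    .map((el) => ({ name: el.name, value: el.value }));
}
function installGuard(form, limits) {
  form.addEventListener('submit', (ev) => {
    const problems = checkFormAgainstLimits(collectFields(form), limits);
    if (problems.length > 0) {
      ev.preventDefault();
      window.alert(problems.join('\n'));
    }
  });
}

// Constructed sample: a row-insert form with one long name, one long value
// and one variable too many for SAMPLE_LIMITS.
const SAMPLE_FIELDS = [
  { name: 'db', value: 'sakila' },
  { name: 'table', value: 'film' },
  { name: 'fields[0]', value: 'ACADEMY DINOSAUR' },
  { name: 'desc', value: 'A Epic Drama of a Feminist And a Mad Scientist' },
  { name: 'token', value: 'abc' },
];
```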
