Tuesday, 6 March 2007
Suhosin Extension 0.9.17 Released
Stefan Esser, in a post on the PHP Security blog, announces the release of Suhosin Extension 0.9.17. He adds that this release responds to a bug report by Ilia Alshanetsky and to some crash problems with PHP4.
He says the problem Ilia found is a trivial way to bypass Suhosin's hard_memory_limit because of a bug in PHP. Unlike PHP, Suhosin lets the admin set an unchangeable memory_limit for PHP scripts that acts as an upper limit for calls to ini_set, he explains.
Unfortunately, PHP contains a bug: it does not correctly handle negative memory_limit values, he continues. Instead of rejecting them, it silently casts them to an unsigned integer, which results in a memory_limit above 2 GB. Suhosin 0.9.17 did not catch this bug and therefore allows bypassing the hard memory limit with a call like the following:
ini_set("memory_limit", "-10000");
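
The signed/unsigned mismatch described above, modelled in C as an added example (this is not PHP's or Suhosin's actual code). The 64 MiB HARD_LIMIT, the 32-bit unsigned storage and both function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical admin-configured ceiling (64 MiB), standing in for
 * hard_memory_limit. The value is an assumption, not from the post. */
#define HARD_LIMIT (64L * 1024 * 1024)

/* Model of the flawed path: the request is compared as a signed number,
 * so every negative value is "below" the ceiling, and is then stored in
 * an unsigned field where it wraps to a huge limit.
 * Returns the effective limit, or 0 when the request is refused. */
uint32_t set_limit_flawed(const char *value)
{
    long requested = strtol(value, NULL, 10);
    if (requested > HARD_LIMIT)
        return 0;                   /* refused: above the ceiling */
    return (uint32_t)requested;     /* -10000 wraps to 4294957296 */
}

/* Hardened path: refuse non-positive values before any conversion to an
 * unsigned type, then apply the ceiling. */
uint32_t set_limit_checked(const char *value)
{
    long requested = strtol(value, NULL, 10);
    if (requested <= 0 || requested > HARD_LIMIT)
        return 0;                   /* refused */
    return (uint32_t)requested;
}

int main(void)
{
    /* Constructed sample requests: negative, within limit, above limit. */
    const char *samples[] = { "-10000", "33554432", "134217728" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s flawed=%lu checked=%lu\n", samples[i],
               (unsigned long)set_limit_flawed(samples[i]),
               (unsigned long)set_limit_checked(samples[i]));
    return 0;
}
```

In the flawed path the negative request ends up as an effective limit far above 2 GB, while the checked path refuses it and still accepts the legitimate 32 MiB request.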