How do I set suhosin.request.max_* with .htaccess? Only suhosin.post.max_* work

mitai · May 28, 2012 · Viewed 7k times

I've set suhosin.perdir = 'p' in my ini file. I would now like to change suhosin ini settings on a per-folder basis.

The following all work (running phpinfo() inside the desired folder shows the changed values):

php_value suhosin.post.max_array_depth 100
php_value suhosin.post.max_array_index_length 128
php_value suhosin.post.max_name_length 128
php_value suhosin.post.max_value_length 2000000
php_value suhosin.post.max_totalname_length 512
php_value suhosin.post.max_vars 1000

But when I also add the .request settings (which I understand are an upper limit for the .post settings), they do not change:

php_value suhosin.request.max_array_depth 100
php_value suhosin.request.max_array_index_length 128
php_value suhosin.request.max_name_length 128
php_value suhosin.request.max_value_length  2000000
php_value suhosin.request.max_totalname_length 512
php_value suhosin.request.max_vars 1000

screenshot for phpinfo

Do you have any idea if there is anything else I have to check/setup? Am I forgetting something?

Thank you! Matei

Answer

Sergi · May 28, 2012

Ok, I've finally found the solution. I was going to download the Suhosin code to take a look when I found this post, explaining that the perdir "p" directive only affects the post variables:

/* no deactivation so check the flags */
while (*tmp) {
    switch (*tmp) {
        case 'l':
        case 'L':
            SUHOSIN_G(log_perdir) = 1;
            break;
        case 'e':
        case 'E':
            SUHOSIN_G(exec_perdir) = 1;
            break;
        case 'g':
        case 'G':
            SUHOSIN_G(get_perdir) = 1;
            break;
        case 'c':
        case 'C':
            SUHOSIN_G(cookie_perdir) = 1;
            break;
        case 'p':
        case 'P':
            SUHOSIN_G(post_perdir) = 1;
            break;
        case 'r':
        case 'R':
            SUHOSIN_G(request_perdir) = 1;
            break;
        case 's':
        case 'S':
            SUHOSIN_G(sql_perdir) = 1;
            break;
        case 'u':
        case 'U':
            SUHOSIN_G(upload_perdir) = 1;
            break;
        case 'm':
        case 'M':
            SUHOSIN_G(misc_perdir) = 1;
            break;
    }
    tmp++;
}

If you want perdir options both per post and request, you need to edit your php.ini

suhosin.perdir=pr

or .htaccess

php_value suhosin.perdir pr

so the value for perdir is pr
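The following audit script is an added example, not part of the answer above and not Suhosin code: given a suhosin.perdir value, it reports which suhosin php_value lines in an .htaccess file will take effect and which will be silently ignored. The function names, the sample text, and the mapping from flag letter to setting prefix (inferred from the flag names in the quoted switch) are assumptions.

```python
import re

# Flag letter -> setting family, following the switch quoted in the answer.
# Assumption: the family is the second dotted component of the setting name
# (suhosin.post.*, suhosin.request.*, ...). 'm' (misc) has no single prefix,
# so it is left out and such settings are reported as "unknown".
FLAG_FAMILY = {"l": "log", "e": "executor", "g": "get", "c": "cookie",
               "p": "post", "r": "request", "s": "sql", "u": "upload"}

# Matches uncommented php_value / php_flag lines that set a suhosin.<family>.* key.
DIRECTIVE = re.compile(r"^\s*php_(?:value|flag)\s+suhosin\.([a-z]+)\.(\S+)", re.I)

def enabled_families(perdir):
    """Families unlocked for per-directory override by a value such as 'pr'."""
    flags = perdir.strip().strip("'\"").lower()
    return {FLAG_FAMILY[ch] for ch in flags if ch in FLAG_FAMILY}

def audit_htaccess(text, perdir):
    """Return (line_no, setting, status) for each suhosin line in .htaccess text."""
    allowed = enabled_families(perdir)
    known = set(FLAG_FAMILY.values())
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        family = m.group(1).lower()
        setting = f"suhosin.{family}.{m.group(2)}"
        if family not in known:
            status = "unknown"   # not covered by the mapping above
        elif family in allowed:
            status = "applied"   # perdir contains this family's flag
        else:
            status = "ignored"   # flag missing from perdir, value will not change
        report.append((no, setting, status))
    return report

# Constructed sample using the two kinds of lines from the question.
SAMPLE = """\
php_value suhosin.post.max_vars 1000
# a comment line
php_value suhosin.request.max_vars 1000
php_value suhosin.request.max_value_length  2000000
"""

if __name__ == "__main__":
    for perdir in ("p", "pr"):
        print(f"suhosin.perdir = {perdir}")
        for no, setting, status in audit_htaccess(SAMPLE, perdir):
            print(f"  line {no}: {setting:36} {status}")
```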