How to override suhosin max value?

tim · Oct 4, 2012 · Viewed 10.6k times

An important GET param is being filtered by suhosin. How do I override suhosin when the following does not work?

public_html/php.ini :

[suhosin]
suhosin.get.max_value_length = 2048

Sets suhosin.get.max_value_length among others to NULL and crashes user session.

-

public_html/.htaccess :

<IfModule mod_php5.c>
    php_value suhosin.get.max_value_length 2048
</IfModule>

No effect

-

(System default is set to:)

suhosin.get.max_value_length = 512
suhosin.get.max_value_length = 100000

The GET parameter being filtered is 576 chars long.

Answer

tim · Oct 4, 2012

We can bypass suhosin by rebuilding $_GET:

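// Override suhosin $_GET limitation by rebuilding $_GET from the raw query string
$_GET = array();
$params = explode('&', $_SERVER['QUERY_STRING']);
foreach ($params as $pair) {
  if ($pair === '') {
    continue; // empty query string or stray '&'
  }
  // Limit of 2 keeps '=' inside a value intact; pad so a key without '=' gets ''
  list($key, $value) = array_pad(explode('=', $pair, 2), 2, '');
  $_GET[urldecode($key)] = urldecode($value);
}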
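
A narrower variant of the rebuild above, as an added example that is not part of the original answer: it restores a single named parameter from the raw query string under its own length cap, so every other parameter stays subject to suhosin's limits. The parameter name `data`, the helper `restore_get_param` and the sample query strings are assumptions made for illustration; 2048 is the limit the question tried to set.

```php
<?php
// Added example (not from the original answer): restore ONE named parameter
// with an explicit cap instead of rebuilding all of $_GET unfiltered.

/**
 * Return the decoded value of $name from $queryString, or null when the
 * parameter is absent, longer than $maxLen bytes, or contains control bytes.
 */
function restore_get_param(string $queryString, string $name, int $maxLen): ?string
{
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue; // empty query string or stray '&'
        }
        // Limit 2 keeps '=' inside the value; pad for a key with no '='.
        [$rawKey, $rawValue] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($rawKey) !== $name) {
            continue; // all other parameters keep the suhosin-filtered value
        }
        $value = urldecode($rawValue);
        if (strlen($value) > $maxLen) {
            return null; // our own cap replaces the one being bypassed
        }
        // Assumption of this example: the value is printable text, so NUL
        // and other control bytes (tab and newline included) are rejected.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            return null;
        }
        return $value; // first occurrence wins
    }
    return null;
}

// Constructed input: a 576-character value, the length given in the question.
// In a real request this would be $_SERVER['QUERY_STRING'].
$query = 'page=2&data=' . str_repeat('A', 576);

$value = restore_get_param($query, 'data', 2048);
if ($value !== null) {
    $_GET['data'] = $value; // only this key is restored
}
var_dump(strlen($_GET['data'] ?? ''));

// Constructed oversized input: rejected by the 2048-byte cap.
var_dump(restore_get_param('data=' . str_repeat('A', 4096), 'data', 2048));
```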