
I'm running PHP 5.6 on Ubuntu 12.04 as an Apache 2.4 module. Suhosin is installed from sources.

Suhosin is enabled and I can see it in phpinfo() function output. I have these lines in the suhosin.ini:

suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On

And I can also see them enabled in phpinfo(). Both globally and locally.

But for some reason a simple

eval('echo 5;');

just shows me the damn “5”!!!

The same goes for

preg_replace("/.*/e", "eval('echo 5, PHP_EOL;')", ".");

How do I enable that suhosin?

Konstantin Bodnia

1 Answer


You have to check both local and master values in your phpinfo() for the lines suhosin.executor.disable_eval and suhosin.executor.disable_emodifier in order to be sure that the configuration file is read correctly, and not only for the activation of suhosin.

The local value of those directives should be set to 'On'.

If the local is Off but the master is On, then your virtual host configuration might override this parameter. If both are Off, then your suhosin.ini is not parsed correctly.

You also have to check that suhosin.simulation (debug mode) is set to Off.

Adam
  • As I mentioned in my original post I checked the values with phpinfo() and they both were set to “On”. – Konstantin Bodnia Mar 16 '15 at 10:55
  • You only mentioned that you could see that suhosin was enabled, not that "**local** values" of configuration parameters were both set to "On" (and not only the "master value") when you do a phpinfo(). If such is the case, you should edit your question to make it really clear. Thanks for your feedback. – Adam Mar 16 '15 at 12:10
  • @KonstantinBodnya Still waiting for your feedback; please confirm that your **local** values are set to 'On' in your phpinfo(). – Adam Mar 22 '15 at 07:38
  • Yes. Of course they are both set to “On” globally and locally. – Konstantin Bodnia Mar 22 '15 at 19:39
  • I'm glad, I had nothing more left to say ;-) – Adam Mar 23 '15 at 12:57
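
The checks listed in the answer (master versus local value of both directives, plus suhosin.simulation) can be run as one PHP script. This is an added example, not code from the question or the answer. It assumes the script is requested through the same Apache virtual host as the affected code, because the CLI SAPI loads its own ini files.

```php
<?php
// Added diagnostic example, not from the original post. Request it through the
// same Apache virtual host as the affected code: the CLI SAPI loads its own ini
// files, so a shell run would not show what mod_php sees.
header('Content-Type: text/plain');

// Boolean ini values may be stored as "1"/"" or as the literal word.
function ini_flag_on($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

// Apply the answer's reasoning to one directive.
function diagnose($name, array $all, $wantOn)
{
    if (!isset($all[$name])) {
        return "$name: not registered by the loaded extension";
    }
    $master = ini_flag_on($all[$name]['global_value']);
    $local  = ini_flag_on($all[$name]['local_value']);
    $line   = sprintf('%s: master=%s local=%s -> ', $name, $master ? 'On' : 'Off', $local ? 'On' : 'Off');
    if ($local === $wantOn) {
        return $line . 'as required';
    }
    if ($master === $wantOn) {
        return $line . 'overridden after the ini files were read (check the virtual host configuration)';
    }
    return $line . 'never set as required; suhosin.ini is probably not being parsed';
}

if (!extension_loaded('suhosin')) {
    exit("suhosin extension is not loaded in this SAPI\n");
}

echo 'Main ini file:     ', php_ini_loaded_file() ?: '(none)', "\n";
echo 'Scanned ini files: ', php_ini_scanned_files() ?: '(none)', "\n\n";

$all = ini_get_all('suhosin', true); // per directive: global_value, local_value, access
echo diagnose('suhosin.executor.disable_eval', $all, true), "\n";
echo diagnose('suhosin.executor.disable_emodifier', $all, true), "\n";
echo diagnose('suhosin.simulation', $all, false), "\n"; // must be Off for rules to be enforced
```

If suhosin.ini does not appear in the scanned ini files list, the directives in it never reach this SAPI regardless of what the file contains.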