Author Topic: RoundCube and Suhosin  (Read 9011 times)

Offline j0t

  • Newbie
  • Posts: 5
RoundCube and Suhosin
« on: August 17, 2008, 12:59:08 PM »
Hi all!

Has anybody tried the suhosin patch and extension for PHP? It has some interesting features for hardening PHP, but unfortunately it breaks RoundCube. If I open RoundCube, nothing shows up, and in the logfile I find these warnings:

Code:
[17-Aug-2008 18:50:26] PHP Warning:  fopen() has been disabled for security reasons in /home/j0t/voyager.j0t.it/webmail/program/include/rcube_template.php on line 494

Is it possible to adjust RoundCube in a way so that suhosin will not complain?

Thanks.

Offline bpat1434

  • Administrator
  • Hero Member
  • Posts: 673
RoundCube and Suhosin
« Reply #1 on: August 17, 2008, 04:01:57 PM »
Probably not.  But at the same time, Suhosin disables some things that aren't really huge security holes as long as your code is good.  Like fopen.  You could try file_get_contents() instead of fopen, but I'm not 100% sure that would work.

Offline j0t

  • Newbie
  • Posts: 5
RoundCube and Suhosin
« Reply #2 on: August 17, 2008, 09:25:20 PM »
Quote from: bpat1434;13343
Probably not.  But at the same time, Suhosin disables some things that aren't really huge security holes as long as your code is good.

The thing is, code is not always well-written. Kernel and security apps' holes demonstrate that even the most skilled programmer makes mistakes that can have a bad outcome on security. Unless, of course, you only run apps written by DJB :)

Every bit of paranoia put into preventing security breaches on production servers is well placed, I think. Unless, of course, it prevents you from using worthy software like roundcube. But before I quit using the patch, I wanted to ask if there was any chance of getting suhosin and roundcube working together.

Quote from: bpat1434;13343
You could try file_get_contents() instead of fopen, but I'm not 100% sure that would work.

That doesn't work either.

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #3 on: August 19, 2008, 04:27:52 PM »
Quote from: j0t;13342
Hi all!

Has anybody tried the suhosin patch and extension for PHP? It has some interesting features for hardening PHP, but unfortunately it breaks RoundCube.


I have suhosin working with php 5.2.5 with no noticeable issues. I can log in, check mail, and double-click to read mail; I have not tried sending yet, though.

PHP Version 5.2.5

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #4 on: August 19, 2008, 04:49:07 PM »
Actually, this sounds like a regular PHP ini restriction:

disable_functions =fopen

You can check the list of functions that your host has disabled in a phpinfo page (unless they've disabled phpinfo as well :o)

Offline j0t

  • Newbie
  • Posts: 5
RoundCube and Suhosin
« Reply #5 on: August 19, 2008, 04:53:09 PM »
Quote from: yourregistrationisbroken;13382
I have suhosin working with php 5.2.5 with no noticeable issues. I can log in, check mail, and double-click to read mail; I have not tried sending yet, though.

PHP Version 5.2.5

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

You're using the Suhosin *patch* but not the extension that comes with it. The Suhosin documentation says:
Quote
Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.


Quote from: yourregistrationisbroken;13383
Actually, this sounds like a regular PHP ini restriction:

disable_functions =fopen

You can check the list of functions that your host has disabled in a phpinfo page (unless they've disabled phpinfo as well :o)

It is not, I can assure you. I disabled the suhosin *extension* and roundcube started working again.

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #6 on: August 19, 2008, 05:58:18 PM »
Using the extension too

This server is protected with the Suhosin Extension 0.9.23


If I disable the function fopen in /etc/php.ini I get the exact same error as you describe. I get no such errors if I enable/disable the suhosin extension, and I don't see any settings for suhosin to block fopen.

So, you can keep looking at suhosin, but it works fine for me.

Offline j0t

  • Newbie
  • Posts: 5
RoundCube and Suhosin
« Reply #7 on: August 19, 2008, 06:17:24 PM »
Quote from: yourregistrationisbroken;13385
Using the extension too

This server is protected with the Suhosin Extension 0.9.23


If I disable the function fopen in /etc/php.ini I get the exact same error as you describe. I get no such errors if I enable/disable the suhosin extension, and I don't see any settings for suhosin to block fopen.

So, you can keep looking at suhosin, but it works fine for me.

I *swear* the only occurrence of the "fopen" string in my php.ini is the following:
Code:
suhosin.executor.eval.blacklist = "exec,system,passthru,shell_exec,fopen,file_get_contents,file_put_contents,tmpnam"

Which has of course nothing to do with blocking the function itself; instead it blocks usage of fopen when called through eval. However, commenting out the line results in a usable roundcube installation. Could it be that fopen is called through eval in rcube_template.php? Or is it a suhosin bug?

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #8 on: August 19, 2008, 06:18:23 PM »
It seems that I can duplicate the behavior of the php function disallow feature with suhosin's func blacklist:

suhosin.executor.func.blacklist = fopen


For me, it's in /etc/php.d/Z98_suhosin.ini

This is different from the eval blacklist feature.

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #9 on: August 19, 2008, 06:20:14 PM »
eval blacklist and func blacklist behave the same way on my setup, at least with respect to this RC setup. I haven't tried anything else.

:(

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #10 on: August 19, 2008, 06:24:51 PM »
Ahah, it seems that this xml_command function is being called as one of the arguments to preg_replace.  There's got to be a better way.


program/include/rcube_template.php 450

    private function parse_xml($input)
    {
        // The '<roundcube:...' part of this regex was stripped as an HTML tag when this page was extracted; it is restored here from the RoundCube source.
        return preg_replace('/<roundcube:([-_a-z]+)\s+([^>]+)>/Uie', "\$this->xml_command('\\1', '\\2')", $input);
    }


This is probably why suhosin is triggering the eval blacklist.

Offline j0t

  • Newbie
  • Posts: 5
RoundCube and Suhosin
« Reply #11 on: August 19, 2008, 06:26:43 PM »
Quote from: yourregistrationisbroken;13389
Ahah, it seems that this xml_command function is being called as one of the arguments to preg_replace.  There's got to be a better way.


program/include/rcube_template.php 450

    private function parse_xml($input)
    {
        // The '<roundcube:...' part of this regex was stripped as an HTML tag when this page was extracted; it is restored here from the RoundCube source.
        return preg_replace('/<roundcube:([-_a-z]+)\s+([^>]+)>/Uie', "\$this->xml_command('\\1', '\\2')", $input);
    }


This is probably why suhosin is triggering the eval blacklist.

Bingo!

And I agree with you, there's got to be a better way...

Offline yourregistrationisbroken

  • Jr. Member
  • Posts: 10
RoundCube and Suhosin
« Reply #12 on: August 19, 2008, 06:45:08 PM »
Okay, I have a crummy patch... it adds a function called "xml_command_callback" and re-organizes the $matches from preg into the regular function signature of "xml_command", then just passes along the values.

The parse_xml function now uses "preg_replace_callback" instead of "preg_replace" with the /e modifier. Even with the extra function call this should be faster, as "preg_replace_callback" is touted as being much faster than preg_replace with the /e modifier.*

* http://www.php.net/manual/en/function.preg-replace-callback.php#65182

Patch with:

cd roundcube/program/include/
patch -p3 --dry-run < quick_fix_suhosin_preg_rcub_template.diff
[if no errors]
patch -p3 < quick_fix_suhosin_preg_rcub_template.diff

Ticket for patch: http://trac.roundcube.net/ticket/1485286
« Last Edit: August 19, 2008, 07:52:42 PM by yourregistrationisbroken »
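The before/after that reply #12 describes, as an added example that is not RoundCube's own code or the posted patch: a minimal stand-in class with the /e-based parse_xml beside the preg_replace_callback rewrite. It assumes RoundCube's '<roundcube:NAME ATTRS>' tag syntax and regex, and xml_command here is a stub that only reports what it was handed.

```php
<?php
// Added example (not RoundCube's code): why the /e form trips Suhosin's eval
// blacklist and how the callback form avoids generating code from template text.
class TemplateDemo
{
    // Stub standing in for RoundCube's xml_command(): just describe the tag.
    private function xml_command($command, $attribs)
    {
        return '[' . $command . ' => ' . trim($attribs) . ']';
    }

    // Old form. The /e modifier makes PCRE substitute the captures into the
    // replacement string and hand the result to the PHP compiler for every
    // match; that is the eval path suhosin.executor.eval.blacklist watches,
    // so a blacklisted "fopen" anywhere in the evaluated code aborts it.
    // (/e was removed in PHP 7; this method is kept for comparison only.)
    public function parse_xml_old($input)
    {
        return preg_replace('/<roundcube:([-_a-z]+)\s+([^>]+)>/Uie',
                            "\$this->xml_command('\\1', '\\2')", $input);
    }

    // Adapter: preg_replace_callback passes the whole $matches array, so
    // unpack it into xml_command()'s two-argument signature.
    private function xml_command_callback($matches)
    {
        return $this->xml_command($matches[1], $matches[2]);
    }

    // New form: same pattern without /e. Matched text is passed as plain
    // string arguments, never compiled, so nothing goes through eval and
    // template content cannot become code.
    public function parse_xml($input)
    {
        return preg_replace_callback('/<roundcube:([-_a-z]+)\s+([^>]+)>/Ui',
                                     array($this, 'xml_command_callback'),
                                     $input);
    }
}

// Constructed sample template input.
$template = '<div><roundcube:object name="logo" /> '
          . '<roundcube:button command="logout" /></div>';
$t = new TemplateDemo();
echo $t->parse_xml($template), "\n";
```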