Author Topic: suhosin  (Read 3084 times)

Offline Schmatze

  • Jr. Member
  • **
  • Posts: 31
suhosin
« on: February 16, 2011, 11:01:44 AM »
Just a simple question: Why must suhosin.session.encrypt be disabled?

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,597
    • http://SKaero.com/
suhosin
« Reply #1 on: February 16, 2011, 11:10:57 AM »
Because RoundCube uses a custom session handler.

Offline Schmatze

  • Jr. Member
  • **
  • Posts: 31
suhosin
« Reply #2 on: February 18, 2011, 07:13:30 AM »
Ok, so I have disabled suhosin.session.encrypt with the .htaccess file, but the bin/update.sh script tells me that this is still enabled. The Apache mod_php5 is loaded. I'm using the new Debian Squeeze.

Offline alec

  • Hero Member
  • *****
  • Posts: 1,174
suhosin
« Reply #3 on: February 18, 2011, 07:35:28 AM »
update.sh is a CLI script and doesn't use Apache or .htaccess

Offline Schmatze

  • Jr. Member
  • **
  • Posts: 31
suhosin
« Reply #4 on: February 18, 2011, 09:14:19 AM »
So that means update.sh isn't right?

Offline nerbrume

  • Jr. Member
  • **
  • Posts: 11
suhosin
« Reply #5 on: October 25, 2011, 03:43:51 PM »
I'm having the same problem, upgrading from 0.5 to 0.6.
The installto.sh does not work, arguing that suhosin.session.encrypt is incorrectly set. It is however correctly set in the .htaccess of both the 0.5 and 0.6 roundcube folders. But it is on in my /etc/php5/apache2/conf.d/suhosin.ini file (Debian Squeeze), something I want to keep that way.
I guess the script relies on reading the global config file, rather than the .htaccess. I've tried to bypass that check, but did not find it in installto.sh.
Any idea?

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,597
    • http://SKaero.com/
suhosin
« Reply #6 on: October 25, 2011, 07:07:02 PM »
You can't disable suhosin.session.encrypt in the .htaccess on most systems; you can check by doing a phpinfo(); check in the directory. You may be able to disable it in a php.ini file instead.

Offline nerbrume

  • Jr. Member
  • **
  • Posts: 11
suhosin
« Reply #7 on: October 26, 2011, 04:01:07 AM »
Yep, indeed, the .htaccess does not work as expected. Changing the value of suhosin.session.encrypt in /etc/php5/apache2/conf.d/suhosin.ini works. But it's system-wide, not very convenient.
Out of curiosity, if I:
- comment out the requirement for suhosin.session.encrypt in roundcube/program/include/iniset.php
- and keep "suhosin.session.encrypt on" in suhosin.ini (system-wide)
everything works! Is roundcube using its own session handler in this case? How could I check it?
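The two questions in this thread (why update.sh sees a different value than the webmail, and how to tell whether a custom session handler is active) can both be answered with a small diagnostic. This is an added example, not Roundcube code or anything posted in the thread; the file name check_suhosin.php is an assumption. Run it once from the shell (the SAPI that bin/update.sh and installto.sh use) and once through Apache (the SAPI the webmail uses): each reports the php.ini and conf.d files it actually loaded, so a value set only in .htaccess or only in /etc/php5/apache2/conf.d/suhosin.ini shows up in one run and not the other.

```php
<?php
// check_suhosin.php (hypothetical name): report, for the SAPI this runs under,
// which ini files were loaded, the effective suhosin.session.encrypt value and
// which session save handler PHP currently uses.
// Added diagnostic, not part of Roundcube.

function suhosin_session_report() {
    $raw = ini_get('suhosin.session.encrypt');
    // ini_get() returns false when the directive is unknown (Suhosin not loaded)
    // and otherwise the raw string; "on", "1", "true" and "yes" all mean enabled.
    $enabled = ($raw !== false) && filter_var($raw, FILTER_VALIDATE_BOOLEAN);

    return array(
        'sapi'            => php_sapi_name(),           // "cli" vs "apache2handler"
        'suhosin_loaded'  => extension_loaded('suhosin'),
        'php_ini'         => php_ini_loaded_file(),     // e.g. /etc/php5/cli/php.ini
        'scanned_ini'     => php_ini_scanned_files(),   // conf.d/*.ini, comma separated
        'encrypt_raw'     => $raw,
        'encrypt_enabled' => $enabled,
        // PHP reports "user" here once session_set_save_handler() has been called,
        // so this only reads "user" when the function runs inside an application
        // (such as Roundcube) that has already installed its own handler.
        'session_handler' => ini_get('session.save_handler'),
    );
}

if (php_sapi_name() !== 'cli') {
    header('Content-Type: text/plain');
}
foreach (suhosin_session_report() as $key => $value) {
    if (is_bool($value)) {
        $value = $value ? 'yes' : 'no';
    } elseif ($value === false) {
        $value = '(not set)';
    }
    printf("%-16s %s\n", $key, $value);
}
```

Run as `php check_suhosin.php` it shows the CLI ini files, which is why an .htaccess override never reaches update.sh; fetched through the web server it shows the Apache ini files, and `encrypt_enabled` there is the value Roundcube's own check in iniset.php is effectively testing against.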
