[4244] SMF 2.0 RC3 - Obfuscation of session variable name breaks integration
MultiformeIngegno:
NAO YOU DESERVE A STATUE!!!
They've disabled the patch and everything works flawlessly!!!!!!!!!
P.S.: Now let's leave in peace the poor Nao ( :P ) and let's ask the other devs: we've discovered the problem, and ensured it's not a SMF problem.. anyway is there a way to "avoid" this? Maybe a workaround that applies if SMF detects you have that configuration.. Are there many servers with that patch installed?
Nao 尚:
--- Quote from: MultiformeIngegno on June 14, 2010, 05:35:09 AM ---OK man... you're right (as always). Also with SMF 2.0 RC2 it doesn't work.
--- End quote ---
You..........should have tried that......earlier......... :o
It would have saved me several hours of comparing RC2 and RC3 code last week...
--- Quote ---I've opened a ticket, hopefully they'll disable the patch or.. don't know.. they're always kind! :)
--- End quote ---
Just ask them to disable the two variables I mentioned. *Or* to tell you how to disable them via php.ini or .htaccess, because normally, their access level SHOULD allow you to disable them, but I tried and tried, and it never worked.
Nao 尚:
--- Quote from: MultiformeIngegno on June 14, 2010, 06:17:39 AM ---NAO YOU DESERVE A STATUE!!!
--- End quote ---
Lulz!!1
--- Quote ---They've disabled the patch and everything works flawlessly!!!!!!!!!
--- End quote ---
Just the two variables, or the entire Suhosin?
--- Quote ---P.S.: Now let's leave in peace the poor Nao ( :P ) and let's ask the other devs: we've discovered the problem, and ensured it's not a SMF problem.. anyway is there a way to "avoid" this? Maybe a workaround that applies if SMF detects you have that configuration.. Are there many servers with that patch installed?
--- End quote ---
Yes, Suhosin is pretty popular in the shared hosting world I believe. It's a way of closing some potential PHP holes I believe.
As for the cryptdocroot variable, I have no idea whether it's enabled by default or not.
The only way to fix it through SMF is to ini_set the two variables to Off. I've tested this on my server (which doesn't have them) and it didn't generate any issue, so it should be safe enough. As for security, I don't think disabling it would cause any trouble. Maybe disable them only if the loadSession() variable is called through SSI.php...? That may be a good solution, although not perfect (because with some code hacking, subdomains can be used on any SMF page, see noisen.com, so that wouldn't help SMF in case we implement the feature into v2.1 or v3.0.)
MultiformeIngegno:
--- Quote from: Nao on June 14, 2010, 07:24:15 AM ---
--- Quote ---They've disabled the patch and everything works flawlessly!!!!!!!!!
--- End quote ---
Just the two variables, or the entire Suhosin?
--- End quote ---
--- Quote ---Hello Lorenzo,
Sorry to hear about this. The Suhosin configuration we were running was the default one, however we hadn't realised that the default configuration could cause this kind of problem.
We've gone ahead and disabled suhosin.session.cryptdocroot and suhosin.cookie.cryptdocroot now (as can be seen under the "suhosin" heading of this phpinfo() page: http://devotedhosting.com/phpInfo1492.php )
Hopefully this problem should now be resolved (Googling this issue does show a few people having a similar problem with subdomain script linking, when this setting is on). Please let us know if you need any other settings changed however :)
Many thanks!
--- End quote ---
Nao 尚:
Good, good. BTW, googling devotedhosting brings me to a SMF beta tester's signature... So I can only guess they were indeed eager to help ;)
The bad news is that the setting is On by default, then. And if everything's the default setting, then it can't be turned off by SMF either. Maybe this will need a mention in an FAQ or something.
Norv, you're the assignee for the bug report -- how would you like us to deal with it?
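
The check discussed in this thread, written out as an added example (not part of the original posts and not SMF code): it reports whether the two Suhosin settings named in the host's reply are enabled and whether a runtime `ini_set()` actually takes effect on this server. The function name `cryptdocroot_report` and the report strings are hypothetical.

```php
<?php
// Added example, not SMF code. Function name and report strings are hypothetical.
// The two directive names are the ones quoted in the host's reply in this thread.
const CRYPTDOCROOT_SETTINGS = [
    'suhosin.session.cryptdocroot',
    'suhosin.cookie.cryptdocroot',
];

/**
 * Report the state of each directive. With $try_disable = true, also attempt
 * to switch it off for the current request and re-read the value, which shows
 * whether the server lets a script change it at all.
 */
function cryptdocroot_report(bool $try_disable = false): array
{
    $report = [];
    foreach (CRYPTDOCROOT_SETTINGS as $name) {
        $value = ini_get($name);   // false when the directive is not registered
        if ($value === false) {
            $report[$name] = 'not present (Suhosin not loaded?)';
            continue;
        }
        // ini booleans come back as "1", "", "On", "Off", ... depending on source
        if (!filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $report[$name] = 'off';
            continue;
        }
        if (!$try_disable) {
            $report[$name] = 'on';
            continue;
        }
        ini_set($name, '0');       // returns false if not changeable at runtime
        $still_on = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
        $report[$name] = $still_on
            ? 'on, runtime change refused (needs php.ini or host support)'
            : 'was on, switched off for this request';
    }
    return $report;
}

foreach (cryptdocroot_report(true) as $name => $state) {
    echo $name, ': ', $state, PHP_EOL;
}
```

Run it from the same virtual host that serves the integration page, since the reported values can differ per directory or per host configuration.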