October 10, 2008

Introducing Suhosin

In an effort to tighten up security and protect our (and by association, your) servers from malicious attacks, we will be hardening our PHP installations with the excellent Suhosin project. Depending on your coding practices, this may or may not affect you. The most common "gotcha" is including other files using relative paths that climb out of the current directory with ../. For example:


Suhosin rejects includes of this kind because paths built from ../ are a common directory-traversal vector: if any part of the path is influenced by user input, an attacker can walk out of the intended directory and pull in an unintended file. Instead, you need to be explicit and build the path from your site's root:

require($_SERVER['DOCUMENT_ROOT'] . '/classes/SomeClass.php');

The DOCUMENT_ROOT element of the $_SERVER global array is set by the web server to the absolute path of your website's root directory, so it contains no ../ and does not depend on the script's working directory (e.g. /home/user/Websites/

Please ensure you comply with this more secure style of including files.
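The following is an added example, not code from the original post or from the Suhosin project. It contrasts the relative, traversal-based include that Suhosin blocks with the DOCUMENT_ROOT-based form requested above, and wraps the include in a small guard so that a path can never resolve outside the site root even if part of it comes from configuration or user input. The file name classes/SomeClass.php is taken from the post; the ../../ example path, the helper site_path and its CLI fallback are assumptions.

```php
<?php
// Added example (not from the original post or from Suhosin): rooted includes
// plus a guard that refuses any path resolving outside the document root.
// The ../../ path, the helper name site_path and the CLI fallback are assumptions.

// BEFORE: a relative include that climbs out of the current directory. Suhosin's
// include-traversal limit blocks it, and it is fragile anyway because it depends
// on the working directory of the running script.
//
//   require('../../classes/SomeClass.php');
//
// AFTER: an absolute path built from the web server's document root. It contains
// no "../" and works the same no matter which directory the script runs from.
//
//   require($_SERVER['DOCUMENT_ROOT'] . '/classes/SomeClass.php');

/**
 * Resolve $relative against the site root and return the absolute path, or
 * false if the file does not exist or would land outside the root.
 * Hypothetical helper added for this example.
 */
function site_path($relative)
{
    // DOCUMENT_ROOT is only set when PHP runs under the web server; from the
    // command line it is empty, so fall back to the directory of this file.
    $root = !empty($_SERVER['DOCUMENT_ROOT'])
        ? $_SERVER['DOCUMENT_ROOT']
        : dirname(__FILE__);
    $root = realpath($root);
    if ($root === false) {
        return false;
    }

    // realpath() collapses any "." and ".." segments and symlinks, so the
    // prefix comparison below is made on the real location of the file.
    $target = realpath($root . '/' . ltrim($relative, '/'));
    if ($target === false) {
        return false;   // file does not exist
    }

    // Accept only paths at or below the root directory itself.
    $root_prefix = rtrim($root, '/') . '/';
    if (strpos($target . '/', $root_prefix) !== 0) {
        return false;   // resolved outside the root, e.g. via "../"
    }
    return $target;
}

// Usage: every include goes through the helper, so a bad path fails loudly
// instead of silently pulling in a file from elsewhere on the server.
$file = site_path('classes/SomeClass.php');
if ($file === false) {
    die('Refusing to include a file outside the document root');
}
require_once($file);
```

The guard is complementary to Suhosin rather than a replacement for it: Suhosin stops ../ at the include boundary, while the realpath comparison also catches symlinks and absolute paths that point outside the site.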


Luke said...

Dang, that's going to be a lot of work to update. :( When does this take effect?

pgib said...

We'll start in simulation mode to see the entire scope of what will be affected. We can also allow a certain number of relative path levels (e.g. 2 would allow for ../../something but not ../../../something). How many levels are you using?