In an effort to tighten up security and protect our (and by association, your) servers from malicious attacks, we will be hardening our PHP installations with the excellent Suhosin project. Depending on your coding practices, this may or may not affect you. The most common "gotcha" is when you include other files using relative paths. For example:require('../../classes/SomeClass.php');Suhosin will not accept this because it's too easy to exploit. Instead, you need to be explicit:
require($_SERVER['DOCUMENT_ROOT'] . '/classes/SomeClass.php');The DOCUMENT_ROOT element of the $_SERVER global array will always point to the full path of your website's root. (eg. /home/user/Websites/mywebsite.com).
Please ensure you comply with this more secure style of including files.
2 comments:
Dang, that's going to be a lot of work to update. :( When does this take effect?
We'll start in simulation mode to see the entire scope of what will be affected. We can also allow a certain number of relative path (eg. 2 would allow for ../../something but not ../../../something). How many levels are you using?
Post a Comment