Last modified: 2013-01-09 11:15:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T45738, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 43738 - update.php: suhosin alert in line 546 when the memory_limit is disabled
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: Maintenance scripts
Version: 1.21.x
Hardware: All All
Importance: Low normal
Assigned To: Nobody - You can work on this!

Reported: 2013-01-08 15:44 UTC by T. Gries
Modified: 2013-01-09 11:15 UTC (History)
Description T. Gries 2013-01-08 15:44:52 UTC
When your php has Suhosin support, php update.php throws this message

suhosin[29923]: ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '/srv/www-ssl/htdocs/phase3/maintenance/Maintenance.php', line 546)
Comment 1 Bawolff (Brian Wolff) 2013-01-08 15:48:23 UTC
(In reply to comment #0)
> When your php has Suhosin support, php update.php throws this message
> 
> suhosin[29923]: ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '/srv/www-ssl/htdocs/phase3/maintenance/Maintenance.php', line 546)

I doubt there's much we can do about this. We have legitimate reasons for disabling the memory limit here.

Does this just give an alert, or does it also prevent the script from executing? Perhaps we could set the limit to a couple gigabytes instead or something.
Comment 2 T. Gries 2013-01-08 16:05:30 UTC
Brian, it's only an alert, the script runs - at least what I can see in the console. I just want to inform everyone about this behaviour (not everyone runs Suhosin).

I suppose, however, that Suhosin effectively prevents update.php from actually increasing the memory, so update.php _may_ fail because of exhausted memory. "I am not an expert in this field, only the reporter."

If you want me to test something, let me know.
Comment 3 Bawolff (Brian Wolff) 2013-01-08 16:24:03 UTC
>Brian, it's only an alert, the script runs - at least what I can see in the
>console. I just want to inform everyone about this behaviour (not everyone runs
>Suhosin).

I was just checking from a "how critical is this" perspective. The warning isn't great, but not as bad as if this prevented the script from running.
Comment 4 Bawolff (Brian Wolff) 2013-01-08 16:26:00 UTC
btw, changing components, since this is something that gets done for all maintenance scripts, not just the updater.
Comment 5 Max Semenik 2013-01-09 11:15:19 UTC
Disable this check for command-line PHP: http://www.hardened-php.net/suhosin/configuration.html#suhosin.memory_limit

Working around it is not possible because some command-line scripts have a valid reason to demand a lot of memory, and not requesting it would mean that they will fail.
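
For anyone triaging these alerts in syslog, the following is an added example (not part of the bug thread and not MediaWiki or Suhosin code) that parses the alert format quoted in the description and separates memory_limit alerts raised by command-line runs from those raised during web requests. It assumes the `attacker 'REMOTE_ADDR not set'` marker identifies a command-line run, as in the report; the function names and every sample line except the first are constructed for illustration.

```python
import re

# Shape of the alert quoted in the report:
# suhosin[PID]: ALERT - <message> (attacker '<addr>', file '<path>', line <n>)
ALERT_RE = re.compile(
    r"suhosin\[(?P<pid>\d+)\]: ALERT - (?P<message>.*) "
    r"\(attacker '(?P<attacker>[^']*)', file '(?P<file>[^']*)'"
    r"(?:, line (?P<line>\d+))?\)\s*$"
)

# Assumption: this marker means a command-line run, as in the report.
CLI_ATTACKER = "REMOTE_ADDR not set"


def parse_alert(text):
    """Return the alert fields as a dict, or None if text is not a Suhosin alert."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["line"] = int(fields["line"]) if fields["line"] else None
    return fields


def triage(text):
    """Classify a log line: not-suhosin, other, cli-memory-limit or web-memory-limit."""
    alert = parse_alert(text)
    if alert is None:
        return "not-suhosin"
    if "memory_limit" not in alert["message"]:
        return "other"
    # No client address recorded: the maintenance-script case discussed in this bug.
    if alert["attacker"] == CLI_ATTACKER:
        return "cli-memory-limit"
    # A client address is present: the request came through the web server.
    return "web-memory-limit"


# Sample input: the first line is the alert from the report; the rest are constructed.
SAMPLE_LOG = [
    "suhosin[29923]: ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '/srv/www-ssl/htdocs/phase3/maintenance/Maintenance.php', line 546)",
    "suhosin[30110]: ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker '203.0.113.5', file '/srv/www-ssl/htdocs/example/upload.php', line 12)",
    "sshd[411]: Accepted publickey for deploy from 203.0.113.9",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry), "<-", entry[:60])
```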
