suhosin.executor.eval.blacklist sometimes applied erroneously #82
Can you provide an example blacklist and php-script for us to recreate the issue?
Something as simple as this works when the bug is triggered:
The million-dollar question is, how does one get the bug to trigger? That I haven't figured out quite yet, and frankly, I'm not sure I ever will. To my eyes at this stage, it truly does appear to be totally random.
Just out of curiosity. Are you running OPcache or any other zend extension?
I'm running OPcache, yep. That's my only zend_extension.
Can you reproduce this random wrongful behavior if OPcache is not enabled? My guess is that OPcache could cache function calls and if one function is suddenly blocked by Suhosin in eval mode, then that very same function would be blocked for every mode due to OPcache caching such a result. This is a long shot and more research is necessary, as I haven't poked around the OPcache code yet.
An excellent theory, but alas, it didn't check out. With two simple test scripts, one calling a blacklisted function with eval, one calling it without, the one without continued to function after the blacklist was triggered. I'll try running without OPcache for a few days and report back.
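The two-script comparison described above, written out as an added example (this is not the reporter's script, which is not reproduced on this page, and not part of Suhosin). It assumes the ini setting `suhosin.executor.eval.blacklist = base64_decode` and a single script run twice, once with the call outside eval and once inside. A shutdown function records whether the call returned, so the result is visible whether Suhosin ends the request with a fatal error or the call simply never completes; outside eval the call must succeed, and a block there is the behaviour this issue reports.

```php
<?php
// check_eval_blacklist.php (added example, not from the issue or from Suhosin)
// Assumes php.ini or the PHP-FPM pool config contains:
//   suhosin.executor.eval.blacklist = base64_decode
// CLI:  php check_eval_blacklist.php direct
//       php check_eval_blacklist.php eval
// FPM:  check_eval_blacklist.php?mode=direct   /   ?mode=eval
// (PHP 5.6 syntax: no ?? operator, so isset() is used instead.)

$mode = isset($argv[1]) ? $argv[1]
      : (isset($_GET['mode']) ? $_GET['mode'] : 'direct');
$completed = false;

// Shutdown functions still run after Suhosin aborts the request, so an
// unset $completed flag means the blacklisted call never returned.
register_shutdown_function(function () use ($mode, &$completed) {
    if (!$completed) {
        echo "[$mode] base64_decode was BLOCKED: request ended before the call returned\n";
    }
});

$encoded = base64_encode('suhosin check');   // constructed sample input

if ($mode === 'eval') {
    // Inside eval the blacklist is expected to apply; Suhosin logs an alert
    // and the decoded value is never printed.
    $decoded = eval('return base64_decode($encoded);');
} else {
    // Outside eval the blacklist must not apply. If this run prints BLOCKED,
    // the eval blacklist has leaked into normal execution (the bug reported here).
    $decoded = base64_decode($encoded);
}

$completed = true;
printf("[%s] base64_decode returned %s\n", $mode, var_export($decoded, true));
```

Run the `direct` mode repeatedly against the same PHP-FPM pool (for example once a minute from cron) and keep the `eval` mode for deliberately triggering the blacklist; the first `direct` run that prints BLOCKED, together with the FPM error log around that time, narrows down which request flipped the state, since per the report it then stays blocked until PHP-FPM is restarted.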
Maybe related, but we are seeing some false positives as well, for example: Line 830: The getStateCookie function indeed does use base64_decode, but there is no eval used in there.
On PHP v5.6.7, I'm finding Suhosin v0.9.37.1 sometimes decides to disable the functions provided in suhosin.executor.eval.blacklist when NOT in an eval context. When this occurs, these functions remain disabled indefinitely until PHP-FPM is restarted. Thus far, I've been unable to find any method to the madness -- one second my scripts work, and the next, they don't. Thoughts?