For the Hardened-PHP versions with Suhosin extension,
I wrote a tiny extension https://www.mediawiki.org/wiki/Extension:Suhosin which is easier to link into LocalSettings for those who need it.
Basically, after some checks, it sets $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
Please check that version for unintended side-effects; I hope there are none.
Tom
[1] https://www.mediawiki.org/wiki/Extension:Suhosin [2] https://www.mediawiki.org/wiki/Manual:Suhosin_%28Hardened-PHP_Project_patch_...
On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries mail@tgries.de wrote:
Basically, after some checks, it sets $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
That doesn't look right. http://www.hardened-php.net/suhosin/configuration.html#suhosin.get.max_name_...
suhosin.get.max_name_length defaults to 64 because that is only testing the length of a single key in the URL.
There doesn't appear to be a straightforward mapping between Suhosin config and $wgResourceLoaderMaxQueryLength.
For example, this calculation appears to produce the maximum query string length (including the ?). suhosin.get.max_vars * (suhosin.get.max_totalname_length + suhosin.get.max_value_length + 1) + suhosin.get.max_vars
However, all likely occurrences of query strings at that length will fail the Suhosin filters (because there will be many more, smaller keys/values).
In any case, 64 as a limit for $wgResourceLoaderMaxQueryLength seems much too small.
~Rusty
On 17.02.2012 01:38, Rusty Burchfield wrote:
On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries mail@tgries.de wrote:
Basically, after some checks, it sets $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
I corrected that already, it must be suhosin.get.max_value_length.
On Thu, Feb 16, 2012 at 4:41 PM, Thomas Gries mail@tgries.de wrote:
On 17.02.2012 01:38, Rusty Burchfield wrote:
On Thu, Feb 16, 2012 at 3:54 PM, Thomas Gries mail@tgries.de wrote:
Basically, after some checks, it sets $wgResourceLoaderMaxQueryLength=min($wgResourceLoaderMaxQueryLength,ini_get("suhosin.get.max_name_length"));
I corrected that already, it must be suhosin.get.max_value_length.
I don't believe that is correct either.
This is what "name" and "value" represent to Suhosin. http://example.com/?name1=value1&name2=value2
In this example, both values are 6 characters long, and the entire query string is 26 characters.
ResourceLoader uses many names and values in each URL. As long as individual names and values are under the configured limits, the URL is OK. However, $wgResourceLoaderMaxQueryLength limits the *total* length of *all* names and values.
~Rusty
Hello, the extension has also been published with the intention that those who feel competent improve it.
Regarding my extension for dynamic adaption of
$wgResourceLoaderMaxQueryLength in accordance with the current suhosin parameters in php.ini
it is correct to assume such a format
http://example.com/?name1=value1&name2=value2&name3=value3
i.e. $wgResourceLoaderMaxQueryLength = the max. total length of query stream =
( (max. length of names) + (max. length of values) + 2 ) * ( max. number of name/value pairs )
Rusty wrote $wgResourceLoaderMaxQueryLength limits the *total* length of *all* names and values.
Can you confirm?
On Sat, Feb 18, 2012 at 10:12 AM, Thomas Gries mail@tgries.de wrote:
Can you confirm?
I think the real problem is that $wgResourceLoaderMaxQueryLength is insufficient for the configuration you desire. It only loosely correlates with the problem it seems intended to resolve.
Assuming both the number of key/value pairs and the length of each key resource loader uses is bounded and small, a new configuration variable to control the maximum value length would be useful for your purposes.
~Rusty
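The mismatch Rusty describes between Suhosin's per-name/per-value filters and MediaWiki's single total-length limit, as an added illustration that is not code from Extension:Suhosin or MediaWiki. Only suhosin.get.max_name_length = 64 comes from the thread; the other three Suhosin values, the function names and the sample query strings are constructed for the example.

```php
<?php
// Added illustration, not code from Extension:Suhosin or MediaWiki.
// Constructed Suhosin settings: max_name_length = 64 as stated in the
// thread; the other three values are assumptions for this example.
$suhosin = [
    'suhosin.get.max_vars'             => 100,
    'suhosin.get.max_name_length'      => 64,
    'suhosin.get.max_totalname_length' => 256,
    'suhosin.get.max_value_length'     => 512,
];

// Upper bound on a whole query string (including the '?') as Rusty derives it.
function suhosinMaxQueryLength( array $s ) {
    return $s['suhosin.get.max_vars']
        * ( $s['suhosin.get.max_totalname_length'] + $s['suhosin.get.max_value_length'] + 1 )
        + $s['suhosin.get.max_vars'];
}

// Simplified model of Suhosin's GET filter: counts the pairs and checks each
// name and each value on its own (flat names only, no array syntax).
function passesSuhosin( $query, array $s ) {
    $pairs = explode( '&', ltrim( $query, '?' ) );
    if ( count( $pairs ) > $s['suhosin.get.max_vars'] ) { return false; }
    foreach ( $pairs as $pair ) {
        list( $name, $value ) = array_pad( explode( '=', $pair, 2 ), 2, '' );
        if ( strlen( $name ) > $s['suhosin.get.max_name_length'] ) { return false; }
        if ( strlen( $value ) > $s['suhosin.get.max_value_length'] ) { return false; }
    }
    return true;
}

// MediaWiki's check is a single bound on the total length of the query string.
function passesMediaWiki( $query, $wgResourceLoaderMaxQueryLength ) {
    return strlen( $query ) <= $wgResourceLoaderMaxQueryLength;
}

$bound = suhosinMaxQueryLength( $suhosin );   // 77000 with the values above
$cases = [
    'thread example'      => '?name1=value1&name2=value2',         // 26 characters
    'one oversized value' => '?modules=' . str_repeat( 'a', 600 ),  // fails Suhosin only
    'many short pairs'    => '?' . implode( '&', array_map(          // passes Suhosin, > 64
        function ( $i ) { return "m$i=" . str_repeat( 'b', 500 ); }, range( 1, 100 ) ) ),
];
foreach ( $cases as $label => $q ) {
    printf( "%-20s len=%5d suhosin=%s total<=%d:%s total<=64:%s\n", $label, strlen( $q ),
        passesSuhosin( $q, $suhosin ) ? 'ok' : 'FAIL',
        $bound, passesMediaWiki( $q, $bound ) ? 'ok' : 'FAIL',
        passesMediaWiki( $q, 64 ) ? 'ok' : 'FAIL' );
}
```

The second case is shorter than Rusty's computed bound yet rejected by Suhosin, while the third passes every Suhosin filter but would be rejected by a $wgResourceLoaderMaxQueryLength of 64, which is why no single number maps one limit onto the other.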
wikitech-l@lists.wikimedia.org