
Comments (7)

rentalhost commented on July 22, 2024

@stefanesser

from suhosin.

bef commented on July 22, 2024

With a[]=&a[]=on, the resulting $_POST['a'] should be array('', 'on'). The test case passes successfully with both PHP 5.5.30 and 5.6.16.

The various disallow_nul options make sure that strings do not contain the NUL byte (\0).


rentalhost commented on July 22, 2024

It's very strange. After I updated my server from PHP 5.5 to 5.6, Suhosin should have been updated too, but the ini configs were kept. After the update, all my applications that use forms like that started to fail. I was able to check that this was the problem: after I disabled Suhosin, everything was back to normal.

Another possibility is that my Suhosin is outdated (compared to the GitHub version). Is that possible? Was there an issue like that at some point?

Lastly, can you just try it (locally)?

<form action="" method="post">
    <input type="text" name="user[]" />
    <input type="text" name="user[]" />
    <input type="text" name="content[]" />
    <input type="text" name="content[]" value="ok" />
</form>

It should return something like:

$_POST['user'] = ['', ''];
$_POST['content'] = ['', 'ok'];

As a last resort, I'll try to do it on a virtual machine based on my server settings -- it'll be hard, so I need to do it only as a last resort.

Thanks a lot!


bef commented on July 22, 2024

With Suhosin 0.9.38 on Debian/Apache2 it shows (correctly):

array(2) {
  ["user"]=>
  array(2) {
    [0]=>
    string(0) ""
    [1]=>
    string(0) ""
  }
  ["content"]=>
  array(2) {
    [0]=>
    string(0) ""
    [1]=>
    string(2) "ok"
  }
}

Please try to enable logging and see if any Suhosin rule is altering the request:

suhosin.log.file=255
suhosin.log.file.name=/tmp/suhosin-debug.log


rentalhost commented on July 22, 2024

@bef I did your test and these are the results:

Test code:

<?php
    var_dump($_POST);
?>
<form method="post" action="">
    <input type="text" name="a[]" value="" />
    <input type="text" name="a[]" value="test" />
    <input type="submit" />
</form>

Without suhosin:

array(1) { ["a"]=> array(2) { [0]=> string(0) "" [1]=> string(4) "test" } }

With suhosin:

array(1) { ["a"]=> array(1) { [0]=> string(4) "test" } }

Suhosin log:

Nov 30 02:49:32 [8449] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'a[]'
Nov 30 02:49:32 [8449] ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE)

Suhosin version: 0.9.36
PHP version: 5.6.15


I tried adding suhosin.request.disallow_nul=Off and it seems that it worked.

suhosin.cookie.disallow_nul=Off
suhosin.get.disallow_nul=Off
suhosin.post.disallow_nul=Off
suhosin.request.disallow_nul=Off ; this

The question now is: should it be the default?


stefanesser commented on July 22, 2024

The current version of Suhosin is 0.9.38 not 0.9.36 - what you describe is a known bug occurring in an older version of Suhosin.


rentalhost commented on July 22, 2024

Well, I fixed it with these last settings, but it is important to test on 0.9.38 too without them. I'll look into how to update Suhosin and then return to this topic. Thanks a lot!

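The thread's debugging step is to enable Suhosin logging and see which rule is altering the request. The script below is an added example (not part of the thread and not Suhosin code) that tallies such ALERT lines per rule and variable and cross-checks them against the per-request summary line. The line layout is assumed from the two log lines quoted above, and the pid 8450 entries are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: the two ALERT lines quoted in the thread, plus a
# made-up second request (pid 8450) to show grouping across requests.
SAMPLE_LOG = """\
Nov 30 02:49:32 [8449] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'a[]'
Nov 30 02:49:32 [8449] ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE)
Nov 30 02:50:10 [8450] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'user[]'
Nov 30 02:50:10 [8450] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'content[]'
Nov 30 02:50:10 [8450] ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE)
"""

# Assumption: every line follows the "<timestamp> [<pid>] ALERT - ..." layout seen in the thread.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \[(?P<pid>\d+)\] ALERT - "
DROP_RE = re.compile(PREFIX + r"(?P<reason>.+?) - dropped variable '(?P<var>[^']*)'")
SUMMARY_RE = re.compile(
    PREFIX + r"dropped (?P<n>\d+) request variables - "
    r"\((?P<get>\d+) in GET, (?P<post>\d+) in POST, (?P<cookie>\d+) in COOKIE\)")

def triage(log_text):
    """Return (drops per (rule, variable), drops per source, requests whose counts disagree)."""
    by_rule = Counter()
    by_source = Counter()
    seen = Counter()    # drop lines seen so far, keyed by (timestamp, pid)
    mismatched = []     # summary count differs from the drop lines found
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            key = (m["ts"], m["pid"])
            for src in ("get", "post", "cookie"):
                by_source[src.upper()] += int(m[src])
            if seen.pop(key, 0) != int(m["n"]):
                mismatched.append(key)
            continue
        m = DROP_RE.match(line)
        if m:
            by_rule[(m["reason"], m["var"])] += 1
            seen[(m["ts"], m["pid"])] += 1
    return by_rule, by_source, mismatched

if __name__ == "__main__":
    rules, sources, bad = triage(SAMPLE_LOG)
    for (reason, var), count in rules.most_common():
        print(f"{count:3d}  {var:12s} {reason}")
    print("per source:", dict(sources), "| mismatched requests:", bad)
```

A rule that only ever fires on array-style fields submitted empty, as in the thread's log, points at a false positive in the filter rather than at hostile input, which is worth knowing before a disallow_nul setting is switched off.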
