[Bug 291551] New: after PHP5 Update to 5.2.0-16 no more Session
https://bugzilla.novell.com/show_bug.cgi?id=291551

Summary: after PHP5 Update to 5.2.0-16 no more Session
Product: openSUSE 10.2
Version: Final
Platform: 32bit
OS/Version: openSUSE 10.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: novell-web@zmi.at
QAContact: qa@suse.de
Found By: Customer

After the last Update, we had the problem that a specific application did not work anymore. After several hours of debugging, we found

*) the session is lost after the script was running. Sessions are set via cookies, but after the script calls the next script, all cookies are empty.

*) making this work again via patching the script and submitting the session id via a hidden form variable to the next script (thus having to set session.use_only_cookies=0 which is not good for security), there's the next problem that not all form variables are submitted. For example, the "submit" button variable is not set anymore.

*) the former error only happens when there's a lot of POST variables, although we have post_max_size = 30M

We've tested downgrading to 5.2.0-10 from the openSUSE 10.2 DVD, everything works again. We've had 5.2.0-14 before the update to 5.2.0-16, and this worked too. It's just the latest version showing this error.

Please, urgently fix this, or tell us a workaround.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=291551#c1
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=291551
Ales Nosek
https://bugzilla.novell.com/show_bug.cgi?id=291551#c2
Cristian Rodriguez
https://bugzilla.novell.com/show_bug.cgi?id=291551#c3
--- Comment #3 from Cristian Rodriguez
https://bugzilla.novell.com/show_bug.cgi?id=291551#c4
--- Comment #4 from Michael Monnerie
https://bugzilla.novell.com/show_bug.cgi?id=291551#c5
Michal Marek
> *) the session is lost after the script was running. Sessions are set via cookies, but after the script calls the next script, all cookies are empty.

You mean that the browser doesn't set the id back. How do the Set-Cookie headers (if any) look like?
https://bugzilla.novell.com/show_bug.cgi?id=291551#c6
Michal Marek
https://bugzilla.novell.com/show_bug.cgi?id=291551#c7
--- Comment #7 from Cristian Rodriguez
https://bugzilla.novell.com/show_bug.cgi?id=291551#c8
Michal Marek
> We found the problem:
> The *-16 update has a dependency to automatically install the "suhosin" patch from the hardened PHP project

Strange, the only patch that refers to the suhosin package is patch-apache2-mod_php5-3289.xml. Which is 5.2.0-14. 5.2.0-16 is patch-php5-3745.xml:

$ grep -c suhosin patch-php5-3745.xml
0

Marcus, any idea? :)
https://bugzilla.novell.com/show_bug.cgi?id=291551#c9
--- Comment #9 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=291551#c10
--- Comment #10 from Cristian Rodriguez
https://bugzilla.novell.com/show_bug.cgi?id=291551#c11
--- Comment #11 from Ales Nosek
> You should have perhaps left out the Recommends.

But that "Recommends: php5-suhosin" was already in 5.2.0-14 spec file and even also in earlier versions.
https://bugzilla.novell.com/show_bug.cgi?id=291551#c12
--- Comment #12 from Cristian Rodriguez
> But that "Recommends: php5-suhosin" was already in 5.2.0-14 spec file and even also in earlier versions.

As expected, as it has always worked fine, and the defaults are suited for most applications as well, but maybe setting this filter a bit higher in the next release will not harm either. ;-)
https://bugzilla.novell.com/show_bug.cgi?id=291551#c13
--- Comment #13 from Ales Nosek
https://bugzilla.novell.com/show_bug.cgi?id=291551#c14
--- Comment #14 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=291551#c16
--- Comment #16 from Michael Monnerie
https://bugzilla.novell.com/show_bug.cgi?id=291551#c17
--- Comment #17 from Michael Monnerie
https://bugzilla.novell.com/show_bug.cgi?id=291551#c18
--- Comment #18 from Cristian Rodriguez
https://bugzilla.novell.com/show_bug.cgi?id=291551#c19
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=291551#c20
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=291551#c21
--- Comment #21 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=291551#c22
--- Comment #22 from Cristian Rodriguez
> Adding YaST people to CC. It's unspecified whether YOU (or maybe package updates in general) needs to honor and resolve Recommends. This case demonstrates that it better should not.

of course it should not ;)

> We could re-release php for 10.2 immediately without suhosin to avoid more people falling into the trap over the weekend.

That will only hide the actual problem, I don't think that is a good idea, the spec file is perfectly valid in this case :-(
https://bugzilla.novell.com/show_bug.cgi?id=291551#c23
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=291551#c24
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=291551#c25
--- Comment #25 from Cristian Rodriguez
> if it's considered harmful.

Is considered harmful on this edge case that the user was exposing, only insane applications submit more than 200 variables at the same time, the limit is actually quite high. A GET request that hits this limit will look like this:

http://novell.com/1=1&2=2&3=3&4=4&5=5&6=6&7=7&8=8&9=9&10=10&11=11&12=12&13=13
&14=14&15=15&16=16&17=17&18=18&19=19&20=20&21=21&22=22&23=23&24=24&25=25&26=26
&27=27&28=28&29=29&30=30&31=31&32=32&33=33&34=34&35=35&36=36&37=37&38=38&39=39
&40=40&41=41&42=42&43=43&44=44&45=45&46=46&47=47&48=48&49=49&50=50&51=51&52=52
&53=53&54=54&55=55&56=56&57=57&58=58&59=59&60=60&61=61&62=62&63=63&64=64&65=65
&66=66&67=67&68=68&69=69&70=70&71=71&72=72&73=73&74=74&75=75&76=76&77=77&78=78
&79=79&80=80&81=81&82=82&83=83&84=84&85=85&86=86&87=87&88=88&89=89&90=90&91=91
&92=92&93=93&94=94&95=95&96=96&97=97&98=98&99=99&100=100&101=101&102=102&103=103
&104=104&105=105&106=106&107=107&108=108&109=109&110=110&111=111&112=112&113=113
&114=114&115=115&116=116&117=117&118=118&119=119&120=120&121=121&122=122&123=123
&124=124&125=125&126=126&127=127&128=128&129=129&130=130&131=131&132=132&133=133
&134=134&135=135&136=136&137=137&138=138&139=139&140=140&141=141&142=142&143=143
&144=144&145=145&146=146&147=147&148=148&149=149&150=150&151=151&152=152&153=153
&154=154&155=155&156=156&157=157&158=158&159=159&160=160&161=161&162=162&163=163
&164=164&165=165&166=166&167=167&168=168&169=169&170=170&171=171&172=172&173=173
&174=174&175=175&176=176&177=177&178=178&179=179&180=180&181=181&182=182
&183=183&184=184&185=185&186=186&187=187&188=188&189=189&190=190&191=191
&192=192&193=193&194=194&195=195&196=196&197=197&198=198&199=199&200=200
&201=201

not much common right? ;)
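Added example, not part of the bug thread and not code from PHP or suhosin: a small audit that counts the variables in an urlencoded query string or POST body against the 200-variable limit quoted in the comment above, and lists which names would fall past it. The names `audit_vars` and `build_form`, the sample order form, and the model that pairs after the first 200 are discarded in submission order are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

VAR_LIMIT = 200  # limit quoted in the comment above; check your own filter configuration


def audit_vars(encoded, limit=VAR_LIMIT):
    """Split an urlencoded query string or POST body into kept and dropped names.

    Assumption: every name=value pair counts as one variable, in submission
    order, and pairs after the first `limit` are discarded by the filter.
    """
    pairs = parse_qsl(encoded, keep_blank_values=True)
    names = [name for name, _ in pairs]
    return {
        "total": len(names),
        "kept": names[:limit],
        "dropped": names[limit:],
        "headroom": limit - len(names),  # negative means the form is over the limit
    }


def build_form(rows):
    """Constructed sample: an order form with 3 fields per row plus a submit button."""
    fields = []
    for i in range(rows):
        fields += [f"item[{i}][sku]=S{i}", f"item[{i}][qty]=1", f"item[{i}][note]="]
    fields.append("submit=Save")  # the button is sent in document order, here last
    return "&".join(fields)


if __name__ == "__main__":
    # The 201-variable request from the comment, rebuilt rather than pasted.
    comment_request = "&".join(f"{n}={n}" for n in range(1, 202))
    samples = (
        ("comment example", comment_request),
        ("66-row form", build_form(66)),
        ("67-row form", build_form(67)),
    )
    for label, body in samples:
        r = audit_vars(body)
        print(f"{label}: total={r['total']} dropped={r['dropped']} headroom={r['headroom']}")
```

Under that model the 67-row form loses its last field and the `submit` button, which matches the symptom in the original report.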
https://bugzilla.novell.com/show_bug.cgi?id=291551#c26
Ales Nosek
> If you install php but don't ever want its recommended packages then you need to lock them.

If I remove the package I would not expect that it appears again in my system. The only exception would be if the package became a new dependency of some installed one. But this happens very rarely. I find it annoying to have to lock all the recommended packages which I don't want to install. How many could they be? I think removing the packages should be enough.

Anyway, I submitted php5-10.2 with suhosin moved from Recommends to Suggests into /work/src/done/10.2/php5
https://bugzilla.novell.com/show_bug.cgi?id=291551#c27
--- Comment #27 from Cristian Rodriguez
> schubi and ma disagree that the current solver behavior of adding recommends in YOU should be changed.

Can someone elaborate why this is supposed to be the correct behaviour?? (yes I know it may be "expected") it looks plain wrong from any side I can see it.. sorry.. maybe my concept about what a patch is is flawed..
https://bugzilla.novell.com/show_bug.cgi?id=291551#c28
Ludwig Nussel