hitechdk Posted November 14, 2014

Yesterday my host upgraded to PHP 5.6.x (with SUHOSIN) and all of a sudden some of the functionality in the backend stopped working (and the same thing can also be present in the frontend).

After spending some hours investigating, I found out that it was the test for empty POST variables that stopped working (function Tools::isSubmit).

The default admin theme (PS 1.6) has more than 100 entries of the form:

    <button type="submit" ...>

I made a small script to test if the bug is present:

    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        if (isset($_POST['emptypostvalue'])) {
            echo "Empty POST variable received. Not hit by bug.";
            die;
        } else {
            // Read the raw request body so it can be compared with $_POST.
            $data = file_get_contents('php://input');
            print "<pre>";
            echo "Empty POST variable not received. Your system is affected.\n\n";
            print "Raw post data content:\n";
            // Escape the body before echoing it back into the page.
            print htmlspecialchars($data);
            print "\n\n\$_POST content:\n";
            var_dump($_POST);
            print "</pre>";
            die;
        }
    }
    ?>
    Are you hit by the PHP 5.6.x / SUHOSIN empty POST value bug?
    <form method="POST" action="test-empty-post-bug.php">
        <input type="hidden" name="postvalue" value="1">
        <button type="submit" name="emptypostvalue">
            Test now
        </button>
    </form>
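The comparison that the test script above makes by eye (raw body versus `$_POST`) can be automated. This is an added example, not part of the original post or of PrestaShop; `body_field_names` and `dropped_post_fields` are hypothetical helper names and the sample body is constructed.

```php
<?php
// Added example: hypothetical helpers, not code from the thread or PrestaShop.

/**
 * Top-level field names in an application/x-www-form-urlencoded body, as PHP
 * would key them in $_POST ("opt[a][]" -> "opt"; dots and spaces -> "_").
 */
function body_field_names(string $rawBody): array
{
    $names = [];
    foreach (explode('&', $rawBody) as $pair) {
        if ($pair === '') {
            continue;
        }
        // "name=" and bare "name" both carry an empty value; keep them.
        $name = urldecode(explode('=', $pair, 2)[0]);
        $top  = strtr(preg_replace('/\[.*$/s', '', ltrim($name, ' ')), '. ', '__');
        if ($top !== '') {
            $names[$top] = true;
        }
    }
    return array_map('strval', array_keys($names));
}

/** Names sent by the browser that never reached $_POST. */
function dropped_post_fields(string $rawBody, array $post): array
{
    $received = array_map('strval', array_keys($post));
    return array_values(array_diff(body_field_names($rawBody), $received));
}

// Constructed sample: the body the test form in the post submits, and the
// $_POST an affected server would build from it.
$sampleBody = 'postvalue=1&emptypostvalue=';
$samplePost = ['postvalue' => '1'];
var_dump(dropped_post_fields($sampleBody, $samplePost));

// On a live request (php://input is empty for multipart/form-data):
// $dropped = dropped_post_fields(file_get_contents('php://input'), $_POST);
// if ($dropped) {
//     // Log field names only, never submitted values.
//     error_log('POST fields dropped before PHP: ' . implode(', ', $dropped));
// }
```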

tuk66 Posted November 14, 2014

Yes, it seems like PHP 5.6 with SUHOSIN is a very dangerous combination. I would leave SUHOSIN first.

hitechdk (Author) Posted November 14, 2014

Luckily my webhoster "acknowledged" the problem and turned off Suhosin for their PHP 5.6 servers. This seems to have fixed the problem for now.

anpori Posted October 30, 2015

Hello everyone... we were able to fix this issue while keeping PHP 5.6 and Suhosin giving us the extra layer of protection.

What we did was to configure Suhosin to accept NULL-ASCII variables by adding the following to the Suhosin configuration:

    [suhosin]
    suhosin.cookie.disallow_nul = Off
    suhosin.get.disallow_nul = Off
    suhosin.post.disallow_nul = Off
    suhosin.request.disallow_nul = Off

Regards,
Andres

You can read more on the Suhosin configuration from this link https://suhosin.org/stories/configuration.html, specifically the quoted section below:

    suhosin.request.array_index_whitelist
    Type: String
    Default:
    Example: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    Defines a character whitelist for array indices allowed in user input.
    Note: This setting deactivates suhosin.request.array_index_blacklist.

robdido Posted March 12, 2016

I can confirm that it is Suhosin that is the problem. Don't forget to put the semicolons like I did 4 days ago and bang my head against the wall trying to figure out a solution.

As said above, you need to update php.ini and add the following lines:

    suhosin.get.max_vars = 10000;
    suhosin.post.max_vars = 10000;
    suhosin.cookie.disallow_nul = Off;
    suhosin.get.disallow_nul = Off;
    suhosin.post.disallow_nul = Off;
    suhosin.request.disallow_nul = Off;