In some recent development work, I ran into a brick wall with Suhosin. I have both the patch and extension installed on all of my dev boxes on all PHP versions I test with. I found the need to change a configuration directive, but I did not want to change that value in the suhosin server configuration, I wanted to change it via either .htaccess or PHP’s ‘user.ini’ file.

I did some quick searches and from what I could find, everyone was simply pointing at changing the suhosin.perdir directive to ‘p’. This was all fine and well for changing any of the suhosin POST directives, but didn’t help with the executor directives that I really needed to adjust. At first I thought there was a bug with Suhosin. I downloaded the source, tried changing some things around, commenting out some code and when I ran a quick grep of the code, something stood out that clarified how the perdir directive works. The ‘p’ that everyone was alluding to, but no one was clarifying, was for suhosin.post directives. After looking at the source code for the function that caught my eye, it all made sense…

        /* no deactivation so check the flags */
        while (*tmp) {
            switch (*tmp) {
                case 'l':
                case 'L':
                    SUHOSIN_G(log_perdir) = 1;
                    break;
                case 'e':
                case 'E':
                    SUHOSIN_G(exec_perdir) = 1;
                    break;
                case 'g':
                case 'G':
                    SUHOSIN_G(get_perdir) = 1;
                    break;
                case 'c':
                case 'C':
                    SUHOSIN_G(cookie_perdir) = 1;
                    break;
                case 'p':
                case 'P':
                    SUHOSIN_G(post_perdir) = 1;
                    break;
                case 'r':
                case 'R':
                    SUHOSIN_G(request_perdir) = 1;
                    break;
                case 's':
                case 'S':
                    SUHOSIN_G(sql_perdir) = 1;
                    break;
                case 'u':
                case 'U':
                    SUHOSIN_G(upload_perdir) = 1;
                    break;
                case 'm':
                case 'M':
                    SUHOSIN_G(misc_perdir) = 1;
                    break;
            }
            tmp++;
        }

As you can see from the code above, the perdir directive takes a string of characters, each of which represents what section of the suhosin extension configuration can be altered by the user via .htaccess or user.ini. Once I added ‘e’ to the perdir directive, I was then able to overload the executor directive I needed and was a happy camper.

Unfortunately the perdir directive is not even documented on the Suhosin website, it only appears in a phpinfo page, or by looking at the default suhosin.ini included with the source code or your appropriate distrubution’s package. If anyone has a link to somewhere that explains this that I may have missed, please, point me to it. Hopefully this will help someone else from hitting a brick wall like I did.