[SPT/CWIS] Re: large classification schemes (fwd)

Virginia Knight Virginia.Knight at bristol.ac.uk
Mon Apr 10 04:11:10 CDT 2006


We are still having difficulty getting round the restriction to 200 
variables imposed by the patch. In future PHP installations are more likely 
to be heavily patched (sysadmins tend to be suspicious of PHP because of 
the risk of security holes, and accordingly keen to strengthen it). This 
kind of problem is therefore going to become more common, and the 
documentation or list of installation requirements should mention it.

Virginia Knight

>>
>> ---------- Forwarded Message ----------
>> Date: 23 March 2006 11:46 +0000
>> From: Virginia Knight <Virginia.Knight at bristol.ac.uk>
>> To: spt-cwis-users at scout.wisc.edu
>> Cc: a.fernandez at bris.ac.uk
>> Subject: large classification schemes
>>
>> We have set up a classification scheme for our SPT installation with
>> about 1,000 entries. When I try to create a new record now I get dumped
>> out of my session with the words 'You are not authorized to access this
>> area of the system'. We think this is because the processing of the large
>> classification scheme is somehow being mistaken for a denial of service
>> attack. Has anyone else experienced this? The error message in our web
>> logs is:
>>
>> [error] ALERT - configured request variable limit exceeded - dropped class_198 (attacker '137.222.34.12',file'/usr/local/projects/rigt/WWW/SPT/MetadataTool/SPT--AssignClassification.php')
>>
>> ---------- End Forwarded Message ----------
>> I got the following reply. Does it make sense?
>>
>>    We're using CWIS for AMSER (http://amser.org), and have 400,000+ LCC
>>    entries loaded there for classifying resources, so I'm pretty sure
>>    this isn't anything inherent in the software itself or a standard PHP
>>    configuration.
>>
>>    Are you using the Hardened-PHP patches or Gentoo Linux (which I think
>>    now incorporates Hardened-PHP or something like it)?  I believe they
>>    add one or more "max_vars" PHP configuration variables that restrict
>>    the number of values that may be submitted with a POST request.  If
>>    this restriction is set too low it could break the classification
>>    assignment mechanism in CWIS.
>>
>>    Ed
>> ------------------
>> Virginia
----------------------
Virginia Knight, Institute for Learning and Research Technology
Tel: +44 (0)117 928 7088  Fax:  +44 (0)117 928 7112
University of Bristol, 8-10 Berkeley Square, Bristol BS8 1HH
Virginia.Knight at bristol.ac.uk
Official homepage: http://www.ilrt.bris.ac.uk/aboutus/staff?search=cmvhk
Personal homepage: http://www.ilrt.bris.ac.uk/~ggvhk/virginia.html
ILRT homepage: http://www.ilrt.bristol.ac.uk
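
A triage sketch for the alert quoted in the message above, added here as an example and not part of the original e-mail or of CWIS: it groups "request variable limit exceeded" alerts by receiving script, so an administrator can see which form is over the limit and whether the dropped names look like ordinary form fields. The regex is modelled on the single log line in the message; the sample log lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Modelled on the one log line quoted in the message. Optional quoting and
# whitespace are tolerated because other builds may differ (assumption).
ALERT_RE = re.compile(
    r"ALERT - configured request variable limit exceeded - dropped\s+"
    r"(?:variable\s+)?'?(?P<var>[^\s']+)'?\s+"
    r"\(attacker\s+'(?P<ip>[^']+)',\s*file\s*'(?P<file>[^']+)'\)"
)


def summarize_dropped(lines):
    """Group dropped request variables by the script that received them."""
    by_script = defaultdict(lambda: {"clients": set(), "vars": []})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a variable-limit alert
        entry = by_script[m.group("file")]
        entry["clients"].add(m.group("ip"))
        entry["vars"].append(m.group("var"))
    report = {}
    for script, entry in by_script.items():
        # Strip a trailing index (class_198 -> class_) so that one large
        # form shows up as a single prefix with a high count.
        prefixes = defaultdict(int)
        for name in entry["vars"]:
            prefixes[re.sub(r"\d+$", "", name)] += 1
        report[script] = {
            "dropped": len(entry["vars"]),
            "clients": sorted(entry["clients"]),
            "prefixes": dict(prefixes),
        }
    return report


# Constructed sample input (documentation IP range, made-up paths).
_FMT = ("[error] ALERT - configured request variable limit exceeded - dropped "
        "{var} (attacker '{ip}',file'{path}')")
SAMPLE_LOG = (
    [_FMT.format(var=f"class_{i}", ip="192.0.2.10",
                 path="/var/www/app/assign.php") for i in range(198, 203)]
    + ["[error] File does not exist: /var/www/favicon.ico"]
    + [_FMT.format(var="q", ip="192.0.2.77", path="/var/www/app/search.php")]
)

if __name__ == "__main__":
    for script, info in summarize_dropped(SAMPLE_LOG).items():
        print(script, info)
```

A script whose dropped variables all share one indexed prefix and come from known clients points to a form that simply submits more fields than the configured limit allows.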



