Suhosin: Include filename .phar is not allowed

When trying to run the PEAR installer go-pear.phar on one of our servers, it exited without any notice and without seeming to do anything.

After some searching I found that the syslog contained the error message:

Dec 15 12:59:47 scms suhosin[13658]:
  ALERT - Include filename ('phar://go-pear.phar/index.php')
  is an URL that is not allowed
  (attacker 'REMOTE_ADDR not set', file '/root/go-pear.phar', line 1236)

Dec 15 12:59:47 scms suhosin[13658]:
  ALERT - script tried to disable memory_limit by setting it to a negative value
   -1 bytes which is not allowed
  (attacker 'REMOTE_ADDR not set', file 'unknown')

So I knew it was Suhosin, the "advanced protection module for PHP5". It's enabled by default on Debian and Ubuntu.

Instead of simply disabling it, I allowed the phar stream wrapper with Suhosin:

$ emacs /etc/php5/cli/conf.d/suhosin.ini
.. add the following line:
suhosin.executor.include.whitelist = phar

Written by Christian Weiske.

Comments? Please send an e-mail. Or Reply or Like.