added ini section [suhosin]

author: Ben Fuhrmannek 2016-05-02 19:08:38 +0200
committer: Ben Fuhrmannek 2016-05-02 19:08:38 +0200
commit: 765706eb5a01756542faf5609b303927bd6f43dc (patch)
tree: 391edc00ef0d60c6c91959cd749649f6ff25ffee /suhosin.ini
parent: 66d15abefdb5df30f25b774339067728c0b4b091 (diff)
1 files changed, 359 insertions, 249 deletions
diff --git a/suhosin.ini b/suhosin.ini
index 711baf6..eaf566b 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -1,12 +1,13 @@
 ;extension=suhosin.so
+[suhosin]
+; 
 ; =====================
 ; Logging Configuration
 ; =====================
+; 
 ; suhosin.log.syslog
 ; ------------------
+; 
 ; * Type: Integer
 ; * Default: S_ALL & ~S_SQL
 ; 
@@ -49,12 +50,13 @@
 ; 
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value, e.g. `suhosin.log.syslog=511`.
-; 
+;
 ;suhosin.log.syslog = S_ALL & ~S_SQL
 ;
+; 
 ; suhosin.log.syslog.facility
 ; ---------------------------
+; 
 ; * Type: Integer
 ; * Default: LOG_USER
 ; 
@@ -104,12 +106,13 @@
 ; +--------------+-------+
 ; | LOG_LOCAL7   | 31    |
 ; +--------------+-------+
-; 
+;
 ;suhosin.log.syslog.facility = LOG_USER
 ;
+; 
 ; suhosin.log.syslog.priority
 ; ---------------------------
+; 
 ; * Type: Integer
 ; * Default: LOG_ALERT
 ; 
@@ -137,12 +140,13 @@
 ; +------------+-------+
 ; |LOG_ERR     | 7     |
 ; +------------+-------+
-; 
+;
 ;suhosin.log.syslog.priority = LOG_ALERT
 ;
+; 
 ; suhosin.log.sapi
 ; ----------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -151,12 +155,13 @@
 ; 
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value.
-; 
+;
 ;suhosin.log.sapi = 0
 ;
+; 
 ; suhosin.log.stdout
 ; ------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -166,14 +171,15 @@
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value.
 ; 
-; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only
+; **IMPORTANT NOTE**: This option is meant for debugging purposes and unittests
-; and should not be used in production.
+; only and should not be used in production.
-; 
+;
 ;suhosin.log.stdout = 0
 ;
+; 
 ; suhosin.log.file
 ; ----------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -182,35 +188,38 @@
 ; 
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value.
-; 
+;
 ;suhosin.log.file = 0
 ;
+; 
 ; suhosin.log.file.name
 ; ---------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Defines the full path to a dedicated Suhosin log file.
-; 
+;
 ;suhosin.log.file.name = 
 ;
+; 
 ; suhosin.log.file.time
 ; ---------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Specifies if suhosin.log.file contains timestamp for each log entry.
 ; 
-; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only
+; **IMPORTANT NOTE**: This option is meant for debugging purposes and unittests
-; and should not be used in production.
+; only and should not be used in production.
-; 
+;
 ;suhosin.log.file.time = On
 ;
+; 
 ; suhosin.log.script
 ; ------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -221,26 +230,28 @@
 ; 
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value.
-; 
+;
 ;suhosin.log.script = 0
 ;
+; 
 ; suhosin.log.script.name
 ; -----------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Defines the full path to an external logging script. The script is called with
 ; 2 parameters. The first one is the alert class in string notation and the
 ; second parameter is the log message. This can be used for example to mail
 ; failing MySQL queries to your email address, because on a production system
 ; these things should never happen (S_SQL not yet supported by Suhosin).
-; 
+;
 ;suhosin.log.script.name = 
 ;
+; 
 ; suhosin.log.phpscript
 ; ---------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -253,37 +264,40 @@
 ; 
 ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
 ; the numeric value.
-; 
+;
 ;suhosin.log.phpscript = 0
 ;
+; 
 ; suhosin.log.phpscript.name
 ; --------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Defines the full path to a PHP logging script. The script is called with 2
 ; variables registered in the current scope: SUHOSIN_ERRORCLASS and
 ; SUHOSIN_ERROR. The first one is the alert class and the second variable is the
 ; log message. This can be used for example to mail attempted remote URL include
 ; attacks to your email address.
-; 
+;
 ;suhosin.log.phpscript.name = 
 ;
+; 
 ; suhosin.log.phpscript.is_safe
 ; -----------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Disables open_basedir (and safe_mode for older PHP versions < 5.4) when
 ; executing suhosin.log.phpscript.name.
-; 
+;
 ;suhosin.log.phpscript.is_safe = Off
 ;
+; 
 ; suhosin.log.use-x-forwarded-for
 ; -------------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -292,16 +306,17 @@
 ; variable. With this switch it is possible to change this behavior to read the
 ; IP from the X-Forwarded-For HTTP header. This is for example necessary when
 ; your PHP server runs behind a reverse proxy.
-; 
+;
 ;suhosin.log.use-x-forwarded-for = Off
 ;
+; 
 ; ================
 ; Executor Options
 ; ================
+; 
 ; suhosin.executor.max_depth
 ; --------------------------
+; 
 ; * Type: Integer
 ; * Default: 750
 ; 
@@ -311,12 +326,13 @@
 ; disables this feature.
 ; 
 ; (Before 0.9.37, the default value was 0.)
-; 
+;
 ;suhosin.executor.max_depth = 750
 ;
+; 
 ; suhosin.executor.include.max_traversal
 ; --------------------------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -324,14 +340,15 @@
 ; attack and stopped. A value of '2' will block '../../etc/passwd', while a value
 ; of '3' will allow it. Most PHP applications should work flawlessly with values
 ; '4' or '5'. A value of '0' disables this feature.
-; 
+;
 ;suhosin.executor.include.max_traversal = 0
 ;
+; 
 ; suhosin.executor.include.whitelist
 ; ----------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated whitelist of URL schemes that are allowed to be included from
 ; include or require statements. Additionally to URL schemes it is possible to
@@ -344,25 +361,27 @@
 ; * If both suhosin.executor.include.whitelist and
 ; suhosin.executor.include.blacklist are unset or empty, all URLs will be
 ; blocked. This is the default.
-; 
+;
 ;suhosin.executor.include.whitelist = 
 ;
+; 
 ; suhosin.executor.include.blacklist
 ; ----------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated blacklist of URL schemes that are not allowed to be included
 ; from include or require statements. Additionally to URL schemes it is possible
 ; to specify the beginning of allowed URLs. (f.e.: php://stdin) If no blacklist
 ; and no whitelist is specified all URL schemes are forbidden.
-; 
+;
 ;suhosin.executor.include.blacklist = 
 ;
+; 
 ; suhosin.executor.include.allow_writable_files
 ; ---------------------------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
@@ -371,40 +390,43 @@
 ; 
 ; Note: Some software such as web-installers or web-based plugin installers won't
 ; work out of the box with this flag turned off.
-; 
+;
 ;suhosin.executor.include.allow_writable_files = On
 ;
+; 
 ; suhosin.executor.func.whitelist
 ; -------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated whitelist of functions that are allowed to be called. If the
 ; whitelist is empty the blacklist is evaluated, otherwise calling a function not
 ; in the whitelist will terminate the script and get logged.
 ; 
 ; Note: This setting deactivates suhosin.executor.func.blacklist.
-; 
+;
 ;suhosin.executor.func.whitelist = 
 ;
+; 
 ; suhosin.executor.func.blacklist
 ; -------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated blacklist of functions that are not allowed to be called. If no
 ; whitelist is given, calling a function within the blacklist will terminate the
 ; script and get logged.
-; 
+;
 ;suhosin.executor.func.blacklist = 
 ;
+; 
 ; suhosin.executor.eval.whitelist
 ; -------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated whitelist of functions that are allowed to be called from
 ; within eval(). If the whitelist is empty the blacklist is evaluated, otherwise
@@ -412,37 +434,40 @@
 ; logged. Please read the instructions carefully.
 ; 
 ; Note: This setting deactivates suhosin.executor.eval.blacklist.
-; 
+;
 ;suhosin.executor.eval.whitelist = 
 ;
+; 
 ; suhosin.executor.eval.blacklist
 ; -------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Comma separated blacklist of functions that are not allowed to be called from
 ; within eval(). If no whitelist is given, calling a function within the
 ; blacklist will terminate the script and get logged. Please read the
 ; instructions carefully.
-; 
+;
 ;suhosin.executor.eval.blacklist = 
 ;
+; 
 ; suhosin.executor.disable_eval
 ; -----------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; eval() is a very dangerous statement and therefore you might want to disable it
 ; completely. Deactivating it will however break lots of scripts. Because every
 ; violation is logged, this allows finding all places where eval() is used.
-; 
+;
 ;suhosin.executor.disable_eval = Off
 ;
+; 
 ; suhosin.executor.disable_emodifier
 ; ----------------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -451,28 +476,30 @@
 ; and test where in the application it is used. The developer using the /e
 ; modifier should be made aware that he should use preg_replace_callback()
 ; instead.
-; 
+;
 ;suhosin.executor.disable_emodifier = Off
 ;
+; 
 ; suhosin.executor.allow_symlink
 ; ------------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; This flag reactivates symlink() when open_basedir is used, which is disabled by
 ; default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used is
 ; actually a security risk.
-; 
+;
 ;suhosin.executor.allow_symlink = Off
 ;
+; 
 ; ============
 ; Misc Options
 ; ============
+; 
 ; suhosin.simulation
 ; ------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -480,12 +507,13 @@
 ; simulation mode with this flag. When Suhosin runs in simulation mode,
 ; violations are logged as usual, but nothing is blocked or removed from the
 ; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
-; 
+;
 ;suhosin.simulation = Off
 ;
+; 
 ; suhosin.perdir
 ; --------------
+; 
 ; * Type: String
 ; * Default: "0"
 ; 
@@ -494,48 +522,52 @@
 ; (get), "c" (cookie), "p" (post), "r" (request), "s" (sql), "u" (upload), "m"
 ; (misc) or any combination, e.g. "legcprsum" to allow everything. Both "0" and
 ; no value disable this feature.
-; 
+;
 ;suhosin.perdir = "0"
 ;
+; 
 ; suhosin.protectkey
 ; ------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Prevent Suhosin's secret key material (suhosin.cookie.cryptkey,
 ; suhosin.session.cryptkey, suhosin.rand.seedingkey) from being exposed by
 ; phpinfo().
-; 
+;
 ;suhosin.protectkey = On
 ;
+; 
 ; suhosin.coredump
 ; ----------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Controls if suhosin coredumps when the optional suhosin patch detects a buffer
 ; overflow, memory corruption or double free. This is only for debugging purposes
 ; and should not be activated.
-; 
+;
 ;suhosin.coredump = Off
 ;
+; 
 ; suhosin.stealth
 ; ---------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
-; controls if suhosin loads in stealth mode when it is not the only
+; Controls if suhosin loads in stealth mode when it is not the only
 ; zend_extension (Required for full compatibility with certain encoders that
 ; consider open source untrusted. e.g. ionCube, Zend)
-; 
+;
 ;suhosin.stealth = On
 ;
+; 
 ; suhosin.apc_bug_workaround
 ; --------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -544,36 +576,39 @@
 ; will overwrite the information Suhosin stores in this slot. When this flag is
 ; set Suhosin will request 2 Slots and use the second one. This allows working
 ; correctly with these buggy APC versions.
-; 
+;
 ;suhosin.apc_bug_workaround = Off
 ;
+; 
 ; suhosin.disable.display_errors
 ; ------------------------------
+; 
 ; * Type: String
 ; * Default: 0
 ; 
 ; Prevent PHP from setting display_errors programmatically. "0" means off. Any
 ; one of "1", "on", "yes", "true" means on. "fail" or "2" (or greater values)
 ; will let PHP know that the value change failed.
-; 
+;
 ;suhosin.disable.display_errors = 0
 ;
+; 
 ; suhosin.multiheader
 ; -------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; This directive controls if multiple headers are allowed or not in a header()
 ; call. By default the Suhosin forbids this. (HTTP headers spanning multiple
 ; lines are still allowed).
-; 
+;
 ;suhosin.multiheader = Off
 ;
+; 
 ; suhosin.mail.protect
 ; --------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -593,12 +628,13 @@
 ; +-------+--------------------------------------------------------------------+
 ; 
 ; Logging of this class of alerts is controlled by the new S_MAIL constant.
-; 
+;
 ;suhosin.mail.protect = 0
 ;
+; 
 ; suhosin.memory_limit
 ; --------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -609,16 +645,19 @@
 ; Suhosin will disallow scripts setting the memory_limit to a value above this
 ; configured hard limit. This is for example useful if you want to run the script
 ; normally with a limit of 16M but image processing scripts may raise it to 20M.
-; 
+;
 ;suhosin.memory_limit = 0
 ;
+; 
 ; ========================
 ; SQL Injection Protection
 ; ========================
+; This class of features is experimental and still in development. As of Suhosin
+; version 0.9.36 only preliminary MySQL and Mysqli support was added.
+; 
 ; suhosin.sql.bailout_on_error
 ; ----------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -626,26 +665,28 @@
 ; often spit out a bunch of useful information for possible attackers. When this
 ; configuration directive is turned on, the script will silently terminate, after
 ; the problem has been logged.
-; 
+;
 ;suhosin.sql.bailout_on_error = Off
 ;
+; 
 ; suhosin.sql.user_match
 ; ----------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; (introduced in 0.9.37) The SQL username must match this wildcard pattern or the
 ; connect function will fail and return FALSE. Example: `suhosin.sql.user_match =
 ; public_*`
-; 
+;
 ;suhosin.sql.user_match = 
 ;
+; 
 ; suhosin.sql.user_prefix
 ; -----------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; This is an experimental feature for shared environments. With this
 ; configuration option it is possible to specify a prefix that is automatically
@@ -655,14 +696,15 @@
 ; With this feature it is possible for shared hosters to disallow customers to
 ; connect with the usernames of other customers. This feature is experimental,
 ; because support for PDO and PostgreSQL are not yet implemented.
-; 
+;
 ;suhosin.sql.user_prefix = 
 ;
+; 
 ; suhosin.sql.user_postfix
 ; ------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; This is an experimental feature for shared environments. With this
 ; configuration option it is possible to specify a postfix that is automatically
@@ -672,12 +714,13 @@
 ; With this feature it is possible for shared hosters to disallow customers to
 ; connect with the usernames of other customers. This feature is experimental,
 ; because support for PDO and PostgreSQL are not yet implemented.
-; 
+;
 ;suhosin.sql.user_postfix = 
 ;
+; 
 ; suhosin.sql.comment
 ; -------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -687,24 +730,26 @@
 ; 
 ; Note: Mysql conditional statements starting with ``/*!`` are exempt if used
 ; with Mysqli.
-; 
+;
 ;suhosin.sql.comment = 0
 ;
+; 
 ; suhosin.sql.opencomment
 ; -----------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
 ; This is an experimental feature.
 ; Alert if a MySQL comment was started but not closed: ``/*`` without ``*/``. A
 ; value of 1 logs the alert; 2 or greater let the call fail.
-; 
+;
 ;suhosin.sql.opencomment = 0
 ;
+; 
 ; suhosin.sql.multiselect
 ; -----------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -714,74 +759,80 @@
 ; 
 ; Note: This flag will recognise multiple statements as well as subselects, e.g.
 ; "SELECT 1; SELECT 2" and "SELECT * FROM (SELECT 1)".
-; 
+;
 ;suhosin.sql.multiselect = 0
 ;
+; 
 ; suhosin.sql.union
 ; -----------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
 ; This is an experimental feature.
 ; Alert if an SQL query contains one or more UNIONs.
 ; A value of 1 logs the alert; 2 or greater let the call fail.
-; 
+;
 ;suhosin.sql.union = 0
 ;
+; 
 ; ==============================
 ; Transparent Encryption Options
 ; ==============================
+; 
 ; suhosin.session.encrypt
 ; -----------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Flag that decides if the transparent session encryption is activated or not.
-; 
+;
 ;suhosin.session.encrypt = On
 ;
+; 
 ; suhosin.session.cryptkey
 ; ------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Session data can be encrypted transparently. The encryption key used consists
 ; of this user defined string (which can be altered by a script via ini_set())
 ; and optionally the User-Agent, the Document-Root and 0-4 octects of the
 ; REMOTE_ADDR.
-; 
+;
 ;suhosin.session.cryptkey = 
 ;
+; 
 ; suhosin.session.cryptua
 ; -----------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Flag that decides if the transparent session encryption key depends on the
 ; User-Agent field. (When activated this feature transparently adds a little bit
 ; protection against session fixation/hijacking attacks)
-; 
+;
 ;suhosin.session.cryptua = Off
 ;
+; 
 ; suhosin.session.cryptdocroot
 ; ----------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Flag that decides if the transparent session encryption key depends on the
 ; Documentroot field.
-; 
+;
 ;suhosin.session.cryptdocroot = On
 ;
+; 
 ; suhosin.session.cryptraddr
 ; --------------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -791,12 +842,13 @@
 ; a session. But this feature might be interesting for admin interfaces or
 ; intranets. When used wisely this is a transparent protection against session
 ; hijacking/fixation. This feature supports IPv4 only.
-; 
+;
 ;suhosin.session.cryptraddr = 0
 ;
+; 
 ; suhosin.session.checkraddr
 ; --------------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -805,34 +857,37 @@
 ; part of the encryption key, so that the same session can be used for different
 ; areas with different protection levels on the site. This feature supports IPv4
 ; only.
-; 
+;
 ;suhosin.session.checkraddr = 0
 ;
+; 
 ; suhosin.cookie.encrypt
 ; ----------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Flag that decides if the transparent cookie encryption is activated or not.
-; 
+;
 ;suhosin.cookie.encrypt = Off
 ;
+; 
 ; suhosin.cookie.cryptkey
 ; -----------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; Cookies can be encrypted transparently. The encryption key used consists of
 ; this user defined string and optionally the User-Agent, the Document-Root and
 ; 0-4 octects of the REMOTE_ADDR.
-; 
+;
 ;suhosin.cookie.cryptkey = 
 ;
+; 
 ; suhosin.cookie.cryptua
 ; ----------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
@@ -840,23 +895,25 @@
 ; User-Agent field. (When activated this feature transparently adds a little bit
 ; protection against session fixation/hijacking attacks (if only session cookies
 ; are allowed))
-; 
+;
 ;suhosin.cookie.cryptua = On
 ;
+; 
 ; suhosin.cookie.cryptdocroot
 ; ---------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Flag that decides if the transparent cookie encryption key depends on the
 ; Documentroot field.
-; 
+;
 ;suhosin.cookie.cryptdocroot = On
 ;
+; 
 ; suhosin.cookie.cryptraddr
 ; -------------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -866,12 +923,13 @@
 ; a session. But this feature might be interesting for admin interfaces or
 ; intranets. When used wisely this is a transparent protection against session
 ; hijacking/fixation. This feature supports IPv4 only.
-; 
+;
 ;suhosin.cookie.cryptraddr = 0
 ;
+; 
 ; suhosin.cookie.checkraddr
 ; -------------------------
+; 
 ; * Type: Integer
 ; * Default: 0
 ; 
@@ -879,43 +937,50 @@
 ; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not part
 ; of the encryption key, so that the same cookie can be used for different areas
 ; with different protection levels on the site. This feature supports IPv4 only.
-; 
+;
 ;suhosin.cookie.checkraddr = 0
 ;
+; 
 ; suhosin.cookie.cryptlist
 ; ------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; In case not all cookies are supposed to get encrypted this is a comma separated
 ; list of cookie names that should get encrypted. All other cookies will not get
 ; touched.
 ; 
+; Note: Cookies handled on client side with JavaScript as well as on server side
+; should not be encrypted, e.g. listed in suhosin.cookie.plainlist or omitted in
+; suhosin.cookie.cryptlist.
+;
 ;suhosin.cookie.cryptlist = 
 ;
+; 
 ; suhosin.cookie.plainlist
 ; ------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; In case some cookies should not be encrypted this is a comma separated list of
 ; cookies that do not get encrypted. All other cookies will be encrypted.
 ; 
 ; Note: This setting deactivates suhosin.cookie.cryptlist.
-; 
+;
 ;suhosin.cookie.plainlist = 
 ;
+; 
 ; =================
 ; Filtering Options
 ; =================
+; 
 ; suhosin.filter.action
 ; ---------------------
+; 
 ; * Type: Mixed
-; * Default:
+; * Default: 
 ; 
 ; Defines the reaction of Suhosin on a filter violation. Following possible
 ; actions are supported
@@ -937,12 +1002,13 @@
 ; |                               | the requested script. Optionally set a     |
 ; |                               | specific HTTP response code                |
 ; +-------------------------------+--------------------------------------------+
-; 
+;
 ;suhosin.filter.action = 
 ;
+; 
 ; suhosin.cookie.max_array_depth
 ; ------------------------------
+; 
 ; * Type: Integer
 ; * Default: 50
 ; 
@@ -950,86 +1016,94 @@
 ; the COOKIE.
 ; 
 ; Note: Array depth is not the number of elements within an array.
-; 
+;
 ;suhosin.cookie.max_array_depth = 50
 ;
+; 
 ; suhosin.cookie.max_array_index_length
 ; -------------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of array indices for variables registered through
 ; the COOKIE.
-; 
+;
 ;suhosin.cookie.max_array_index_length = 64
 ;
+; 
 ; suhosin.cookie.max_name_length
 ; ------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of variable names for variables registered through
 ; the COOKIE. For array variables this is the name in front of the indices.
-; 
+;
 ;suhosin.cookie.max_name_length = 64
 ;
+; 
 ; suhosin.cookie.max_totalname_length
 ; -----------------------------------
+; 
 ; * Type: Integer
 ; * Default: 256
 ; 
 ; Defines the maximum length of the total variable name when registered through
 ; the COOKIE. For array variables this includes all indices.
-; 
+;
 ;suhosin.cookie.max_totalname_length = 256
 ;
+; 
 ; suhosin.cookie.max_value_length
 ; -------------------------------
+; 
 ; * Type: Integer
 ; * Default: 10000
 ; 
 ; Defines the maximum length of a variable that is registered through the COOKIE.
-; 
+;
 ;suhosin.cookie.max_value_length = 10000
 ;
+; 
 ; suhosin.cookie.max_vars
 ; -----------------------
+; 
 ; * Type: Integer
 ; * Default: 100
 ; 
 ; Defines the maximum number of variables that may be registered through the
 ; COOKIE.
-; 
+;
 ;suhosin.cookie.max_vars = 100
 ;
+; 
 ; suhosin.cookie.disallow_nul
 ; ---------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-; 
+;
 ;suhosin.cookie.disallow_nul = On
 ;
+; 
 ; suhosin.cookie.disallow_ws
 ; --------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Ignore cookies with names starting with whitespace.
-; 
+;
 ;suhosin.cookie.disallow_ws = On
 ;
+; 
 ; suhosin.get.max_array_depth
 ; ---------------------------
+; 
 ; * Type: Integer
 ; * Default: 50
 ; 
@@ -1037,85 +1111,93 @@
 ; the URL.
 ; 
 ; Note: Array depth is not the number of elements within an array.
-; 
+;
 ;suhosin.get.max_array_depth = 50
 ;
+; 
 ; suhosin.get.max_array_index_length
 ; ----------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of array indices for variables registered through
 ; the URL.
-; 
+;
 ;suhosin.get.max_array_index_length = 64
 ;
+; 
 ; suhosin.get.max_name_length
 ; ---------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of variable names for variables registered through
 ; the URL. For array variables this is the name in front of the indices.
-; 
+;
 ;suhosin.get.max_name_length = 64
 ;
+; 
 ; suhosin.get.max_totalname_length
 ; --------------------------------
+; 
 ; * Type: Integer
 ; * Default: 256
 ; 
 ; Defines the maximum length of the total variable name when registered through
 ; the URL. For array variables this includes all indices.
-; 
+;
 ;suhosin.get.max_totalname_length = 256
 ;
+; 
 ; suhosin.get.max_value_length
 ; ----------------------------
+; 
 ; * Type: Integer
 ; * Default: 512
 ; 
 ; Defines the maximum length of a variable that is registered through the URL.
-; 
+;
 ;suhosin.get.max_value_length = 512
 ;
+; 
 ; suhosin.get.max_vars
 ; --------------------
+; 
 ; * Type: Integer
 ; * Default: 100
 ; 
 ; Defines the maximum number of variables that may be registered through the URL.
-; 
+;
 ;suhosin.get.max_vars = 100
 ;
+; 
 ; suhosin.get.disallow_nul
 ; ------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-; 
+;
 ;suhosin.get.disallow_nul = On
 ;
+; 
 ; suhosin.get.disallow_ws
 ; -----------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Ignore GET parameters with names starting with whitespace.
-; 
+;
 ;suhosin.get.disallow_ws = Off
 ;
+; 
 ; suhosin.post.max_array_depth
 ; ----------------------------
+; 
 ; * Type: Integer
 ; * Default: 50
 ; 
@@ -1123,113 +1205,121 @@
 ; POST request.
 ; 
 ; Note: Array depth is not the number of elements within an array.
-; 
+;
 ;suhosin.post.max_array_depth = 50
 ;
+; 
 ; suhosin.post.max_array_index_length
 ; -----------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of array indices for variables registered through a
 ; POST request.
-; 
+;
 ;suhosin.post.max_array_index_length = 64
 ;
+; 
 ; suhosin.post.max_name_length
 ; ----------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of variable names for variables registered through a
 ; POST request. For array variables this is the name in front of the indices.
-; 
+;
 ;suhosin.post.max_name_length = 64
 ;
+; 
 ; suhosin.post.max_totalname_length
 ; ---------------------------------
+; 
 ; * Type: Integer
 ; * Default: 256
 ; 
 ; Defines the maximum length of the total variable name when registered through a
 ; POST request. For array variables this includes all indices.
-; 
+;
 ;suhosin.post.max_totalname_length = 256
 ;
+; 
 ; suhosin.post.max_value_length
 ; -----------------------------
+; 
 ; * Type: Integer
 ; * Default: 1000000
 ; 
 ; Defines the maximum length of a variable that is registered through a POST
 ; request.
-; 
+;
 ;suhosin.post.max_value_length = 1000000
 ;
+; 
 ; suhosin.post.max_vars
 ; ---------------------
+; 
 ; * Type: Integer
 ; * Default: 1000
 ; 
 ; Defines the maximum number of variables that may be registered through a POST
 ; request.
-; 
+;
 ;suhosin.post.max_vars = 1000
 ;
+; 
 ; suhosin.post.disallow_nul
 ; -------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-; 
+;
 ;suhosin.post.disallow_nul = On
 ;
+; 
 ; suhosin.post.disallow_ws
 ; ------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Ignore POST parameters with names starting with whitespace.
-; 
+;
 ;suhosin.post.disallow_ws = Off
 ;
+; 
 ; suhosin.request.array_index_blacklist
 ; -------------------------------------
+; 
 ; * Type: String
 ; * Default: "'\"+<>;()"
 ; 
 ; Defines a character blacklist for array indices not allowed in user input.
-; 
+;
-; Note: The default value also contained '-' in 0.9.37, which was removed in
-; 0.9.37.1 due to incompatibility issues.
-; 
 ;suhosin.request.array_index_blacklist = "'\"+<>;()"
 ;
+; 
 ; suhosin.request.array_index_whitelist
 ; -------------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
+; 
 ; * Example: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
 ; 
 ; Defines a character whitelist for array indices allowed in user input.
 ; 
 ; Note: This setting deactivates suhosin.request.array_index_blacklist.
-; 
+;
 ;suhosin.request.array_index_whitelist = 
 ;
+; 
 ; suhosin.request.max_array_depth
 ; -------------------------------
+; 
 ; * Type: Integer
 ; * Default: 50
 ; 
@@ -1238,24 +1328,26 @@
 ; POST, COOKIE configuration directives.
 ; 
 ; Note: Array depth is not the number of elements within an array.
-; 
+;
 ;suhosin.request.max_array_depth = 50
 ;
+; 
 ; suhosin.request.max_array_index_length
 ; --------------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
 ; Defines the maximum length of array indices for variables registered through
 ; GET, POST or COOKIE. This setting is also an upper limit for the separate GET,
 ; POST, COOKIE configuration directives.
-; 
+;
 ;suhosin.request.max_array_index_length = 64
 ;
+; 
 ; suhosin.request.max_totalname_length
 ; ------------------------------------
+; 
 ; * Type: Integer
 ; * Default: 256
 ; 
@@ -1263,36 +1355,39 @@
 ; the COOKIE, the URL or through a POST request. This is the complete name
 ; string, including all indices. This setting is also an upper limit for the
 ; separate GET, POST, COOKIE configuration directives.
-; 
+;
 ;suhosin.request.max_totalname_length = 256
 ;
+; 
 ; suhosin.request.max_value_length
 ; --------------------------------
+; 
 ; * Type: Integer
 ; * Default: 1000000
 ; 
 ; Defines the maximum length of a variable that is registered through the COOKIE,
 ; the URL or through a POST request. This setting is also an upper limit for the
 ; variable origin specific configuration directives.
-; 
+;
 ;suhosin.request.max_value_length = 1000000
 ;
+; 
 ; suhosin.request.max_vars
 ; ------------------------
+; 
 ; * Type: Integer
 ; * Default: 1000
 ; 
 ; Defines the maximum number of variables that may be registered through the
 ; COOKIE, the URL or through a POST request. This setting is also an upper limit
 ; for the variable origin specific configuration directives.
-; 
+;
 ;suhosin.request.max_vars = 1000
 ;
+; 
 ; suhosin.request.max_varname_length
 ; ----------------------------------
+; 
 ; * Type: Integer
 ; * Default: 64
 ; 
@@ -1300,96 +1395,105 @@
 ; that may be registered through the COOKIE, the URL or through a POST request.
 ; This setting is also an upper limit for the variable origin specific
 ; configuration directives.
-; 
+;
 ;suhosin.request.max_varname_length = 64
 ;
+; 
 ; suhosin.request.disallow_nul
 ; ----------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-; 
+;
 ;suhosin.request.disallow_nul = On
 ;
+; 
 ; suhosin.request.disallow_ws
 ; ---------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; Ignore all variables with names starting with whitespace.
-; 
+;
 ;suhosin.request.disallow_ws = Off
 ;
+; 
 ; suhosin.upload.max_uploads
 ; --------------------------
+; 
 ; * Type: Integer
 ; * Default: 25
 ; 
 ; Defines the maximum number of files that may be uploaded with one request.
-; 
+;
 ;suhosin.upload.max_uploads = 25
 ;
+; 
 ; suhosin.upload.max_newlines
 ; ---------------------------
+; 
 ; * Type: Integer
 ; * Default: 100
 ; 
 ; Defines the maximum number of newlines in rfc1867 mime headers.
 ; (added with version 0.9.38)
-; 
+;
 ;suhosin.upload.max_newlines = 100
 ;
+; 
 ; suhosin.upload.disallow_elf
 ; ---------------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; When set to On it is not possible to upload ELF executables.
-; 
+;
 ;suhosin.upload.disallow_elf = On
 ;
+; 
 ; suhosin.upload.disallow_binary
 ; ------------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; When set to On it is not possible to upload binary files.
-; 
+;
 ;suhosin.upload.disallow_binary = Off
 ;
+; 
 ; suhosin.upload.remove_binary
 ; ----------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; When set to On binary content is removed from the uploaded files.
-; 
+;
 ;suhosin.upload.remove_binary = Off
 ;
+; 
 ; suhosin.upload.allow_utf8
 ; -------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
 ; This is an experimental feature. This option allows UTF-8 along with ASCII when
 ; using `suhosin.upload.disallow_binary` or `suhosin.upload.remove_binary`.
-; 
+;
 ;suhosin.upload.allow_utf8 = Off
 ;
+; 
 ; suhosin.upload.verification_script
 ; ----------------------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; This defines the full path to a verification script for uploaded files. The
 ; script gets the temporary filename supplied and has to decide if the upload is
@@ -1397,12 +1501,13 @@
 ; The called script has to write a 1 as first line to standard output to allow
 ; the upload. Any other value or no output at all will result in the file being
 ; deleted.
-; 
+;
 ;suhosin.upload.verification_script = 
 ;
+; 
 ; suhosin.session.max_id_length
 ; -----------------------------
+; 
 ; * Type: Integer
 ; * Default: 128
 ; 
@@ -1410,45 +1515,49 @@
 ; longer session identifier is passed a new session identifier will be created.
 ; This feature is important to fight buffer overflows in 3rd party session
 ; handlers.
-; 
+;
 ;suhosin.session.max_id_length = 128
 ;
+; 
 ; suhosin.server.encode
 ; ---------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Encode potentially dangerous characters in REQUEST_URI and QUERY_STRING with
 ; URL encoding.
-; 
+;
 ;suhosin.server.encode = On
 ;
+; 
 ; suhosin.server.strip
 ; --------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Replace potentially dangerous characters in PHP_SELF, PATH_INFO,
 ; PATH_TRANSLATED and HTTP_USER_AGENT with '?'.
-; 
+;
 ;suhosin.server.strip = On
 ;
+; 
 ; suhosin.rand.seedingkey
 ; -----------------------
+; 
 ; * Type: String
-; * Default:
+; * Default: 
 ; 
 ; This string is added to the entropy pool for seeding the random number
 ; generator.
-; 
+;
 ;suhosin.rand.seedingkey = 
 ;
+; 
 ; suhosin.rand.reseed_every_request
 ; ---------------------------------
+; 
 ; * Type: Boolean
 ; * Default: Off
 ; 
@@ -1456,29 +1565,30 @@
 ; request. Will improve security but decrease performance. In case the system's
 ; entry pool is exhausted, this flag may either significantly increase execution
 ; time or otherwise use less entropy (which is bad).
-; 
+;
 ;suhosin.rand.reseed_every_request = Off
 ;
+; 
 ; suhosin.srand.ignore
 ; --------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Flag that controls if calls to srand() are ignored in favour of Suhosin's own
 ; enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
-; 
+;
 ;suhosin.srand.ignore = On
 ;
+; 
 ; suhosin.mt_srand.ignore
 ; -----------------------
+; 
 ; * Type: Boolean
 ; * Default: On
 ; 
 ; Flag that controls if calls to mt_srand() are ignored in favour of Suhosin's
 ; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
-; 
+;
 ;suhosin.mt_srand.ignore = On
 ;
author	Ben Fuhrmannek	2016-05-02 19:08:38 +0200
committer	Ben Fuhrmannek	2016-05-02 19:08:38 +0200
commit	765706eb5a01756542faf5609b303927bd6f43dc (patch)
tree	391edc00ef0d60c6c91959cd749649f6ff25ffee /suhosin.ini
parent	66d15abefdb5df30f25b774339067728c0b4b091 (diff)