brand new default suhosin.ini with documentation and correct default values

1 files changed, 1138 insertions, 225 deletions

diff --git a/suhosin.ini b/suhosin.ini
index ce8e8e9..9d0bc23 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -1,467 +1,1380 @@
-extension = suhosin.so
-
-; -----------------------------------------------------------------------------
-; This file was taken from Mandriva Linux with their permission
-; -----------------------------------------------------------------------------
-
-[suhosin]
-
-; -----------------------------------------------------------------------------
-; Logging Options
+; =====================
+; Logging Configuration
+; =====================
 
+; suhosin.log.syslog
+; ------------------
+; * Type: Integer
+; * Default: S_ALL & ~S_SQL
+; 
 ; Defines what classes of security alerts are logged to the syslog daemon.
-; Logging of errors of the class S_MEMORY are always logged to syslog, no
-; matter what this configuration says, because a corrupted heap could mean that
-; the other logging options will malfunction during the logging process.
-;suhosin.log.syslog = 
+; Logging of errors of the class S_MEMORY are always logged to syslog, no matter
+; what this configuration says, because a corrupted heap could mean that the
+; other logging options will malfunction during the logging process.
+; 
+; Keep in mind that using the constants is only supported when the Suhosin-Patch
+; is used.
+; 
+; +------------+-----------+----------------------------------------------------+
+; | Constant   |   Value   | Description                                        |
+; +============+===========+====================================================+
+; | S_MEMORY   |   1       | All canary violations and the safe unlink          |
+; |            |           | protection use this class                          |
+; +------------+-----------+----------------------------------------------------+
+; | S_MISC     |   2       | All log messages (f.e. format string protection)   |
+; |            |           | that do not fit in other classes use this class    |
+; +------------+-----------+----------------------------------------------------+
+; | S_VARS     |   4       | All variable filters trigger this class            |
+; +------------+-----------+----------------------------------------------------+
+; | S_FILES    |   8       | All violations triggered by the uploaded files     |
+; |            |           | filter use this class                              |
+; +------------+-----------+----------------------------------------------------+
+; | S_INCLUDE  |  16       | The protection against malicious include filenames |
+; |            |           | use this class                                     |
+; +------------+-----------+----------------------------------------------------+
+; | S_SQL      |  32       | Failed SQL queries are logged with this class      |
+; |            |           | (not yet supported in Suhosin BETA)                |
+; +------------+-----------+----------------------------------------------------+
+; | S_EXECUTOR |  64       | The execution depth protection uses this logging   |
+; |            |           | class                                              |
+; +------------+-----------+----------------------------------------------------+
+; | S_MAIL     | 128       | The mail() header newline protection uses this     |
+; |            |           | logging class                                      |
+; +------------+-----------+----------------------------------------------------+
+; | S_SESSION  | 256       | The transparent session protection uses this       |
+; |            |           | logging class                                      |
+; +------------+-----------+----------------------------------------------------+
+; | S_ALL      | 511       | Combines all classes                               |
+; +------------+-----------+----------------------------------------------------+
+; 
+;suhosin.log.syslog = S_ALL & ~S_SQL
+;
 
+; suhosin.log.syslog.facility
+; ---------------------------
+; * Type: Integer
+; * Default: LOG_USER
+; 
 ; Defines the syslog facility that is used when ALERTs are logged to syslog.
-;suhosin.log.syslog.facility = 
+; Depending on your system type (syslogd) the following facilities are available.
+; Please check your system's include header if the values are the same for your
+; syslogd.
+; 
+; +--------------+-------+
+; | Constant     | Value |
+; +==============+=======+
+; | LOG_KERN     | 8     |
+; +--------------+-------+
+; | LOG_USER     | 9     |
+; +--------------+-------+
+; | LOG_MAIL     | 10    |
+; +--------------+-------+
+; | LOG_DAEMON   | 11    |
+; +--------------+-------+
+; | LOG_AUTH     | 12    |
+; +--------------+-------+
+; | LOG_SYSLOG   | 13    |
+; +--------------+-------+
+; | LOG_LPR      | 14    |
+; +--------------+-------+
+; | LOG_NEWS     | 15    |
+; +--------------+-------+
+; | LOG_UUCP     | 16    |
+; +--------------+-------+
+; | LOG_CRON     | 17    |
+; +--------------+-------+
+; | LOG_AUTHPRIV | 18    |
+; +--------------+-------+
+; | LOG_LOCAL0   | 24    |
+; +--------------+-------+
+; | LOG_LOCAL1   | 25    |
+; +--------------+-------+
+; | LOG_LOCAL2   | 26    |
+; +--------------+-------+
+; | LOG_LOCAL3   | 27    |
+; +--------------+-------+
+; | LOG_LOCAL4   | 28    |
+; +--------------+-------+
+; | LOG_LOCAL5   | 29    |
+; +--------------+-------+
+; | LOG_LOCAL6   | 30    |
+; +--------------+-------+
+; | LOG_LOCAL7   | 31    |
+; +--------------+-------+
+; 
+;suhosin.log.syslog.facility = LOG_USER
+;
 
+; suhosin.log.syslog.priority
+; ---------------------------
+; * Type: Integer
+; * Default: LOG_ALERT
+; 
 ; Defines the syslog priority that is used when ALERTs are logged to syslog.
-;suhosin.log.syslog.priority = 
+; Depending on your system type (syslogd) the following priorities are available.
+; Please check your system's include header if the values are the same for your
+; syslogd.
+; 
+; +------------+-------+
+; |Constant    | Value |
+; +============+=======+
+; |LOG_EMERG   | 0     |
+; +------------+-------+
+; |LOG_ALERT   | 1     |
+; +------------+-------+
+; |LOG_CRIT    | 2     |
+; +------------+-------+
+; |LOG_WARNING | 3     |
+; +------------+-------+
+; |LOG_NOTICE  | 4     |
+; +------------+-------+
+; |LOG_INFO    | 5     |
+; +------------+-------+
+; |LOG_DEBUG   | 6     |
+; +------------+-------+
+; |LOG_ERR     | 7     |
+; +------------+-------+
+; 
+;suhosin.log.syslog.priority = LOG_ALERT
+;
 
+; suhosin.log.sapi
+; ----------------
+; * Type: Integer
+; * Default: S_ALL & ~S_SQL
+; 
 ; Defines what classes of security alerts are logged through the SAPI error log.
-;suhosin.log.sapi = 
+; For a list of available classes see table 1.
+; 
+;suhosin.log.sapi = S_ALL & ~S_SQL
+;
 
-; Defines what classes of security alerts are logged to stdout. Mostly for debugging purposes.
-;suhosin.log.stdout = 
+; suhosin.log.stdout
+; ------------------
+; * Type: Integer
+; * Default: S_ALL & ~S_SQL
+; 
+; Defines what classes of security alerts are logged through STDOUT. For a list
+; of available classes see table 1.
+; 
+;suhosin.log.stdout = S_ALL & ~S_SQL
+;
 
-; Defines what classes of security alerts are logged through the external
-; logging.
-;suhosin.log.script = 
+; suhosin.log.file
+; ----------------
+; * Type: Integer
+; * Default: S_ALL
+; 
+; Defines what classes of security alerts are logged to a separate Suhosin log
+; file set by suhosin.log.file.name.
+; 
+;suhosin.log.file = S_ALL
+;
 
-; Defines what classes of security alerts are logged through the defined PHP
-; script.
-;suhosin.log.phpscript = 0
+; suhosin.log.file.name
+; ---------------------
+; * Type: String
+; * Default:
+; 
+; Defines the full path to a dedicated Suhosin log file.
+; 
+;suhosin.log.file.name = 
+;
 
-; Defines the full path to a external logging script. The script is called with
+; suhosin.log.script
+; ------------------
+; * Type: Integer
+; * Default: 0
+; 
+; Defines what classes of security alerts are logged through the external logging
+; script. For a list of available classes see table 1. An exception is the
+; S_MEMORY class. It cannot be logged by a script, because S_MEMORY is triggered
+; by buffer overflows etc... which means the process is in an unstable state.
+; 
+;suhosin.log.script = 0
+;
+
+; suhosin.log.script.name
+; -----------------------
+; * Type: String
+; * Default:
+; 
+; Defines the full path to an external logging script. The script is called with
 ; 2 parameters. The first one is the alert class in string notation and the
 ; second parameter is the log message. This can be used for example to mail
 ; failing MySQL queries to your email address, because on a production system
-; these things should never happen.
+; these things should never happen (S_SQL not yet supported by Suhosin).
+; 
 ;suhosin.log.script.name = 
+;
+
+; suhosin.log.phpscript
+; ---------------------
+; * Type: Integer
+; * Default: S_ALL
+; 
+; Defines what classes of security alerts are logged through the defined PHP
+; script. For a list of available classes see table 1. Please notice, that only
+; those classes are allowed, that can be triggered during script execution. An
+; exception is the S_MEMORY class. It cannot be logged by a PHP script, because
+; S_MEMORY is triggered by buffer overflows etc... which means the process is in
+; an unstable state.
+; 
+;suhosin.log.phpscript = S_ALL
+;
 
+; suhosin.log.phpscript.name
+; --------------------------
+; * Type: String
+; * Default:
+; 
 ; Defines the full path to a PHP logging script. The script is called with 2
 ; variables registered in the current scope: SUHOSIN_ERRORCLASS and
-; SUHOSIN_ERROR. The first one is the alert class and the second variable is
-; the log message. This can be used for example to mail attempted remote URL
-; include attacks to your email address.
+; SUHOSIN_ERROR. The first one is the alert class and the second variable is the
+; log message. This can be used for example to mail attempted remote URL include
+; attacks to your email address.
+; 
 ;suhosin.log.phpscript.name = 
+;
 
-; Undocumented
+; suhosin.log.phpscript.is_safe
+; -----------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Disables open_basedir (and safe_mode for older PHP versions < 5.4) when
+; executing suhosin.log.phpscript.name.
+; 
 ;suhosin.log.phpscript.is_safe = Off
+;
 
-; When the Hardening-Patch logs an error the log message also contains the IP
-; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
-; environment variable. With this switch it is possible to change this behavior
-; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
-; when your PHP server runs behind a reverse proxy.
-;suhosin.log.use-x-forwarded-for = Off
-
-; -----------------------------------------------------------------------------
+; ================
 ; Executor Options
+; ================
+
+; suhosin.log.use-x-forwarded-for
+; -------------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; When the Suhosin logs an error the log message also contains the IP of the
+; attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI environment
+; variable. With this switch it is possible to change this behavior to read the
+; IP from the X-Forwarded-For HTTP header. This is for example necessary when
+; your PHP server runs behind a reverse proxy.
+; 
+;suhosin.log.use-x-forwarded-for = Off
+;
 
+; suhosin.executor.max_depth
+; --------------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; Defines the maximum stack depth allowed by the executor before it stops the
-; script. Without this function an endless recursion in a PHP script could
-; crash the PHP executor or trigger the configured memory_limit. A value of
-; "0" disables this feature.
+; script. Without this function an endless recursion in a PHP script could crash
+; the PHP executor or trigger the configured memory_limit. A value of '0'
+; disables this feature.
+; 
 ;suhosin.executor.max_depth = 0
+;
 
-; Defines how many "../" an include filename needs to contain to be considered
-; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
-; value of "3" will allow it. Most PHP applications should work flawlessly with
-; values "4" or "5". A value of "0" disables this feature.
+; suhosin.executor.include.max_traversal
+; --------------------------------------
+; * Type: Integer
+; * Default: 0
+; 
+; Defines how many '../' an include filename needs to contain to be considered an
+; attack and stopped. A value of '2' will block '../../etc/passwd', while a value
+; of '3' will allow it. Most PHP applications should work flawlessly with values
+; '4' or '5'. A value of '0' disables this feature.
+; 
 ;suhosin.executor.include.max_traversal = 0
+;
 
+; suhosin.executor.include.whitelist
+; ----------------------------------
+; * Type: String
+; * Default:
+; 
 ; Comma separated whitelist of URL schemes that are allowed to be included from
 ; include or require statements. Additionally to URL schemes it is possible to
 ; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
 ; specified, then the blacklist is evaluated.
+; 
 ;suhosin.executor.include.whitelist = 
+;
 
+; suhosin.executor.include.blacklist
+; ----------------------------------
+; * Type: String
+; * Default:
+; 
 ; Comma separated blacklist of URL schemes that are not allowed to be included
-; from include or require statements. Additionally to URL schemes it is
-; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
-; blacklist and no whitelist is specified all URL schemes are forbidden.
+; from include or require statements. Additionally to URL schemes it is possible
+; to specify the beginning of allowed URLs. (f.e.: php://stdin) If no blacklist
+; and no whitelist is specified all URL schemes are forbidden.
+; 
 ;suhosin.executor.include.blacklist = 
+;
 
-; Defines if PHP is allows to run code from files that are writable by the
-; current process. If a file is created or modified by a PHP process, there
-; is a potential danger of code injection. Only turn this on if you are sure
-; that your application does not require writable PHP files.
+; suhosin.executor.include.allow_writable_files
+; ---------------------------------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Turn this flag off to prevent PHP from executing writable PHP files. This can
+; prevent attackers from executing code that was uploaded before.
+; 
+; Note: Some software such as web-installers or web-based plugin installers won't
+; work out of the box with this flag turned off.
+; 
 ;suhosin.executor.include.allow_writable_files = On
+;
 
+; suhosin.executor.func.whitelist
+; -------------------------------
+; * Type: String
+; * Default:
+; 
 ; Comma separated whitelist of functions that are allowed to be called. If the
-; whitelist is empty the blacklist is evaluated, otherwise calling a function
-; not in the whitelist will terminate the script and get logged.
+; whitelist is empty the blacklist is evaluated, otherwise calling a function not
+; in the whitelist will terminate the script and get logged.
+; 
 ;suhosin.executor.func.whitelist = 
+;
 
-; Comma separated blacklist of functions that are not allowed to be called. If
-; no whitelist is given, calling a function within the blacklist will terminate
-; the script and get logged. 
+; suhosin.executor.func.blacklist
+; -------------------------------
+; * Type: String
+; * Default:
+; 
+; Comma separated blacklist of functions that are not allowed to be called. If no
+; whitelist is given, calling a function within the blacklist will terminate the
+; script and get logged.
+; 
 ;suhosin.executor.func.blacklist = 
+;
 
+; suhosin.executor.eval.whitelist
+; -------------------------------
+; * Type: String
+; * Default:
+; 
 ; Comma separated whitelist of functions that are allowed to be called from
-; within eval(). If the whitelist is empty the blacklist is evaluated,
-; otherwise calling a function not in the whitelist will terminate the script
-; and get logged.
+; within eval(). If the whitelist is empty the blacklist is evaluated, otherwise
+; calling a function not in the whitelist will terminate the script and get
+; logged. Please read the instructions carefully.
+; 
 ;suhosin.executor.eval.whitelist = 
+;
 
+; suhosin.executor.eval.blacklist
+; -------------------------------
+; * Type: String
+; * Default:
+; 
 ; Comma separated blacklist of functions that are not allowed to be called from
 ; within eval(). If no whitelist is given, calling a function within the
-; blacklist will terminate the script and get logged.
+; blacklist will terminate the script and get logged. Please read the
+; instructions carefully.
+; 
 ;suhosin.executor.eval.blacklist = 
+;
 
-; eval() is a very dangerous statement and therefore you might want to disable
-; it completely. Deactivating it will however break lots of scripts. Because
-; every violation is logged, this allows finding all places where eval() is
-; used.
+; suhosin.executor.disable_eval
+; -----------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; eval() is a very dangerous statement and therefore you might want to disable it
+; completely. Deactivating it will however break lots of scripts. Because every
+; violation is logged, this allows finding all places where eval() is used.
+; 
 ;suhosin.executor.disable_eval = Off
+;
 
+; suhosin.executor.disable_emodifier
+; ----------------------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; The /e modifier inside preg_replace() allows code execution. Often it is the
-; cause for remote code execution exploits. It is wise to deactivate this
-; feature and test where in the application it is used. The developer using the
-; /e modifier should be made aware that he should use preg_replace_callback()
+; cause for remote code execution exploits. It is wise to deactivate this feature
+; and test where in the application it is used. The developer using the /e
+; modifier should be made aware that he should use preg_replace_callback()
 ; instead.
+; 
 ;suhosin.executor.disable_emodifier = Off
+;
 
-; This flag reactivates symlink() when open_basedir is used, which is disabled
-; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
-; is actually a security risk. 
-;suhosin.executor.allow_symlink = Off
-
-; -----------------------------------------------------------------------------
+; ============
 ; Misc Options
+; ============
 
+; suhosin.executor.allow_symlink
+; ------------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; This flag reactivates symlink() when open_basedir is used, which is disabled by
+; default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used is
+; actually a security risk.
+; 
+;suhosin.executor.allow_symlink = Off
+;
+
+; suhosin.simulation
+; ------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; If you fear that Suhosin breaks your application, you can activate Suhosin's
 ; simulation mode with this flag. When Suhosin runs in simulation mode,
 ; violations are logged as usual, but nothing is blocked or removed from the
-; request. (Transparent features are NOT deactivated in simulation mode.)
-; (since v0.9.30 affects (dis)allowed functions)
+; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
+; 
 ;suhosin.simulation = Off
+;
+
+; suhosin.perdir
+; --------------
+; * Type: String
+; * Default: "0"
+; 
+; Allow certain categories of config directives to be changed by .htaccess for
+; each directory individually. Possible values are "l" (log), "e" (exec), "g"
+; (get), "c" (cookie), "p" (post), "r" (request), "s" (sql), "u" (upload), "m"
+; (misc) or any combination, e.g. "legcprsum" to allow everything. Both "0" and
+; no value disable this feature.
+; 
+;suhosin.perdir = "0"
+;
 
+; suhosin.protectkey
+; ------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Prevent Suhosin's secret key material (suhosin.cookie.cryptkey,
+; suhosin.session.cryptkey, suhosin.rand.seedingkey) from being exposed by
+; phpinfo().
+; 
+;suhosin.protectkey = On
+;
+
+; suhosin.coredump
+; ----------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Controls if suhosin coredumps when the optional suhosin patch detects a buffer
+; overflow, memory corruption or double free. This is only for debugging purposes
+; and should not be activated.
+; 
+;suhosin.coredump = Off
+;
+
+; suhosin.stealth
+; ---------------
+; * Type: Boolean
+; * Default: On
+; 
+; controls if suhosin loads in stealth mode when it is not the only
+; zend_extension (Required for full compatibility with certain encoders that
+; consider open source untrusted. e.g. ionCube, Zend)
+; 
+;suhosin.stealth = On
+;
+
+; suhosin.apc_bug_workaround
+; --------------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
 ; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
 ; will overwrite the information Suhosin stores in this slot. When this flag is
 ; set Suhosin will request 2 Slots and use the second one. This allows working
 ; correctly with these buggy APC versions.
+; 
 ;suhosin.apc_bug_workaround = Off
+;
 
-; When a SQL Query fails scripts often spit out a bunch of useful information
-; for possible attackers. When this configuration directive is turned on, the
-; script will silently terminate, after the problem has been logged. (This is
-; not yet supported)
-;suhosin.sql.bailout_on_error = Off
-
-; This is an experimental feature for shared environments. With this
-; configuration option it is possible to specify a prefix that is automatically
-; prepended to the database username, whenever a database connection is made.
-; (Unless the username starts with the prefix)
-;suhosin.sql.user_prefix = 
-
-; This is an experimental feature for shared environments. With this
-; configuration option it is possible to specify a postfix that is
-; automatically appended to the database username, whenever a database
-; connection is made. (Unless the username end with the postfix)
+; suhosin.disable.display_errors
+; ------------------------------
+; * Type: String
+; * Default: 0
+; 
+; Prevent PHP from setting display_errors programmatically. "0" means off. Any
+; one of "1", "on", "yes", "true" means on. "fail" or "2" (or greater values)
+; will let PHP know that the value change failed.
+; 
+;suhosin.disable.display_errors = 0
 ;
-; With this feature it is possible for shared hosters to disallow customers to
-; connect with the usernames of other customers. This feature is experimental,
-; because support for PDO and PostgreSQL are not yet implemented. 
-;suhosin.sql.user_postfix = 
 
+; suhosin.multiheader
+; -------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; This directive controls if multiple headers are allowed or not in a header()
-; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
-; multiple lines are still allowed).
+; call. By default the Suhosin forbids this. (HTTP headers spanning multiple
+; lines are still allowed).
+; 
 ;suhosin.multiheader = Off
+;
 
-; This directive controls if the mail() header protection is activated or not
-; and to what degree it is activated. The appended table lists the possible
+; suhosin.mail.protect
+; --------------------
+; * Type: Integer
+; * Default: 0
+; 
+; This directive controls if the mail() header protection is activated or not and
+; to what degree it is activated. The appended table lists the possible
 ; activation levels.
-suhosin.mail.protect = 1
+; 
+; +-------+--------------------------------------------------------------------+
+; | Value | Description                                                        |
+; +=======+====================================================================+
+; | 0     | mail() header protection is disabled                               |
+; +-------+--------------------------------------------------------------------+
+; | 1     | Disallows newlines in Subject:, To: headers and double newlines in |
+; |       | additional headers                                                 |
+; +-------+--------------------------------------------------------------------+
+; | 2     | Additionally disallows To:, CC:, BCC: in additional headers        |
+; +-------+--------------------------------------------------------------------+
+; 
+; Logging of this class of alerts is controlled by the new S_MAIL constant.
+; 
+;suhosin.mail.protect = 0
+;
 
+; ========================
+; SQL Injection Protection
+; ========================
+
+; suhosin.memory_limit
+; --------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; As long scripts are not running within safe_mode they are free to change the
 ; memory_limit to whatever value they want. Suhosin changes this fact and
 ; disallows setting the memory_limit to a value greater than the one the script
-; started with, when this option is left at 0. A value greater than 0 means
-; that Suhosin will disallows scripts setting the memory_limit to a value above
-; this configured hard limit. This is for example usefull if you want to run
-; the script normaly with a limit of 16M but image processing scripts may raise
-; it to 20M.
+; started with, when this option is left at 0. A value greater than 0 means that
+; Suhosin will disallow scripts setting the memory_limit to a value above this
+; configured hard limit. This is for example useful if you want to run the script
+; normally with a limit of 16M but image processing scripts may raise it to 20M.
+; 
+; 
+; 
+; This class of features is experimental and still in development. As of Suhosin
+; version 0.9.36 only preliminary MySQL support was added.
+; 
 ;suhosin.memory_limit = 0
+;
 
-; -----------------------------------------------------------------------------
-; Randomness Options
+; suhosin.sql.bailout_on_error
+; ----------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; (Planned feature. This is not yet supported.) When an SQL Query fails scripts
+; often spit out a bunch of useful information for possible attackers. When this
+; configuration directive is turned on, the script will silently terminate, after
+; the problem has been logged.
+; 
+;suhosin.sql.bailout_on_error = Off
+;
 
-; Flag that controls if calls to srand() are ignored in favour of suhosin's 
-; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding
-;suhosin.srand.ignore = On
+; suhosin.sql.user_prefix
+; -----------------------
+; * Type: String
+; * Default:
+; 
+; This is an experimental feature for shared environments. With this
+; configuration option it is possible to specify a prefix that is automatically
+; prepended to the database username, whenever a database connection is made.
+; (Unless the username starts with the prefix)
+; 
+; With this feature it is possible for shared hosters to disallow customers to
+; connect with the usernames of other customers. This feature is experimental,
+; because support for PDO and PostgreSQL are not yet implemented.
+; 
+;suhosin.sql.user_prefix = 
+;
 
-; Flag that controls if calls to mt_srand() are ignored in favour of suhosin's 
-; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding
-;suhosin.mt_srand.ignore = On
+; suhosin.sql.user_postfix
+; ------------------------
+; * Type: String
+; * Default:
+; 
+; This is an experimental feature for shared environments. With this
+; configuration option it is possible to specify a postfix that is automatically
+; appended to the database username, whenever a database connection is made.
+; (Unless the username end with the postfix)
+; 
+; With this feature it is possible for shared hosters to disallow customers to
+; connect with the usernames of other customers. This feature is experimental,
+; because support for PDO and PostgreSQL are not yet implemented.
+; 
+;suhosin.sql.user_postfix = 
+;
 
-; Server configuration can add a string into the entropy generation to further
-; improve the entropy used for reseeding rand()/mt_rand()
-;suhosin.rand.seedingkey = 
+; suhosin.sql.comment
+; -------------------
+; * Type: Integer
+; * Default: 0
+; 
+; This is an experimental feature. Alert if an SQL query contains one or more
+; comments starting with --, /* or #. A value of 1 logs the alert; 2 or greater
+; let the call fail.
+; 
+; Note: Mysql conditional statements starting with ``/*!`` are exempt if used
+; with Mysqli.
+; 
+;suhosin.sql.comment = 0
+;
 
-; Controls if automatic reseeding of rand() / mt_rand() is done for every
-; new request. Will improve security but decrease performance.
-; suhosin.rand.reseed_every_request = Off
+; suhosin.sql.opencomment
+; -----------------------
+; * Type: Integer
+; * Default: 0
+; 
+; This is an experimental feature.
+; Alert if a MySQL comment was started but not closed: ``/*`` without ``*/``. A
+; value of 1 logs the alert; 2 or greater let the call fail.
+; 
+;suhosin.sql.opencomment = 0
+;
+
+; suhosin.sql.multiselect
+; -----------------------
+; * Type: Integer
+; * Default: 0
+; 
+; This is an experimental feature.
+; Alert if an SQL query contains more than one SELECT statement. A value of 1
+; logs the alert; 2 or greater let the call fail.
+; 
+; Note: This flag will recognise multiple statements as well as subselects, e.g.
+; "SELECT 1; SELECT 2" and "SELECT * FROM (SELECT 1)".
+; 
+;suhosin.sql.multiselect = 0
+;
 
-; -----------------------------------------------------------------------------
+; ==============================
 ; Transparent Encryption Options
+; ==============================
 
+; suhosin.sql.union
+; -----------------
+; * Type: Integer
+; * Default: 0
+; 
+; This is an experimental feature.
+; Alert if an SQL query contains one or more UNIONs.
+; A value of 1 logs the alert; 2 or greater let the call fail.
+; 
+;suhosin.sql.union = 0
+;
+
+; suhosin.session.encrypt
+; -----------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; Flag that decides if the transparent session encryption is activated or not.
+; 
 ;suhosin.session.encrypt = On
+;
 
+; suhosin.session.cryptkey
+; ------------------------
+; * Type: String
+; * Default:
+; 
 ; Session data can be encrypted transparently. The encryption key used consists
 ; of this user defined string (which can be altered by a script via ini_set())
-; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
+; and optionally the User-Agent, the Document-Root and 0-4 octects of the
 ; REMOTE_ADDR.
+; 
 ;suhosin.session.cryptkey = 
+;
 
+; suhosin.session.cryptua
+; -----------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; Flag that decides if the transparent session encryption key depends on the
-; User-Agent field. (When activated this feature transparently adds a little
-; bit protection against session fixation/hijacking attacks)
-;suhosin.session.cryptua = On
+; User-Agent field. (When activated this feature transparently adds a little bit
+; protection against session fixation/hijacking attacks)
+; 
+;suhosin.session.cryptua = Off
+;
 
+; suhosin.session.cryptdocroot
+; ----------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; Flag that decides if the transparent session encryption key depends on the
 ; Documentroot field.
+; 
 ;suhosin.session.cryptdocroot = On
+;
 
+; suhosin.session.cryptraddr
+; --------------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
 ; encryption key depends on. Keep in mind that this should not be used on sites
-; that have visitors from big ISPs, because their IP address often changes
-; during a session. But this feature might be interesting for admin interfaces
-; or intranets. When used wisely this is a transparent protection against
-; session hijacking/fixation. 
+; that have visitors from big ISPs, because their IP address often changes during
+; a session. But this feature might be interesting for admin interfaces or
+; intranets. When used wisely this is a transparent protection against session
+; hijacking/fixation. This feature supports IPv4 only.
+; 
 ;suhosin.session.cryptraddr = 0
+;
 
+; suhosin.session.checkraddr
+; --------------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
 ; session. The difference to suhosin.session.cryptaddr is, that the IP is not
-; part of the encryption key, so that the same session can be used for
-; different areas with different protection levels on the site.
+; part of the encryption key, so that the same session can be used for different
+; areas with different protection levels on the site. This feature supports IPv4
+; only.
+; 
 ;suhosin.session.checkraddr = 0
+;
 
+; suhosin.cookie.encrypt
+; ----------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; Flag that decides if the transparent cookie encryption is activated or not.
-;suhosin.cookie.encrypt = 0
+; 
+;suhosin.cookie.encrypt = Off
+;
 
+; suhosin.cookie.cryptkey
+; -----------------------
+; * Type: String
+; * Default:
+; 
 ; Cookies can be encrypted transparently. The encryption key used consists of
 ; this user defined string and optionally the User-Agent, the Document-Root and
-; 0-4 Octects of the REMOTE_ADDR.
+; 0-4 octects of the REMOTE_ADDR.
+; 
 ;suhosin.cookie.cryptkey = 
+;
 
+; suhosin.cookie.cryptua
+; ----------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; Flag that decides if the transparent session encryption key depends on the
-; User-Agent field. (When activated this feature transparently adds a little
-; bit protection against session fixation/hijacking attacks (if only session
-; cookies are allowed))
+; User-Agent field. (When activated this feature transparently adds a little bit
+; protection against session fixation/hijacking attacks (if only session cookies
+; are allowed))
+; 
 ;suhosin.cookie.cryptua = On
+;
 
+; suhosin.cookie.cryptdocroot
+; ---------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; Flag that decides if the transparent cookie encryption key depends on the
 ; Documentroot field.
+; 
 ;suhosin.cookie.cryptdocroot = On
+;
 
+; suhosin.cookie.cryptraddr
+; -------------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
 ; encryption key depends on. Keep in mind that this should not be used on sites
-; that have visitors from big ISPs, because their IP address often changes
-; during a session. But this feature might be interesting for admin interfaces
-; or intranets. When used wisely this is a transparent protection against
-; session hijacking/fixation.
+; that have visitors from big ISPs, because their IP address often changes during
+; a session. But this feature might be interesting for admin interfaces or
+; intranets. When used wisely this is a transparent protection against session
+; hijacking/fixation. This feature supports IPv4 only.
+; 
 ;suhosin.cookie.cryptraddr = 0
+;
 
+; suhosin.cookie.checkraddr
+; -------------------------
+; * Type: Integer
+; * Default: 0
+; 
 ; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
-; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
-; part of the encryption key, so that the same cookie can be used for different
-; areas with different protection levels on the site.
+; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not part
+; of the encryption key, so that the same cookie can be used for different areas
+; with different protection levels on the site. This feature supports IPv4 only.
+; 
 ;suhosin.cookie.checkraddr = 0
+;
 
-; In case not all cookies are supposed to get encrypted this is a comma
-; separated list of cookie names that should get encrypted. All other cookies
-; will not get touched.
+; suhosin.cookie.cryptlist
+; ------------------------
+; * Type: String
+; * Default:
+; 
+; In case not all cookies are supposed to get encrypted this is a comma separated
+; list of cookie names that should get encrypted. All other cookies will not get
+; touched.
+; 
 ;suhosin.cookie.cryptlist = 
+;
+
+; =================
+; Filtering Options
+; =================
 
-; In case some cookies should not be crypted this is a comma separated list of
+; suhosin.cookie.plainlist
+; ------------------------
+; * Type: String
+; * Default:
+; 
+; In case some cookies should not be encrypted this is a comma separated list of
 ; cookies that do not get encrypted. All other cookies will be encrypted.
+; 
 ;suhosin.cookie.plainlist = 
+;
 
-; -----------------------------------------------------------------------------
-; Filtering Options
-
-; Defines the reaction of Suhosin on a filter violation.
+; suhosin.filter.action
+; ---------------------
+; * Type: Mixed
+; * Default:
+; 
+; Defines the reaction of Suhosin on a filter violation. Following possible
+; actions are supported
+; 
+; +-------------------------------+--------------------------------------------+
+; | Type                          | Description                                |
+; +===============================+============================================+
+; |                               | Normal action is simply blocking the       |
+; |                               | variable from being registered             |
+; +-------------------------------+--------------------------------------------+
+; | 402                           | Do not execute the script and return a     |
+; |                               | HTTP 402 response code                     |
+; +-------------------------------+--------------------------------------------+
+; | [302,]http://www.example.com  | Redirect to http://www.example.com instead |
+; |                               | of executing. Optionally set a specific    |
+; |                               | HTTP response code                         |
+; +-------------------------------+--------------------------------------------+
+; | [402,]/var/scripts/badguy.php | Execute a specific PHP script instead of   |
+; |                               | the requested script. Optionally set a     |
+; |                               | specific HTTP response code                |
+; +-------------------------------+--------------------------------------------+
+; 
 ;suhosin.filter.action = 
+;
 
+; suhosin.cookie.max_array_depth
+; ------------------------------
+; * Type: Integer
+; * Default: 50
+; 
 ; Defines the maximum depth an array variable may have, when registered through
 ; the COOKIE.
+; 
+; Note: Array depth is not the number of elements within an array.
+; 
 ;suhosin.cookie.max_array_depth = 50
+;
 
+; suhosin.cookie.max_array_index_length
+; -------------------------------------
+; * Type: Integer
+; * Default: 64
+; 
 ; Defines the maximum length of array indices for variables registered through
 ; the COOKIE.
+; 
 ;suhosin.cookie.max_array_index_length = 64
+;
 
+; suhosin.cookie.max_name_length
+; ------------------------------
+; * Type: Integer
+; * Default: 64
+; 
 ; Defines the maximum length of variable names for variables registered through
 ; the COOKIE. For array variables this is the name in front of the indices.
+; 
 ;suhosin.cookie.max_name_length = 64
+;
 
+; suhosin.cookie.max_totalname_length
+; -----------------------------------
+; * Type: Integer
+; * Default: 256
+; 
 ; Defines the maximum length of the total variable name when registered through
 ; the COOKIE. For array variables this includes all indices.
+; 
 ;suhosin.cookie.max_totalname_length = 256
+;
 
-; Defines the maximum length of a variable that is registered through the
-; COOKIE.
+; suhosin.cookie.max_value_length
+; -------------------------------
+; * Type: Integer
+; * Default: 10000
+; 
+; Defines the maximum length of a variable that is registered through the COOKIE.
+; 
 ;suhosin.cookie.max_value_length = 10000
+;
 
+; suhosin.cookie.max_vars
+; -----------------------
+; * Type: Integer
+; * Default: 100
+; 
 ; Defines the maximum number of variables that may be registered through the
 ; COOKIE.
+; 
 ;suhosin.cookie.max_vars = 100
+;
 
+; suhosin.cookie.disallow_nul
+; ---------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-;suhosin.cookie.disallow_nul = 1
+; 
+;suhosin.cookie.disallow_nul = On
+;
 
+; suhosin.cookie.disallow_ws
+; --------------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Ignore cookies with names starting with whitespace.
+; 
+;suhosin.cookie.disallow_ws = On
+;
+
+; suhosin.get.max_array_depth
+; ---------------------------
+; * Type: Integer
+; * Default: 50
+; 
 ; Defines the maximum depth an array variable may have, when registered through
-; the URL
+; the URL.
+; 
+; Note: Array depth is not the number of elements within an array.
+; 
 ;suhosin.get.max_array_depth = 50
+;
 
+; suhosin.get.max_array_index_length
+; ----------------------------------
+; * Type: Integer
+; * Default: 64
+; 
 ; Defines the maximum length of array indices for variables registered through
-; the URL
+; the URL.
+; 
 ;suhosin.get.max_array_index_length = 64
+;
 
+; suhosin.get.max_name_length
+; ---------------------------
+; * Type: Integer
+; * Default: 64
+; 
 ; Defines the maximum length of variable names for variables registered through
 ; the URL. For array variables this is the name in front of the indices.
+; 
 ;suhosin.get.max_name_length = 64
+;
 
+; suhosin.get.max_totalname_length
+; --------------------------------
+; * Type: Integer
+; * Default: 256
+; 
 ; Defines the maximum length of the total variable name when registered through
 ; the URL. For array variables this includes all indices.
+; 
 ;suhosin.get.max_totalname_length = 256
+;
 
+; suhosin.get.max_value_length
+; ----------------------------
+; * Type: Integer
+; * Default: 512
+; 
 ; Defines the maximum length of a variable that is registered through the URL.
+; 
 ;suhosin.get.max_value_length = 512
+;
 
-; Defines the maximum number of variables that may be registered through the
-; URL.
+; suhosin.get.max_vars
+; --------------------
+; * Type: Integer
+; * Default: 100
+; 
+; Defines the maximum number of variables that may be registered through the URL.
+; 
 ;suhosin.get.max_vars = 100
+;
 
+; suhosin.get.disallow_nul
+; ------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-;suhosin.get.disallow_nul = 1
+; 
+;suhosin.get.disallow_nul = On
+;
 
-; Defines the maximum depth an array variable may have, when registered through
-; a POST request.
+; suhosin.get.disallow_ws
+; -----------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Ignore GET parameters with names starting with whitespace.
+; 
+;suhosin.get.disallow_ws = Off
+;
+
+; suhosin.post.max_array_depth
+; ----------------------------
+; * Type: Integer
+; * Default: 50
+; 
+; Defines the maximum depth an array variable may have, when registered through a
+; POST request.
+; 
+; Note: Array depth is not the number of elements within an array.
+; 
 ;suhosin.post.max_array_depth = 50
+;
 
-; Defines the maximum length of array indices for variables registered through
-; a POST request.
+; suhosin.post.max_array_index_length
+; -----------------------------------
+; * Type: Integer
+; * Default: 64
+; 
+; Defines the maximum length of array indices for variables registered through a
+; POST request.
+; 
 ;suhosin.post.max_array_index_length = 64
+;
 
-; Defines the maximum length of variable names for variables registered through
-; a POST request. For array variables this is the name in front of the indices.
+; suhosin.post.max_name_length
+; ----------------------------
+; * Type: Integer
+; * Default: 64
+; 
+; Defines the maximum length of variable names for variables registered through a
+; POST request. For array variables this is the name in front of the indices.
+; 
 ;suhosin.post.max_name_length = 64
+;
 
-; Defines the maximum length of the total variable name when registered through
-; a POST request. For array variables this includes all indices.
+; suhosin.post.max_totalname_length
+; ---------------------------------
+; * Type: Integer
+; * Default: 256
+; 
+; Defines the maximum length of the total variable name when registered through a
+; POST request. For array variables this includes all indices.
+; 
 ;suhosin.post.max_totalname_length = 256
+;
 
+; suhosin.post.max_value_length
+; -----------------------------
+; * Type: Integer
+; * Default: 1000000
+; 
 ; Defines the maximum length of a variable that is registered through a POST
 ; request.
+; 
 ;suhosin.post.max_value_length = 1000000
+;
 
+; suhosin.post.max_vars
+; ---------------------
+; * Type: Integer
+; * Default: 1000
+; 
 ; Defines the maximum number of variables that may be registered through a POST
 ; request.
+; 
 ;suhosin.post.max_vars = 1000
+;
 
+; suhosin.post.disallow_nul
+; -------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-;suhosin.post.disallow_nul = 1
+; 
+;suhosin.post.disallow_nul = On
+;
+
+; suhosin.post.disallow_ws
+; ------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Ignore POST parameters with names starting with whitespace.
+; 
+;suhosin.post.disallow_ws = Off
+;
 
+; suhosin.request.max_array_depth
+; -------------------------------
+; * Type: Integer
+; * Default: 50
+; 
 ; Defines the maximum depth an array variable may have, when registered through
-; GET , POST or COOKIE. This setting is also an upper limit for the separate
-; GET, POST, COOKIE configuration directives.
+; GET , POST or COOKIE. This setting is also an upper limit for the separate GET,
+; POST, COOKIE configuration directives.
+; 
+; Note: Array depth is not the number of elements within an array.
+; 
 ;suhosin.request.max_array_depth = 50
+;
 
+; suhosin.request.max_array_index_length
+; --------------------------------------
+; * Type: Integer
+; * Default: 64
+; 
 ; Defines the maximum length of array indices for variables registered through
-; GET, POST or COOKIE. This setting is also an upper limit for the separate
-; GET, POST, COOKIE configuration directives.
+; GET, POST or COOKIE. This setting is also an upper limit for the separate GET,
+; POST, COOKIE configuration directives.
+; 
 ;suhosin.request.max_array_index_length = 64
+;
 
+; suhosin.request.max_totalname_length
+; ------------------------------------
+; * Type: Integer
+; * Default: 256
+; 
 ; Defines the maximum length of variable names for variables registered through
 ; the COOKIE, the URL or through a POST request. This is the complete name
-; string, including all indicies. This setting is also an upper limit for the
+; string, including all indices. This setting is also an upper limit for the
 ; separate GET, POST, COOKIE configuration directives.
+; 
 ;suhosin.request.max_totalname_length = 256
+;
 
-; Defines the maximum length of a variable that is registered through the
-; COOKIE, the URL or through a POST request. This setting is also an upper
-; limit for the variable origin specific configuration directives.
+; suhosin.request.max_value_length
+; --------------------------------
+; * Type: Integer
+; * Default: 1000000
+; 
+; Defines the maximum length of a variable that is registered through the COOKIE,
+; the URL or through a POST request. This setting is also an upper limit for the
+; variable origin specific configuration directives.
+; 
 ;suhosin.request.max_value_length = 1000000
+;
 
+; suhosin.request.max_vars
+; ------------------------
+; * Type: Integer
+; * Default: 1000
+; 
 ; Defines the maximum number of variables that may be registered through the
-; COOKIE, the URL or through a POST request. This setting is also an upper
-; limit for the variable origin specific configuration directives.
+; COOKIE, the URL or through a POST request. This setting is also an upper limit
+; for the variable origin specific configuration directives.
+; 
 ;suhosin.request.max_vars = 1000
+;
 
-; Defines the maximum name length (excluding possible array indicies) of
-; variables that may be registered through the COOKIE, the URL or through a
-; POST request. This setting is also an upper limit for the variable origin
-; specific configuration directives.
+; suhosin.request.max_varname_length
+; ----------------------------------
+; * Type: Integer
+; * Default: 64
+; 
+; Defines the maximum name length (excluding possible array indices) of variables
+; that may be registered through the COOKIE, the URL or through a POST request.
+; This setting is also an upper limit for the variable origin specific
+; configuration directives.
+; 
 ;suhosin.request.max_varname_length = 64
+;
 
+; suhosin.request.disallow_nul
+; ----------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; When set to On ASCIIZ chars are not allowed in variables.
-;suhosin.request.disallow_nul = 1
-
-; When set to On the dangerous characters <>"'` are urlencoded when found
-; not encoded in the server variables REQUEST_URI and QUERY_STRING. This
-; will protect against some XSS vulnerabilities.
-;suhosin.server.encode = 1
+; 
+;suhosin.request.disallow_nul = On
+;
 
-; When set to On the dangerous characters <>"'` are replaced with ? in
-; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
-; protect against some XSS vulnerabilities.
-;suhosin.server.strip = 1
+; suhosin.request.disallow_ws
+; ---------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Ignore all variables with names starting with whitespace.
+; 
+;suhosin.request.disallow_ws = Off
+;
 
+; suhosin.upload.max_uploads
+; --------------------------
+; * Type: Integer
+; * Default: 25
+; 
 ; Defines the maximum number of files that may be uploaded with one request.
+; 
 ;suhosin.upload.max_uploads = 25
+;
 
+; suhosin.upload.disallow_elf
+; ---------------------------
+; * Type: Boolean
+; * Default: On
+; 
 ; When set to On it is not possible to upload ELF executables.
-;suhosin.upload.disallow_elf = 1
+; 
+;suhosin.upload.disallow_elf = On
+;
 
+; suhosin.upload.disallow_binary
+; ------------------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; When set to On it is not possible to upload binary files.
-;suhosin.upload.disallow_binary = 0
+; 
+;suhosin.upload.disallow_binary = Off
+;
 
+; suhosin.upload.remove_binary
+; ----------------------------
+; * Type: Boolean
+; * Default: Off
+; 
 ; When set to On binary content is removed from the uploaded files.
-;suhosin.upload.remove_binary = 0
+; 
+;suhosin.upload.remove_binary = Off
+;
 
+; suhosin.upload.verification_script
+; ----------------------------------
+; * Type: String
+; * Default:
+; 
 ; This defines the full path to a verification script for uploaded files. The
-; script gets the temporary filename supplied and has to decide if the upload
-; is allowed. A possible application for this is to scan uploaded files for
-; viruses. The called script has to write a 1 as first line to standard output
-; to allow the upload. Any other value or no output at all will result in the
-; file being deleted.
+; script gets the temporary filename supplied and has to decide if the upload is
+; allowed. A possible application for this is to scan uploaded files for viruses.
+; The called script has to write a 1 as first line to standard output to allow
+; the upload. Any other value or no output at all will result in the file being
+; deleted.
+; 
 ;suhosin.upload.verification_script = 
+;
 
-; Specifies the maximum length of the session identifier that is allowed. When
-; a longer session identifier is passed a new session identifier will be
-; created. This feature is important to fight bufferoverflows in 3rd party
-; session handlers.
+; suhosin.session.max_id_length
+; -----------------------------
+; * Type: Integer
+; * Default: 128
+; 
+; Specifies the maximum length of the session identifier that is allowed. When a
+; longer session identifier is passed a new session identifier will be created.
+; This feature is important to fight buffer overflows in 3rd party session
+; handlers.
+; 
 ;suhosin.session.max_id_length = 128
+;
 
-; Undocumented: Controls if suhosin coredumps when the optional suhosin patch 
-; detects a bufferoverflow, memory corruption or double free. This is only
-; for debugging purposes and should not be activated.
-;suhosin.coredump = Off
+; suhosin.server.encode
+; ---------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Encode potentially dangerous characters in REQUEST_URI and QUERY_STRING with
+; URL encoding.
+; 
+;suhosin.server.encode = On
+;
 
-; Undocumented: Controls if the encryption keys specified by the configuration
-; are shown in the phpinfo() output or if they are hidden from it
-;suhosin.protectkey = 1
+; suhosin.server.strip
+; --------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Replace potentially dangerous characters in PHP_SELF, PATH_INFO,
+; PATH_TRANSLATED and HTTP_USER_AGENT with '?'.
+; 
+;suhosin.server.strip = On
+;
 
-; Controls if suhosin loads in stealth mode when it is not the only
-; zend_extension (Required for full compatibility with certain encoders 
-;  that consider open source untrusted. e.g. ionCube, Zend)
-;suhosin.stealth = 1
+; suhosin.rand.seedingkey
+; -----------------------
+; * Type: String
+; * Default:
+; 
+; This string is added to the entropy pool for seeding the random number
+; generator.
+; 
+;suhosin.rand.seedingkey = 
+;
+
+; suhosin.rand.reseed_every_request
+; ---------------------------------
+; * Type: Boolean
+; * Default: Off
+; 
+; Controls if automatic reseeding of rand() / mt_rand() is done for every new
+; request. Will improve security but decrease performance. In case the system's
+; entry pool is exhausted, this flag may either significantly increase execution
+; time or otherwise use less entropy (which is bad).
+; 
+;suhosin.rand.reseed_every_request = Off
+;
+
+; suhosin.srand.ignore
+; --------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Flag that controls if calls to srand() are ignored in favour of Suhosin's own
+; enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
+; 
+;suhosin.srand.ignore = On
+;
+
+; suhosin.mt_srand.ignore
+; -----------------------
+; * Type: Boolean
+; * Default: On
+; 
+; Flag that controls if calls to mt_srand() are ignored in favour of Suhosin's
+; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
+; 
+;suhosin.mt_srand.ignore = On
+;
 
-; Controls if suhosin's ini directives are changeable per directory
-; because the admin might want to allow some features to be controlable
-; by .htaccess and some not. For example the logging capabilities can
-; break safemode and open_basedir restrictions when .htaccess support is
-; allowed and the admin forgot to fix their values in httpd.conf
-; An empty value or a 0 will result in all directives not allowed in
-; .htaccess. The string "legcprsum" will allow logging, execution, get, 
-; post, cookie, request, sql, upload, misc features in .htaccess
-;suhosin.perdir = "0"