From 765706eb5a01756542faf5609b303927bd6f43dc Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Mon, 2 May 2016 19:08:38 +0200
Subject: added ini section [suhosin]
---
 suhosin.ini | 608 +++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 359 insertions(+), 249 deletions(-)
diff --git a/suhosin.ini b/suhosin.ini
index 711baf6..eaf566b 100644
--- a/suhosin.ini
+++ b/suhosin.ini
@@ -1,12 +1,13 @@
- ;extension=suhosin.so - +[suhosin] +; ; ===================== ; Logging Configuration ; ===================== - +; ; suhosin.log.syslog ; ------------------ +; ; * Type: Integer ; * Default: S_ALL & ~S_SQL ;
@@ -49,12 +50,13 @@
; ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value, e.g. `suhosin.log.syslog=511`. -; +; ;suhosin.log.syslog = S_ALL & ~S_SQL ; - +; ; suhosin.log.syslog.facility ; --------------------------- +; ; * Type: Integer ; * Default: LOG_USER ;
@@ -104,12 +106,13 @@
; +--------------+-------+ ; | LOG_LOCAL7 | 31 | ; +--------------+-------+ -; +; ;suhosin.log.syslog.facility = LOG_USER ; - +; ; suhosin.log.syslog.priority ; --------------------------- +; ; * Type: Integer ; * Default: LOG_ALERT ;
@@ -137,12 +140,13 @@
; +------------+-------+ ; |LOG_ERR | 7 | ; +------------+-------+ -; +; ;suhosin.log.syslog.priority = LOG_ALERT ; - +; ; suhosin.log.sapi ; ---------------- +; ; * Type: Integer ; * Default: 0 ;
@@ -151,12 +155,13 @@
; ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value. -; +; ;suhosin.log.sapi = 0 ; - +; ; suhosin.log.stdout ; ------------------ +; ; * Type: Integer ; * Default: 0 ;
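Review bot: With `;extension=suhosin.so` removed and only the `[suhosin]` section header added in its place, nothing in this file loads the extension any more, so every suhosin.* directive below is silently ignored by PHP unless suhosin.so is loaded from another ini file, and no later hunk says where that happens. A one-line comment under the new header would make the dependency explicit, e.g. `; Requires the extension to be loaded elsewhere (extension=suhosin.so); these directives have no effect otherwise.` If the intent is that this file sits in conf.d next to a separate loader stanza, stating that here avoids a deployment that believes the protections are active when they are not. The remaining four hunks on this line are whitespace and comment-only changes.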
@@ -166,14 +171,15 @@ ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value. ; -; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only -; and should not be used in production. -; +; **IMPORTANT NOTE**: This option is meant for debugging purposes and unittests +; only and should not be used in production. +; ;suhosin.log.stdout = 0 ; - +; ; suhosin.log.file ; ---------------- +; ; * Type: Integer ; * Default: 0 ; @@ -182,35 +188,38 @@ ; ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value. -; +; ;suhosin.log.file = 0 ; - +; ; suhosin.log.file.name ; --------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Defines the full path to a dedicated Suhosin log file. -; +; ;suhosin.log.file.name = ; - +; ; suhosin.log.file.time ; --------------------- +; ; * Type: Boolean ; * Default: On ; ; Specifies if suhosin.log.file contains timestamp for each log entry. ; -; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only -; and should not be used in production. -; +; **IMPORTANT NOTE**: This option is meant for debugging purposes and unittests +; only and should not be used in production. +; ;suhosin.log.file.time = On ; - +; ; suhosin.log.script ; ------------------ +; ; * Type: Integer ; * Default: 0 ; 
@@ -221,26 +230,28 @@ ; ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value. -; +; ;suhosin.log.script = 0 ; - +; ; suhosin.log.script.name ; ----------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Defines the full path to an external logging script. The script is called with ; 2 parameters. The first one is the alert class in string notation and the ; second parameter is the log message. This can be used for example to mail ; failing MySQL queries to your email address, because on a production system ; these things should never happen (S_SQL not yet supported by Suhosin). -; +; ;suhosin.log.script.name = ; - +; ; suhosin.log.phpscript ; --------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -253,37 +264,40 @@ ; ; Using constant names is only supported with the Suhosin-Patch. If in doubt, use ; the numeric value. -; +; ;suhosin.log.phpscript = 0 ; - +; ; suhosin.log.phpscript.name ; -------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Defines the full path to a PHP logging script. The script is called with 2 ; variables registered in the current scope: SUHOSIN_ERRORCLASS and ; SUHOSIN_ERROR. The first one is the alert class and the second variable is the ; log message. This can be used for example to mail attempted remote URL include ; attacks to your email address. -; +; ;suhosin.log.phpscript.name = ; - +; ; suhosin.log.phpscript.is_safe ; ----------------------------- +; ; * Type: Boolean ; * Default: Off ; ; Disables open_basedir (and safe_mode for older PHP versions < 5.4) when ; executing suhosin.log.phpscript.name. -; +; ;suhosin.log.phpscript.is_safe = Off ; - +; ; suhosin.log.use-x-forwarded-for ; ------------------------------- +; ; * Type: Boolean ; * Default: Off ; 
@@ -292,16 +306,17 @@ ; variable. With this switch it is possible to change this behavior to read the ; IP from the X-Forwarded-For HTTP header. This is for example necessary when ; your PHP server runs behind a reverse proxy. -; +; ;suhosin.log.use-x-forwarded-for = Off ; - +; ; ================ ; Executor Options ; ================ - +; ; suhosin.executor.max_depth ; -------------------------- +; ; * Type: Integer ; * Default: 750 ; @@ -311,12 +326,13 @@ ; disables this feature. ; ; (Before 0.9.37, the default value was 0.) -; +; ;suhosin.executor.max_depth = 750 ; - +; ; suhosin.executor.include.max_traversal ; -------------------------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -324,14 +340,15 @@ ; attack and stopped. A value of '2' will block '../../etc/passwd', while a value ; of '3' will allow it. Most PHP applications should work flawlessly with values ; '4' or '5'. A value of '0' disables this feature. -; +; ;suhosin.executor.include.max_traversal = 0 ; - +; ; suhosin.executor.include.whitelist ; ---------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated whitelist of URL schemes that are allowed to be included from ; include or require statements. Additionally to URL schemes it is possible to 
@@ -344,25 +361,27 @@ ; * If both suhosin.executor.include.whitelist and ; suhosin.executor.include.blacklist are unset or empty, all URLs will be ; blocked. This is the default. -; +; ;suhosin.executor.include.whitelist = ; - +; ; suhosin.executor.include.blacklist ; ---------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated blacklist of URL schemes that are not allowed to be included ; from include or require statements. Additionally to URL schemes it is possible ; to specify the beginning of allowed URLs. (f.e.: php://stdin) If no blacklist ; and no whitelist is specified all URL schemes are forbidden. -; +; ;suhosin.executor.include.blacklist = ; - +; ; suhosin.executor.include.allow_writable_files ; --------------------------------------------- +; ; * Type: Boolean ; * Default: On ; 
@@ -371,40 +390,43 @@ ; ; Note: Some software such as web-installers or web-based plugin installers won't ; work out of the box with this flag turned off. -; +; ;suhosin.executor.include.allow_writable_files = On ; - +; ; suhosin.executor.func.whitelist ; ------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated whitelist of functions that are allowed to be called. If the ; whitelist is empty the blacklist is evaluated, otherwise calling a function not ; in the whitelist will terminate the script and get logged. ; ; Note: This setting deactivates suhosin.executor.func.blacklist. -; +; ;suhosin.executor.func.whitelist = ; - +; ; suhosin.executor.func.blacklist ; ------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated blacklist of functions that are not allowed to be called. If no ; whitelist is given, calling a function within the blacklist will terminate the ; script and get logged. -; +; ;suhosin.executor.func.blacklist = ; - +; ; suhosin.executor.eval.whitelist ; ------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated whitelist of functions that are allowed to be called from ; within eval(). If the whitelist is empty the blacklist is evaluated, otherwise 
@@ -412,37 +434,40 @@ ; logged. Please read the instructions carefully. ; ; Note: This setting deactivates suhosin.executor.eval.blacklist. -; +; ;suhosin.executor.eval.whitelist = ; - +; ; suhosin.executor.eval.blacklist ; ------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Comma separated blacklist of functions that are not allowed to be called from ; within eval(). If no whitelist is given, calling a function within the ; blacklist will terminate the script and get logged. Please read the ; instructions carefully. -; +; ;suhosin.executor.eval.blacklist = ; - +; ; suhosin.executor.disable_eval ; ----------------------------- +; ; * Type: Boolean ; * Default: Off ; ; eval() is a very dangerous statement and therefore you might want to disable it ; completely. Deactivating it will however break lots of scripts. Because every ; violation is logged, this allows finding all places where eval() is used. -; +; ;suhosin.executor.disable_eval = Off ; - +; ; suhosin.executor.disable_emodifier ; ---------------------------------- +; ; * Type: Boolean ; * Default: Off ; @@ -451,28 +476,30 @@ ; and test where in the application it is used. The developer using the /e ; modifier should be made aware that he should use preg_replace_callback() ; instead. -; +; ;suhosin.executor.disable_emodifier = Off ; - +; ; suhosin.executor.allow_symlink ; ------------------------------ +; ; * Type: Boolean ; * Default: Off ; ; This flag reactivates symlink() when open_basedir is used, which is disabled by ; default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used is ; actually a security risk. -; +; ;suhosin.executor.allow_symlink = Off ; - +; ; ============ ; Misc Options ; ============ - +; ; suhosin.simulation ; ------------------ +; ; * Type: Boolean ; * Default: Off ; 
@@ -480,12 +507,13 @@ ; simulation mode with this flag. When Suhosin runs in simulation mode, ; violations are logged as usual, but nothing is blocked or removed from the ; request. (Transparent Encryptions are NOT deactivated in simulation mode.) -; +; ;suhosin.simulation = Off ; - +; ; suhosin.perdir ; -------------- +; ; * Type: String ; * Default: "0" ; @@ -494,48 +522,52 @@ ; (get), "c" (cookie), "p" (post), "r" (request), "s" (sql), "u" (upload), "m" ; (misc) or any combination, e.g. "legcprsum" to allow everything. Both "0" and ; no value disable this feature. -; +; ;suhosin.perdir = "0" ; - +; ; suhosin.protectkey ; ------------------ +; ; * Type: Boolean ; * Default: On ; ; Prevent Suhosin's secret key material (suhosin.cookie.cryptkey, ; suhosin.session.cryptkey, suhosin.rand.seedingkey) from being exposed by ; phpinfo(). -; +; ;suhosin.protectkey = On ; - +; ; suhosin.coredump ; ---------------- +; ; * Type: Boolean ; * Default: Off ; ; Controls if suhosin coredumps when the optional suhosin patch detects a buffer ; overflow, memory corruption or double free. This is only for debugging purposes ; and should not be activated. -; +; ;suhosin.coredump = Off ; - +; ; suhosin.stealth ; --------------- +; ; * Type: Boolean ; * Default: On ; -; controls if suhosin loads in stealth mode when it is not the only +; Controls if suhosin loads in stealth mode when it is not the only ; zend_extension (Required for full compatibility with certain encoders that ; consider open source untrusted. e.g. ionCube, Zend) -; +; ;suhosin.stealth = On ; - +; ; suhosin.apc_bug_workaround ; -------------------------- +; ; * Type: Boolean ; * Default: Off ; 
@@ -544,36 +576,39 @@ ; will overwrite the information Suhosin stores in this slot. When this flag is ; set Suhosin will request 2 Slots and use the second one. This allows working ; correctly with these buggy APC versions. -; +; ;suhosin.apc_bug_workaround = Off ; - +; ; suhosin.disable.display_errors ; ------------------------------ +; ; * Type: String ; * Default: 0 ; ; Prevent PHP from setting display_errors programmatically. "0" means off. Any ; one of "1", "on", "yes", "true" means on. "fail" or "2" (or greater values) ; will let PHP know that the value change failed. -; +; ;suhosin.disable.display_errors = 0 ; - +; ; suhosin.multiheader ; ------------------- +; ; * Type: Boolean ; * Default: Off ; ; This directive controls if multiple headers are allowed or not in a header() ; call. By default the Suhosin forbids this. (HTTP headers spanning multiple ; lines are still allowed). -; +; ;suhosin.multiheader = Off ; - +; ; suhosin.mail.protect ; -------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -593,12 +628,13 @@ ; +-------+--------------------------------------------------------------------+ ; ; Logging of this class of alerts is controlled by the new S_MAIL constant. -; +; ;suhosin.mail.protect = 0 ; - +; ; suhosin.memory_limit ; -------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -609,16 +645,19 @@ ; Suhosin will disallow scripts setting the memory_limit to a value above this ; configured hard limit. This is for example useful if you want to run the script ; normally with a limit of 16M but image processing scripts may raise it to 20M. -; +; ;suhosin.memory_limit = 0 ; - +; ; ======================== ; SQL Injection Protection ; ======================== - +; This class of features is experimental and still in development. As of Suhosin +; version 0.9.36 only preliminary MySQL and Mysqli support was added. +; ; suhosin.sql.bailout_on_error ; ---------------------------- +; ; * Type: Boolean ; * Default: Off ; 
@@ -626,26 +665,28 @@ ; often spit out a bunch of useful information for possible attackers. When this ; configuration directive is turned on, the script will silently terminate, after ; the problem has been logged. -; +; ;suhosin.sql.bailout_on_error = Off ; - +; ; suhosin.sql.user_match ; ---------------------- +; ; * Type: String -; * Default: +; * Default: ; ; (introduced in 0.9.37) The SQL username must match this wildcard pattern or the ; connect function will fail and return FALSE. Example: `suhosin.sql.user_match = ; public_*` -; +; ;suhosin.sql.user_match = ; - +; ; suhosin.sql.user_prefix ; ----------------------- +; ; * Type: String -; * Default: +; * Default: ; ; This is an experimental feature for shared environments. With this ; configuration option it is possible to specify a prefix that is automatically @@ -655,14 +696,15 @@ ; With this feature it is possible for shared hosters to disallow customers to ; connect with the usernames of other customers. This feature is experimental, ; because support for PDO and PostgreSQL are not yet implemented. -; +; ;suhosin.sql.user_prefix = ; - +; ; suhosin.sql.user_postfix ; ------------------------ +; ; * Type: String -; * Default: +; * Default: ; ; This is an experimental feature for shared environments. With this ; configuration option it is possible to specify a postfix that is automatically @@ -672,12 +714,13 @@ ; With this feature it is possible for shared hosters to disallow customers to ; connect with the usernames of other customers. This feature is experimental, ; because support for PDO and PostgreSQL are not yet implemented. -; +; ;suhosin.sql.user_postfix = ; - +; ; suhosin.sql.comment ; ------------------- +; ; * Type: Integer ; * Default: 0 ; 
@@ -687,24 +730,26 @@ ; ; Note: Mysql conditional statements starting with ``/*!`` are exempt if used ; with Mysqli. -; +; ;suhosin.sql.comment = 0 ; - +; ; suhosin.sql.opencomment ; ----------------------- +; ; * Type: Integer ; * Default: 0 ; ; This is an experimental feature. ; Alert if a MySQL comment was started but not closed: ``/*`` without ``*/``. A ; value of 1 logs the alert; 2 or greater let the call fail. -; +; ;suhosin.sql.opencomment = 0 ; - +; ; suhosin.sql.multiselect ; ----------------------- +; ; * Type: Integer ; * Default: 0 ; 
@@ -714,74 +759,80 @@ ; ; Note: This flag will recognise multiple statements as well as subselects, e.g. ; "SELECT 1; SELECT 2" and "SELECT * FROM (SELECT 1)". -; +; ;suhosin.sql.multiselect = 0 ; - +; ; suhosin.sql.union ; ----------------- +; ; * Type: Integer ; * Default: 0 ; ; This is an experimental feature. ; Alert if an SQL query contains one or more UNIONs. ; A value of 1 logs the alert; 2 or greater let the call fail. -; +; ;suhosin.sql.union = 0 ; - +; ; ============================== ; Transparent Encryption Options ; ============================== - +; ; suhosin.session.encrypt ; ----------------------- +; ; * Type: Boolean ; * Default: On ; ; Flag that decides if the transparent session encryption is activated or not. -; +; ;suhosin.session.encrypt = On ; - +; ; suhosin.session.cryptkey ; ------------------------ +; ; * Type: String -; * Default: +; * Default: ; ; Session data can be encrypted transparently. The encryption key used consists ; of this user defined string (which can be altered by a script via ini_set()) ; and optionally the User-Agent, the Document-Root and 0-4 octects of the ; REMOTE_ADDR. -; +; ;suhosin.session.cryptkey = ; - +; ; suhosin.session.cryptua ; ----------------------- +; ; * Type: Boolean ; * Default: Off ; ; Flag that decides if the transparent session encryption key depends on the ; User-Agent field. (When activated this feature transparently adds a little bit ; protection against session fixation/hijacking attacks) -; +; ;suhosin.session.cryptua = Off ; - +; ; suhosin.session.cryptdocroot ; ---------------------------- +; ; * Type: Boolean ; * Default: On ; ; Flag that decides if the transparent session encryption key depends on the ; Documentroot field. -; +; ;suhosin.session.cryptdocroot = On ; - +; ; suhosin.session.cryptraddr ; -------------------------- +; ; * Type: Integer ; * Default: 0 ; 
@@ -791,12 +842,13 @@ ; a session. But this feature might be interesting for admin interfaces or ; intranets. When used wisely this is a transparent protection against session ; hijacking/fixation. This feature supports IPv4 only. -; +; ;suhosin.session.cryptraddr = 0 ; - +; ; suhosin.session.checkraddr ; -------------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -805,34 +857,37 @@ ; part of the encryption key, so that the same session can be used for different ; areas with different protection levels on the site. This feature supports IPv4 ; only. -; +; ;suhosin.session.checkraddr = 0 ; - +; ; suhosin.cookie.encrypt ; ---------------------- +; ; * Type: Boolean ; * Default: Off ; ; Flag that decides if the transparent cookie encryption is activated or not. -; +; ;suhosin.cookie.encrypt = Off ; - +; ; suhosin.cookie.cryptkey ; ----------------------- +; ; * Type: String -; * Default: +; * Default: ; ; Cookies can be encrypted transparently. The encryption key used consists of ; this user defined string and optionally the User-Agent, the Document-Root and ; 0-4 octects of the REMOTE_ADDR. -; +; ;suhosin.cookie.cryptkey = ; - +; ; suhosin.cookie.cryptua ; ---------------------- +; ; * Type: Boolean ; * Default: On ; @@ -840,23 +895,25 @@ ; User-Agent field. (When activated this feature transparently adds a little bit ; protection against session fixation/hijacking attacks (if only session cookies ; are allowed)) -; +; ;suhosin.cookie.cryptua = On ; - +; ; suhosin.cookie.cryptdocroot ; --------------------------- +; ; * Type: Boolean ; * Default: On ; ; Flag that decides if the transparent cookie encryption key depends on the ; Documentroot field. -; +; ;suhosin.cookie.cryptdocroot = On ; - +; ; suhosin.cookie.cryptraddr ; ------------------------- +; ; * Type: Integer ; * Default: 0 ; 
@@ -866,12 +923,13 @@ ; a session. But this feature might be interesting for admin interfaces or ; intranets. When used wisely this is a transparent protection against session ; hijacking/fixation. This feature supports IPv4 only. -; +; ;suhosin.cookie.cryptraddr = 0 ; - +; ; suhosin.cookie.checkraddr ; ------------------------- +; ; * Type: Integer ; * Default: 0 ; @@ -879,43 +937,50 @@ ; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not part ; of the encryption key, so that the same cookie can be used for different areas ; with different protection levels on the site. This feature supports IPv4 only. -; +; ;suhosin.cookie.checkraddr = 0 ; - +; ; suhosin.cookie.cryptlist ; ------------------------ +; ; * Type: String -; * Default: +; * Default: ; ; In case not all cookies are supposed to get encrypted this is a comma separated ; list of cookie names that should get encrypted. All other cookies will not get ; touched. ; +; Note: Cookies handled on client side with JavaScript as well as on server side +; should not be encrypted, e.g. listed in suhosin.cookie.plainlist or omitted in +; suhosin.cookie.cryptlist. +; ;suhosin.cookie.cryptlist = ; - +; ; suhosin.cookie.plainlist ; ------------------------ +; ; * Type: String -; * Default: +; * Default: ; ; In case some cookies should not be encrypted this is a comma separated list of ; cookies that do not get encrypted. All other cookies will be encrypted. ; ; Note: This setting deactivates suhosin.cookie.cryptlist. -; +; ;suhosin.cookie.plainlist = ; - +; ; ================= ; Filtering Options ; ================= - +; ; suhosin.filter.action ; --------------------- +; ; * Type: Mixed -; * Default: +; * Default: ; ; Defines the reaction of Suhosin on a filter violation. Following possible ; actions are supported 
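Review bot: The new note under suhosin.cookie.cryptlist says such cookies should be "listed in suhosin.cookie.plainlist or omitted in suhosin.cookie.cryptlist"; apart from "omitted from", the plainlist note a few lines further down says plainlist deactivates cryptlist, so these are two alternative configurations rather than a combination, and the note does not say why the cookies must stay plain (presumably because client-side script only ever sees the encrypted value once transparent encryption is on). Suggested wording: `; Note: Cookies that are read or written by client-side JavaScript as well as by the server must stay unencrypted, since the browser only holds the encrypted value: either list them in suhosin.cookie.plainlist, or leave them out of suhosin.cookie.cryptlist.`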
@@ -937,12 +1002,13 @@ ; | | the requested script. Optionally set a | ; | | specific HTTP response code | ; +-------------------------------+--------------------------------------------+ -; +; ;suhosin.filter.action = ; - +; ; suhosin.cookie.max_array_depth ; ------------------------------ +; ; * Type: Integer ; * Default: 50 ; 
@@ -950,86 +1016,94 @@ ; the COOKIE. ; ; Note: Array depth is not the number of elements within an array. -; +; ;suhosin.cookie.max_array_depth = 50 ; - +; ; suhosin.cookie.max_array_index_length ; ------------------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of array indices for variables registered through ; the COOKIE. -; +; ;suhosin.cookie.max_array_index_length = 64 ; - +; ; suhosin.cookie.max_name_length ; ------------------------------ +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of variable names for variables registered through ; the COOKIE. For array variables this is the name in front of the indices. -; +; ;suhosin.cookie.max_name_length = 64 ; - +; ; suhosin.cookie.max_totalname_length ; ----------------------------------- +; ; * Type: Integer ; * Default: 256 ; ; Defines the maximum length of the total variable name when registered through ; the COOKIE. For array variables this includes all indices. -; +; ;suhosin.cookie.max_totalname_length = 256 ; - +; ; suhosin.cookie.max_value_length ; ------------------------------- +; ; * Type: Integer ; * Default: 10000 ; ; Defines the maximum length of a variable that is registered through the COOKIE. -; +; ;suhosin.cookie.max_value_length = 10000 ; - +; ; suhosin.cookie.max_vars ; ----------------------- +; ; * Type: Integer ; * Default: 100 ; ; Defines the maximum number of variables that may be registered through the ; COOKIE. -; +; ;suhosin.cookie.max_vars = 100 ; - +; ; suhosin.cookie.disallow_nul ; --------------------------- +; ; * Type: Boolean ; * Default: On ; ; When set to On ASCIIZ chars are not allowed in variables. -; +; ;suhosin.cookie.disallow_nul = On ; - +; ; suhosin.cookie.disallow_ws ; -------------------------- +; ; * Type: Boolean ; * Default: On ; ; Ignore cookies with names starting with whitespace. 
-; +; ;suhosin.cookie.disallow_ws = On ; - +; ; suhosin.get.max_array_depth ; --------------------------- +; ; * Type: Integer ; * Default: 50 ; 
@@ -1037,85 +1111,93 @@ ; the URL. ; ; Note: Array depth is not the number of elements within an array. -; +; ;suhosin.get.max_array_depth = 50 ; - +; ; suhosin.get.max_array_index_length ; ---------------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of array indices for variables registered through ; the URL. -; +; ;suhosin.get.max_array_index_length = 64 ; - +; ; suhosin.get.max_name_length ; --------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of variable names for variables registered through ; the URL. For array variables this is the name in front of the indices. -; +; ;suhosin.get.max_name_length = 64 ; - +; ; suhosin.get.max_totalname_length ; -------------------------------- +; ; * Type: Integer ; * Default: 256 ; ; Defines the maximum length of the total variable name when registered through ; the URL. For array variables this includes all indices. -; +; ;suhosin.get.max_totalname_length = 256 ; - +; ; suhosin.get.max_value_length ; ---------------------------- +; ; * Type: Integer ; * Default: 512 ; ; Defines the maximum length of a variable that is registered through the URL. -; +; ;suhosin.get.max_value_length = 512 ; - +; ; suhosin.get.max_vars ; -------------------- +; ; * Type: Integer ; * Default: 100 ; ; Defines the maximum number of variables that may be registered through the URL. -; +; ;suhosin.get.max_vars = 100 ; - +; ; suhosin.get.disallow_nul ; ------------------------ +; ; * Type: Boolean ; * Default: On ; ; When set to On ASCIIZ chars are not allowed in variables. -; +; ;suhosin.get.disallow_nul = On ; - +; ; suhosin.get.disallow_ws ; ----------------------- +; ; * Type: Boolean ; * Default: Off ; ; Ignore GET parameters with names starting with whitespace. -; +; ;suhosin.get.disallow_ws = Off ; - +; ; suhosin.post.max_array_depth ; ---------------------------- +; ; * Type: Integer ; * Default: 50 ; 
@@ -1123,113 +1205,121 @@ ; POST request. ; ; Note: Array depth is not the number of elements within an array. -; +; ;suhosin.post.max_array_depth = 50 ; - +; ; suhosin.post.max_array_index_length ; ----------------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of array indices for variables registered through a ; POST request. -; +; ;suhosin.post.max_array_index_length = 64 ; - +; ; suhosin.post.max_name_length ; ---------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of variable names for variables registered through a ; POST request. For array variables this is the name in front of the indices. -; +; ;suhosin.post.max_name_length = 64 ; - +; ; suhosin.post.max_totalname_length ; --------------------------------- +; ; * Type: Integer ; * Default: 256 ; ; Defines the maximum length of the total variable name when registered through a ; POST request. For array variables this includes all indices. -; +; ;suhosin.post.max_totalname_length = 256 ; - +; ; suhosin.post.max_value_length ; ----------------------------- +; ; * Type: Integer ; * Default: 1000000 ; ; Defines the maximum length of a variable that is registered through a POST ; request. -; +; ;suhosin.post.max_value_length = 1000000 ; - +; ; suhosin.post.max_vars ; --------------------- +; ; * Type: Integer ; * Default: 1000 ; ; Defines the maximum number of variables that may be registered through a POST ; request. -; +; ;suhosin.post.max_vars = 1000 ; - +; ; suhosin.post.disallow_nul ; ------------------------- +; ; * Type: Boolean ; * Default: On ; ; When set to On ASCIIZ chars are not allowed in variables. -; +; ;suhosin.post.disallow_nul = On ; - +; ; suhosin.post.disallow_ws ; ------------------------ +; ; * Type: Boolean ; * Default: Off ; ; Ignore POST parameters with names starting with whitespace. 
-; +; ;suhosin.post.disallow_ws = Off ; - +; ; suhosin.request.array_index_blacklist ; ------------------------------------- +; ; * Type: String ; * Default: "'\"+<>;()" ; ; Defines a character blacklist for array indices not allowed in user input. -; -; Note: The default value also contained '-' in 0.9.37, which was removed in -; 0.9.37.1 due to incompatibility issues. -; +; ;suhosin.request.array_index_blacklist = "'\"+<>;()" ; - +; ; suhosin.request.array_index_whitelist ; ------------------------------------- +; ; * Type: String -; * Default: +; * Default: +; ; * Example: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" ; ; Defines a character whitelist for array indices allowed in user input. ; ; Note: This setting deactivates suhosin.request.array_index_blacklist. -; +; ;suhosin.request.array_index_whitelist = ; - +; ; suhosin.request.max_array_depth ; ------------------------------- +; ; * Type: Integer ; * Default: 50 ; @@ -1238,24 +1328,26 @@ ; POST, COOKIE configuration directives. ; ; Note: Array depth is not the number of elements within an array. -; +; ;suhosin.request.max_array_depth = 50 ; - +; ; suhosin.request.max_array_index_length ; -------------------------------------- +; ; * Type: Integer ; * Default: 64 ; ; Defines the maximum length of array indices for variables registered through ; GET, POST or COOKIE. This setting is also an upper limit for the separate GET, ; POST, COOKIE configuration directives. -; +; ;suhosin.request.max_array_index_length = 64 ; - +; ; suhosin.request.max_totalname_length ; ------------------------------------ +; ; * Type: Integer ; * Default: 256 ; 
@@ -1263,36 +1355,39 @@ ; the COOKIE, the URL or through a POST request. This is the complete name ; string, including all indices. This setting is also an upper limit for the ; separate GET, POST, COOKIE configuration directives. -; +; ;suhosin.request.max_totalname_length = 256 ; - +; ; suhosin.request.max_value_length ; -------------------------------- +; ; * Type: Integer ; * Default: 1000000 ; ; Defines the maximum length of a variable that is registered through the COOKIE, ; the URL or through a POST request. This setting is also an upper limit for the ; variable origin specific configuration directives. -; +; ;suhosin.request.max_value_length = 1000000 ; - +; ; suhosin.request.max_vars ; ------------------------ +; ; * Type: Integer ; * Default: 1000 ; ; Defines the maximum number of variables that may be registered through the ; COOKIE, the URL or through a POST request. This setting is also an upper limit ; for the variable origin specific configuration directives. -; +; ;suhosin.request.max_vars = 1000 ; - +; ; suhosin.request.max_varname_length ; ---------------------------------- +; ; * Type: Integer ; * Default: 64 ; 
@@ -1300,96 +1395,105 @@ ; that may be registered through the COOKIE, the URL or through a POST request. ; This setting is also an upper limit for the variable origin specific ; configuration directives. -; +; ;suhosin.request.max_varname_length = 64 ; - +; ; suhosin.request.disallow_nul ; ---------------------------- +; ; * Type: Boolean ; * Default: On ; ; When set to On ASCIIZ chars are not allowed in variables. -; +; ;suhosin.request.disallow_nul = On ; - +; ; suhosin.request.disallow_ws ; --------------------------- +; ; * Type: Boolean ; * Default: Off ; ; Ignore all variables with names starting with whitespace. -; +; ;suhosin.request.disallow_ws = Off ; - +; ; suhosin.upload.max_uploads ; -------------------------- +; ; * Type: Integer ; * Default: 25 ; ; Defines the maximum number of files that may be uploaded with one request. -; +; ;suhosin.upload.max_uploads = 25 ; - +; ; suhosin.upload.max_newlines ; --------------------------- +; ; * Type: Integer ; * Default: 100 ; ; Defines the maximum number of newlines in rfc1867 mime headers. ; (added with version 0.9.38) -; +; ;suhosin.upload.max_newlines = 100 ; - +; ; suhosin.upload.disallow_elf ; --------------------------- +; ; * Type: Boolean ; * Default: On ; ; When set to On it is not possible to upload ELF executables. -; +; ;suhosin.upload.disallow_elf = On ; - +; ; suhosin.upload.disallow_binary ; ------------------------------ +; ; * Type: Boolean ; * Default: Off ; ; When set to On it is not possible to upload binary files. -; +; ;suhosin.upload.disallow_binary = Off ; - +; ; suhosin.upload.remove_binary ; ---------------------------- +; ; * Type: Boolean ; * Default: Off ; ; When set to On binary content is removed from the uploaded files. -; +; ;suhosin.upload.remove_binary = Off ; - +; ; suhosin.upload.allow_utf8 ; ------------------------- +; ; * Type: Boolean ; * Default: Off ; ; This is an experimental feature. 
This option allows UTF-8 along with ASCII when ; using `suhosin.upload.disallow_binary` or `suhosin.upload.remove_binary`. -; +; ;suhosin.upload.allow_utf8 = Off ; - +; ; suhosin.upload.verification_script ; ---------------------------------- +; ; * Type: String -; * Default: +; * Default: ; ; This defines the full path to a verification script for uploaded files. The ; script gets the temporary filename supplied and has to decide if the upload is @@ -1397,12 +1501,13 @@ ; The called script has to write a 1 as first line to standard output to allow ; the upload. Any other value or no output at all will result in the file being ; deleted. -; +; ;suhosin.upload.verification_script = ; - +; ; suhosin.session.max_id_length ; ----------------------------- +; ; * Type: Integer ; * Default: 128 ; @@ -1410,45 +1515,49 @@ ; longer session identifier is passed a new session identifier will be created. ; This feature is important to fight buffer overflows in 3rd party session ; handlers. -; +; ;suhosin.session.max_id_length = 128 ; - +; ; suhosin.server.encode ; --------------------- +; ; * Type: Boolean ; * Default: On ; ; Encode potentially dangerous characters in REQUEST_URI and QUERY_STRING with ; URL encoding. -; +; ;suhosin.server.encode = On ; - +; ; suhosin.server.strip ; -------------------- +; ; * Type: Boolean ; * Default: On ; ; Replace potentially dangerous characters in PHP_SELF, PATH_INFO, ; PATH_TRANSLATED and HTTP_USER_AGENT with '?'. -; +; ;suhosin.server.strip = On ; - +; ; suhosin.rand.seedingkey ; ----------------------- +; ; * Type: String -; * Default: +; * Default: ; ; This string is added to the entropy pool for seeding the random number ; generator. -; +; ;suhosin.rand.seedingkey = ; - +; ; suhosin.rand.reseed_every_request ; --------------------------------- +; ; * Type: Boolean ; * Default: Off ; 
@@ -1456,29 +1565,30 @@ ; request. Will improve security but decrease performance. In case the system's ; entry pool is exhausted, this flag may either significantly increase execution ; time or otherwise use less entropy (which is bad). -; +; ;suhosin.rand.reseed_every_request = Off ; - +; ; suhosin.srand.ignore ; -------------------- +; ; * Type: Boolean ; * Default: On ; ; Flag that controls if calls to srand() are ignored in favour of Suhosin's own ; enhanced seeding - since 0.9.36 calls will trigger auto-reseeding. -; +; ;suhosin.srand.ignore = On ; - +; ; suhosin.mt_srand.ignore ; ----------------------- +; ; * Type: Boolean ; * Default: On ; ; Flag that controls if calls to mt_srand() are ignored in favour of Suhosin's ; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding. -; +; ;suhosin.mt_srand.ignore = On ; - -- cgit v1.3