renamed ini protection example rules

author: Ben Fuhrmannek 2022-01-10 16:23:28 +0100
committer: Ben Fuhrmannek 2022-01-10 16:23:28 +0100
commit: c9430a45205f3a94fe46c7fd4f5fd3a6ab5202f4 (patch)
tree: a5565ef11d435a18454a0e8a284029294c35e4db /config/ini_protection.rules
parent: f4afb2a0396251f45a31f470cb6ad916671a9686 (diff)
1 files changed, 291 insertions, 0 deletions
diff --git a/config/ini_protection.rules b/config/ini_protection.rules
new file mode 100644
index 0000000..bde5815
--- /dev/null
+++ b/config/ini_protection.rules
@@ -0,0 +1,291 @@
+## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
+sp.ini_protection.enable();
+## simulation mode: only log violations
+#sp.ini_protection.simulation();
+## drop policy: drop request on rule violation
+#sp.ini_protection.policy_drop();
+## do not log violations.
+## this setting has no effect in simulation or drop mode
+#sp.ini_protection.policy_silent_fail();
+## do not log read-only violations
+## this setting has no effect in simulation or drop mode
+sp.ini_protection.policy_silent_ro();
+## access policy can be one of
+## .policy_readonly(): All entries are read-only by default.
+##    Individual entries can be set read-write using .readwrite() or .rw()
+## .policy_readwrite(): This is the default and can be omitted.
+##    Individual entries can be set read-only using .readonly() or .ro()
+#sp.ini_protection.policy_readonly();
+## sp.ini entries can have the following attributes
+## .key("..."): mandatory ini name.
+## .set("..."): set the initial value. This overrides php.ini.
+##    checks are not performed for this initial value.
+## .min("...") / .max("..."): value must be an integer between .min and .max.
+##    shorthand notation (e.g. 1k = 1024) is allowed
+## .regexp("..."): value must match the regular expression
+## .allow_null(): allow setting a NULL-value
+## .msg("..."): message is shown in logs on rule violation instead of default message
+## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
+##    If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
+## .drop(): drop request on rule violation for this entry
+## .simulation(): only log rule violation for this entry
+## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
+sp.ini.key("display_errors").set("0").ro();
+sp.ini.key("display_startup_errors").set("0").ro();
+sp.ini.key("expose_php").set("0").ro();
+## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
+#sp.ini.key("display_errors").rw();
+#sp.ini.key("display_startup_errors").rw();
+#sp.ini.key("expose_php").rw();
+## error logging options should not be set during runtime -> read-only.
+sp.ini.key("error_log").ro();
+sp.ini.key("error_reporting").ro();
+sp.ini.key("log_errors").ro();
+@condition PHP_VERSION_ID < 80000;
+sp.ini.key("log_errors_max_len").set("2048").ro();
+@end_condition;
+sp.ini.key("ignore_repeated_errors").ro();
+sp.ini.key("ignore_repeated_source").ro();
+sp.ini.key("syslog.filter").ro();
+## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
+sp.ini.key("assert.active").set("0").ro();
+sp.ini.key("assert.bail").ro();
+sp.ini.key("assert.callback").ro();
+sp.ini.key("assert.exception").ro();
+sp.ini.key("assert.warning").ro();
+## enforce color codes. prevents potential XSS
+sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
+## prevent remote access via fopen/include
+sp.ini.key("allow_url_fopen").set("0").ro();
+sp.ini.key("allow_url_include").set("0").ro();
+## prevent code execution from auto-included files
+sp.ini.key("auto_append_file").ro();
+sp.ini.key("auto_prepend_file").ro();
+## make rarely used features read-only. you can always set the value in php.ini
+sp.ini.key("arg_separator.input").ro();
+sp.ini.key("arg_separator.output").ro();
+sp.ini.key("auto_detect_line_endings").ro();
+sp.ini.key("auto_globals_jit").ro();
+sp.ini.key("browscap").ro();
+sp.ini.key("default_charset").ro();
+sp.ini.key("register_argc_argv").ro();
+sp.ini.key("report_memleaks").ro();
+sp.ini.key("report_zend_debug").ro();
+sp.ini.key("request_order").ro();
+sp.ini.key("url_rewriter.hosts").ro();
+sp.ini.key("url_rewriter.tags").ro();
+sp.ini.key("variables_order").ro();
+sp.ini.key("from").ro();
+sp.ini.key("short_open_tag").ro();
+sp.ini.key("unserialize_callback_func").ro();
+sp.ini.key("zend.detect_unicode").ro();
+sp.ini.key("zend.enable_gc").ro();
+sp.ini.key("zend.exception_ignore_args").ro();
+sp.ini.key("zend.exception_string_param_max_len").ro();
+sp.ini.key("zend.multibyte").ro();
+sp.ini.key("zend.script_encoding").ro();
+## date and timezone settings
+#sp.ini.key("date.default_latitude").set("31.7667").ro();
+#sp.ini.key("date.default_longitude").set("35.2333").ro();
+#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
+#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
+#sp.ini.key("date.timezone").set("").ro();
+## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
+sp.ini.key("default_mimetype").rw();
+## allow reasonable socket timeouts
+sp.ini.key("default_socket_timeout").min("1").max("300").rw();
+## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
+sp.ini.key("enable_dl").set("0").ro();
+## links to manual pages in error pages should not be set during runtime.
+sp.ini.key("docref_ext").ro();
+sp.ini.key("docref_root").ro();
+sp.ini.key("html_errors").set("0").ro();
+## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
+sp.ini.key("enable_post_data_reading").rw();
+## disable error append/prepend which may lead to log forging.
+sp.ini.key("error_append_string").ro();
+sp.ini.key("error_prepend_string").set("").ro();
+## restrict limit settings to prevent Denial-of-Service
+sp.ini.key("max_execution_time").min("30").max("600").rw();
+sp.ini.key("max_file_uploads").min("0").max("25").rw();
+sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
+sp.ini.key("max_input_time").set("-1").ro();
+sp.ini.key("max_input_vars").min("0").max("1024").rw();
+sp.ini.key("memory_limit").min("4M").max("256M").rw();
+sp.ini.key("post_max_size").max("256M").rw();
+sp.ini.key("upload_max_filesize").max("256M").rw();
+sp.ini.key("precision").max("14").rw();
+sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
+sp.ini.key("serialize_precision").ro();
+## some applications rely on these filters for security
+## even though they should implement proper input validation for each input field separately.
+@condition extension_loaded("filter");
+sp.ini.key("filter.default").rw();
+sp.ini.key("filter.default_flags").rw();
+@end_condition;
+## scripts will not be terminated after a client has aborted their connection.
+## this feature may be needed for some time consuming server-side calculation
+sp.ini.key("ignore_user_abort").rw();
+## flushing may be needed
+sp.ini.key("implicit_flush").rw();
+## this feature may be required for some frameworks to work properly,
+## but setting the include path to a fixed value is always more secure.
+sp.ini.key("include_path").ro();
+## input/output and encoding options
+sp.ini.key("input_encoding").ro();
+sp.ini.key("internal_encoding").ro();
+sp.ini.key("output_encoding").ro();
+sp.ini.key("output_buffering").min("0").max("4096").rw();
+sp.ini.key("output_handler").ro();
+## mail options
+#sp.ini.key("mail.add_x_header").set("0").ro();
+#sp.ini.key("mail.force_extra_parameters").set("").ro();
+#sp.ini.key("mail.log").set("").ro();
+## windows smtp options
+#sp.ini.key("SMTP").set("localhost").ro();
+#sp.ini.key("smtp_port").set("25").ro();
+#sp.ini.key("sendmail_from").ro();
+## mysqli/mysqlnd options
+@condition extension_loaded("mysqli");
+sp.ini.key("mysqli.allow_local_infile").ro();
+sp.ini.key("mysqli.allow_persistent").ro();
+sp.ini.key("mysqli.default_host").ro();
+sp.ini.key("mysqli.default_port").ro();
+sp.ini.key("mysqli.default_pw").ro();
+sp.ini.key("mysqli.default_socket").ro();
+sp.ini.key("mysqli.default_user").ro();
+sp.ini.key("mysqli.max_links").set("-1").ro();
+sp.ini.key("mysqli.max_persistent").set("-1").ro();
+sp.ini.key("mysqli.reconnect").set("0").ro();
+sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
+@condition extension_loaded("mysqlnd");
+sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
+sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
+sp.ini.key("mysqlnd.debug").set("").ro();
+sp.ini.key("mysqlnd.log_mask").set("0").ro();
+sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
+sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
+sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
+sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
+sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
+sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+@condition extension_loaded("mysqlnd") && PHP_VERSION_ID < 80100;
+sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
+@end_condition;
+## open basedir is a security feature similar to chroot.
+## why should it be allowed to disable this feature during runtime?
+sp.ini.key("open_basedir").ro();
+## pcre options
+@condition extension_loaded("pcre");
+sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
+sp.ini.key("pcre.jit").rw();
+sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
+@end_condition;
+## phar options
+@condition extension_loaded("phar");
+sp.ini.key("phar.cache_list").ro();
+sp.ini.key("phar.readonly").ro();
+sp.ini.key("phar.require_hash").ro();
+@end_condition;
+## session options
+@condition extension_loaded("session");
+#sp.ini.key("session.auto_start").set("0").ro();
+#sp.ini.key("session.cache_expire").set("180").ro();
+#sp.ini.key("session.cache_limiter").set("nocache").ro();
+#sp.ini.key("session.cookie_domain").set("").ro();
+#sp.ini.key("session.cookie_httponly").set("0").ro();
+#sp.ini.key("session.cookie_lifetime").set("0").ro();
+#sp.ini.key("session.cookie_path").set("/").ro();
+#sp.ini.key("session.cookie_samesite").set("").ro();
+#sp.ini.key("session.cookie_secure").set("0").ro();
+#sp.ini.key("session.gc_divisor").set("100").ro();
+#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
+#sp.ini.key("session.gc_probability").set("1").ro();
+#sp.ini.key("session.lazy_write").set("1").ro();
+#sp.ini.key("session.name").set("PHPSESSID").ro();
+#sp.ini.key("session.referer_check").set("").ro();
+#sp.ini.key("session.save_handler").set("files").ro();
+#sp.ini.key("session.save_path").set("").ro();
+#sp.ini.key("session.serialize_handler").set("php").ro();
+#sp.ini.key("session.sid_bits_per_character").set("4").ro();
+sp.ini.key("session.sid_length").min("32").max("128").rw();
+#sp.ini.key("session.trans_sid_hosts").set("").ro();
+#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
+#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
+#sp.ini.key("session.upload_progress.enabled").set("1").ro();
+#sp.ini.key("session.upload_progress.freq").set("1%").ro();
+#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
+#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
+#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
+#sp.ini.key("session.use_cookies").set("1").ro();
+#sp.ini.key("session.use_only_cookies").set("1").ro();
+#sp.ini.key("session.use_strict_mode").set("0").ro();
+#sp.ini.key("session.use_trans_sid").set("0").ro();
+@end_condition;
+## allow setting the user agent
+sp.ini.key("user_agent").rw();
+## allow setting the xmlrpc fault code
+sp.ini.key("xmlrpc_error_number").rw();
+## these ini entries can only be set by php.ini anyway,
+## but better set them to read-only anyway, just to be sure.
+sp.ini.key("disable_classes").ro();
+sp.ini.key("disable_functions").ro();
+sp.ini.key("doc_root").ro();
+sp.ini.key("extension_dir").ro();
+sp.ini.key("file_uploads").ro();
+sp.ini.key("hard_timeout").ro();
+sp.ini.key("realpath_cache_size").ro();
+sp.ini.key("realpath_cache_ttl").ro();
+sp.ini.key("sendmail_path").ro();
+@condition extension_loaded("sqlite3");
+sp.ini.key("sqlite3.defensive").ro();
+sp.ini.key("sqlite3.extension_dir").ro();
+@end_condition;
+sp.ini.key("sys_temp_dir").ro();
+sp.ini.key("syslog.facility").ro();
+sp.ini.key("syslog.ident").ro();
+sp.ini.key("upload_tmp_dir").ro();
+sp.ini.key("user_dir").ro();
+sp.ini.key("user_ini.cache_ttl").ro();
+sp.ini.key("user_ini.filename").ro();
+sp.ini.key("zend.assertions").ro();
+sp.ini.key("zend.signal_check").set("0").ro();
author	Ben Fuhrmannek	2022-01-10 16:23:28 +0100
committer	Ben Fuhrmannek	2022-01-10 16:23:28 +0100
commit	c9430a45205f3a94fe46c7fd4f5fd3a6ab5202f4 (patch)
tree	a5565ef11d435a18454a0e8a284029294c35e4db /config/ini_protection.rules
parent	f4afb2a0396251f45a31f470cb6ad916671a9686 (diff)

diff --git a/config/ini_protection.rules b/config/ini_protection.rules new file mode 100644 index 0000000..bde5815 --- /dev/null +++ b/config/ini_protection.rules
@@ -0,0 +1,291 @@
	1	## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
	2	sp.ini_protection.enable();
	3
	4	## simulation mode: only log violations
	5	#sp.ini_protection.simulation();
	6
	7	## drop policy: drop request on rule violation
	8	#sp.ini_protection.policy_drop();
	9
	10	## do not log violations.
	11	## this setting has no effect in simulation or drop mode
	12	#sp.ini_protection.policy_silent_fail();
	13
	14	## do not log read-only violations
	15	## this setting has no effect in simulation or drop mode
	16	sp.ini_protection.policy_silent_ro();
	17
	18	## access policy can be one of
	19	## .policy_readonly(): All entries are read-only by default.
	20	## Individual entries can be set read-write using .readwrite() or .rw()
	21	## .policy_readwrite(): This is the default and can be omitted.
	22	## Individual entries can be set read-only using .readonly() or .ro()
	23	#sp.ini_protection.policy_readonly();
	24
	25	## sp.ini entries can have the following attributes
	26	## .key("..."): mandatory ini name.
	27	## .set("..."): set the initial value. This overrides php.ini.
	28	## checks are not performed for this initial value.
	29	## .min("...") / .max("..."): value must be an integer between .min and .max.
	30	## shorthand notation (e.g. 1k = 1024) is allowed
	31	## .regexp("..."): value must match the regular expression
	32	## .allow_null(): allow setting a NULL-value
	33	## .msg("..."): message is shown in logs on rule violation instead of default message
	34	## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
	35	## If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
	36	## .drop(): drop request on rule violation for this entry
	37	## .simulation(): only log rule violation for this entry
	38
	39	## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
	40	sp.ini.key("display_errors").set("0").ro();
	41	sp.ini.key("display_startup_errors").set("0").ro();
	42	sp.ini.key("expose_php").set("0").ro();
	43	## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
	44	#sp.ini.key("display_errors").rw();
	45	#sp.ini.key("display_startup_errors").rw();
	46	#sp.ini.key("expose_php").rw();
	47
	48	## error logging options should not be set during runtime -> read-only.
	49	sp.ini.key("error_log").ro();
	50	sp.ini.key("error_reporting").ro();
	51	sp.ini.key("log_errors").ro();
	52	@condition PHP_VERSION_ID < 80000;
	53	sp.ini.key("log_errors_max_len").set("2048").ro();
	54	@end_condition;
	55	sp.ini.key("ignore_repeated_errors").ro();
	56	sp.ini.key("ignore_repeated_source").ro();
	57	sp.ini.key("syslog.filter").ro();
	58
	59	## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
	60	sp.ini.key("assert.active").set("0").ro();
	61	sp.ini.key("assert.bail").ro();
	62	sp.ini.key("assert.callback").ro();
	63	sp.ini.key("assert.exception").ro();
	64	sp.ini.key("assert.warning").ro();
	65
	66	## enforce color codes. prevents potential XSS
	67	sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
	68	sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
	69	sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
	70	sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
	71	sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
	72
	73	## prevent remote access via fopen/include
	74	sp.ini.key("allow_url_fopen").set("0").ro();
	75	sp.ini.key("allow_url_include").set("0").ro();
	76
	77	## prevent code execution from auto-included files
	78	sp.ini.key("auto_append_file").ro();
	79	sp.ini.key("auto_prepend_file").ro();
	80
	81	## make rarely used features read-only. you can always set the value in php.ini
	82	sp.ini.key("arg_separator.input").ro();
	83	sp.ini.key("arg_separator.output").ro();
	84	sp.ini.key("auto_detect_line_endings").ro();
	85	sp.ini.key("auto_globals_jit").ro();
	86	sp.ini.key("browscap").ro();
	87	sp.ini.key("default_charset").ro();
	88	sp.ini.key("register_argc_argv").ro();
	89	sp.ini.key("report_memleaks").ro();
	90	sp.ini.key("report_zend_debug").ro();
	91	sp.ini.key("request_order").ro();
	92	sp.ini.key("url_rewriter.hosts").ro();
	93	sp.ini.key("url_rewriter.tags").ro();
	94	sp.ini.key("variables_order").ro();
	95	sp.ini.key("from").ro();
	96	sp.ini.key("short_open_tag").ro();
	97	sp.ini.key("unserialize_callback_func").ro();
	98	sp.ini.key("zend.detect_unicode").ro();
	99	sp.ini.key("zend.enable_gc").ro();
	100	sp.ini.key("zend.exception_ignore_args").ro();
	101	sp.ini.key("zend.exception_string_param_max_len").ro();
	102	sp.ini.key("zend.multibyte").ro();
	103	sp.ini.key("zend.script_encoding").ro();
	104
	105	## date and timezone settings
	106	#sp.ini.key("date.default_latitude").set("31.7667").ro();
	107	#sp.ini.key("date.default_longitude").set("35.2333").ro();
	108	#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
	109	#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
	110	#sp.ini.key("date.timezone").set("").ro();
	111
	112	## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
	113	sp.ini.key("default_mimetype").rw();
	114
	115	## allow reasonable socket timeouts
	116	sp.ini.key("default_socket_timeout").min("1").max("300").rw();
	117
	118	## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
	119	sp.ini.key("enable_dl").set("0").ro();
	120
	121	## links to manual pages in error pages should not be set during runtime.
	122	sp.ini.key("docref_ext").ro();
	123	sp.ini.key("docref_root").ro();
	124	sp.ini.key("html_errors").set("0").ro();
	125
	126	## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
	127	sp.ini.key("enable_post_data_reading").rw();
	128
	129	## disable error append/prepend which may lead to log forging.
	130	sp.ini.key("error_append_string").ro();
	131	sp.ini.key("error_prepend_string").set("").ro();
	132
	133	## restrict limit settings to prevent Denial-of-Service
	134	sp.ini.key("max_execution_time").min("30").max("600").rw();
	135	sp.ini.key("max_file_uploads").min("0").max("25").rw();
	136	sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
	137	sp.ini.key("max_input_time").set("-1").ro();
	138	sp.ini.key("max_input_vars").min("0").max("1024").rw();
	139	sp.ini.key("memory_limit").min("4M").max("256M").rw();
	140	sp.ini.key("post_max_size").max("256M").rw();
	141	sp.ini.key("upload_max_filesize").max("256M").rw();
	142	sp.ini.key("precision").max("14").rw();
	143	sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
	144	sp.ini.key("serialize_precision").ro();
	145
	146	## some applications rely on these filters for security
	147	## even though they should implement proper input validation for each input field separately.
	148	@condition extension_loaded("filter");
	149	sp.ini.key("filter.default").rw();
	150	sp.ini.key("filter.default_flags").rw();
	151	@end_condition;
	152
	153	## scripts will not be terminated after a client has aborted their connection.
	154	## this feature may be needed for some time consuming server-side calculation
	155	sp.ini.key("ignore_user_abort").rw();
	156
	157	## flushing may be needed
	158	sp.ini.key("implicit_flush").rw();
	159
	160	## this feature may be required for some frameworks to work properly,
	161	## but setting the include path to a fixed value is always more secure.
	162	sp.ini.key("include_path").ro();
	163
	164	## input/output and encoding options
	165	sp.ini.key("input_encoding").ro();
	166	sp.ini.key("internal_encoding").ro();
	167	sp.ini.key("output_encoding").ro();
	168	sp.ini.key("output_buffering").min("0").max("4096").rw();
	169	sp.ini.key("output_handler").ro();
	170
	171	## mail options
	172	#sp.ini.key("mail.add_x_header").set("0").ro();
	173	#sp.ini.key("mail.force_extra_parameters").set("").ro();
	174	#sp.ini.key("mail.log").set("").ro();
	175	## windows smtp options
	176	#sp.ini.key("SMTP").set("localhost").ro();
	177	#sp.ini.key("smtp_port").set("25").ro();
	178	#sp.ini.key("sendmail_from").ro();
	179
	180	## mysqli/mysqlnd options
	181	@condition extension_loaded("mysqli");
	182	sp.ini.key("mysqli.allow_local_infile").ro();
	183	sp.ini.key("mysqli.allow_persistent").ro();
	184	sp.ini.key("mysqli.default_host").ro();
	185	sp.ini.key("mysqli.default_port").ro();
	186	sp.ini.key("mysqli.default_pw").ro();
	187	sp.ini.key("mysqli.default_socket").ro();
	188	sp.ini.key("mysqli.default_user").ro();
	189	sp.ini.key("mysqli.max_links").set("-1").ro();
	190	sp.ini.key("mysqli.max_persistent").set("-1").ro();
	191	sp.ini.key("mysqli.reconnect").set("0").ro();
	192	sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
	193	@condition extension_loaded("mysqlnd");
	194	sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
	195	sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
	196	sp.ini.key("mysqlnd.debug").set("").ro();
	197	sp.ini.key("mysqlnd.log_mask").set("0").ro();
	198	sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
	199	sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
	200	sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
	201	sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
	202	sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
	203	sp.ini.key("mysqlnd.trace_alloc").set("").ro();
	204	@condition extension_loaded("mysqlnd") && PHP_VERSION_ID < 80100;
	205	sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
	206	@end_condition;
	207
	208	## open basedir is a security feature similar to chroot.
	209	## why should it be allowed to disable this feature during runtime?
	210	sp.ini.key("open_basedir").ro();
	211
	212	## pcre options
	213	@condition extension_loaded("pcre");
	214	sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
	215	sp.ini.key("pcre.jit").rw();
	216	sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
	217	@end_condition;
	218
	219	## phar options
	220	@condition extension_loaded("phar");
	221	sp.ini.key("phar.cache_list").ro();
	222	sp.ini.key("phar.readonly").ro();
	223	sp.ini.key("phar.require_hash").ro();
	224	@end_condition;
	225
	226	## session options
	227	@condition extension_loaded("session");
	228	#sp.ini.key("session.auto_start").set("0").ro();
	229	#sp.ini.key("session.cache_expire").set("180").ro();
	230	#sp.ini.key("session.cache_limiter").set("nocache").ro();
	231	#sp.ini.key("session.cookie_domain").set("").ro();
	232	#sp.ini.key("session.cookie_httponly").set("0").ro();
	233	#sp.ini.key("session.cookie_lifetime").set("0").ro();
	234	#sp.ini.key("session.cookie_path").set("/").ro();
	235	#sp.ini.key("session.cookie_samesite").set("").ro();
	236	#sp.ini.key("session.cookie_secure").set("0").ro();
	237	#sp.ini.key("session.gc_divisor").set("100").ro();
	238	#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
	239	#sp.ini.key("session.gc_probability").set("1").ro();
	240	#sp.ini.key("session.lazy_write").set("1").ro();
	241	#sp.ini.key("session.name").set("PHPSESSID").ro();
	242	#sp.ini.key("session.referer_check").set("").ro();
	243	#sp.ini.key("session.save_handler").set("files").ro();
	244	#sp.ini.key("session.save_path").set("").ro();
	245	#sp.ini.key("session.serialize_handler").set("php").ro();
	246	#sp.ini.key("session.sid_bits_per_character").set("4").ro();
	247	sp.ini.key("session.sid_length").min("32").max("128").rw();
	248	#sp.ini.key("session.trans_sid_hosts").set("").ro();
	249	#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
	250	#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
	251	#sp.ini.key("session.upload_progress.enabled").set("1").ro();
	252	#sp.ini.key("session.upload_progress.freq").set("1%").ro();
	253	#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
	254	#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
	255	#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
	256	#sp.ini.key("session.use_cookies").set("1").ro();
	257	#sp.ini.key("session.use_only_cookies").set("1").ro();
	258	#sp.ini.key("session.use_strict_mode").set("0").ro();
	259	#sp.ini.key("session.use_trans_sid").set("0").ro();
	260	@end_condition;
	261
	262	## allow setting the user agent
	263	sp.ini.key("user_agent").rw();
	264
	265	## allow setting the xmlrpc fault code
	266	sp.ini.key("xmlrpc_error_number").rw();
	267
	268	## these ini entries can only be set by php.ini anyway,
	269	## but better set them to read-only anyway, just to be sure.
	270	sp.ini.key("disable_classes").ro();
	271	sp.ini.key("disable_functions").ro();
	272	sp.ini.key("doc_root").ro();
	273	sp.ini.key("extension_dir").ro();
	274	sp.ini.key("file_uploads").ro();
	275	sp.ini.key("hard_timeout").ro();
	276	sp.ini.key("realpath_cache_size").ro();
	277	sp.ini.key("realpath_cache_ttl").ro();
	278	sp.ini.key("sendmail_path").ro();
	279	@condition extension_loaded("sqlite3");
	280	sp.ini.key("sqlite3.defensive").ro();
	281	sp.ini.key("sqlite3.extension_dir").ro();
	282	@end_condition;
	283	sp.ini.key("sys_temp_dir").ro();
	284	sp.ini.key("syslog.facility").ro();
	285	sp.ini.key("syslog.ident").ro();
	286	sp.ini.key("upload_tmp_dir").ro();
	287	sp.ini.key("user_dir").ro();
	288	sp.ini.key("user_ini.cache_ttl").ro();
	289	sp.ini.key("user_ini.filename").ro();
	290	sp.ini.key("zend.assertions").ro();
	291	sp.ini.key("zend.signal_check").set("0").ro();