default ruleset for ini protection feature

author: Ben Fuhrmannek 2021-08-06 22:43:37 +0200
committer: Ben Fuhrmannek 2021-08-06 22:43:37 +0200
commit: e399c93db185bfd95ff003dd89e2af49462bf8b6 (patch)
tree: 27f8bb6251e15156c0d3d426c2b084bab3b6133d /config
parent: 2392c46836ceea520fa2a45369c8d638aadb943c (diff)
1 files changed, 257 insertions, 0 deletions
diff --git a/config/ini_protection.php8.rules b/config/ini_protection.php8.rules
new file mode 100644
index 0000000..081048f
--- /dev/null
+++ b/config/ini_protection.php8.rules
@@ -0,0 +1,257 @@
+## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
+sp.ini_protection.enable();
+## access policy can be one of
+## .policy_readonly(): All entries are read-only by default.
+##    Individual entries can be set read-write using .readwrite() or .rw()
+## .policy_readwrite(): This is the default and can be omitted.
+##    Individual entries can be set read-only using .readonly() or .ro()
+#sp.ini_protection.policy_readonly();
+## sp.ini entries can have the following attributes
+## .key("..."): mandatory ini name.
+## .set("..."): set the value. This overrides php.ini.
+## .min("...") / .max("..."): value must be an integer between .min and .max.
+##    shorthand notation (e.g. 1k = 1024) is allowed
+## .regexp("..."): value must match the regular expression
+## .msg("..."): message is shown in logs on rule violation instead of default message
+## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
+##    If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
+## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
+sp.ini.key("display_errors").set("0").ro();
+sp.ini.key("display_startup_errors").set("0").ro();
+sp.ini.key("expose_php").set("0").ro();
+## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
+#sp.ini.key("display_errors").rw();
+#sp.ini.key("display_startup_errors").rw();
+#sp.ini.key("expose_php").rw();
+## error logging options should not be set during runtime -> read-only.
+sp.ini.key("error_log").ro();
+sp.ini.key("error_reporting").ro();
+sp.ini.key("log_errors").ro();
+sp.ini.key("log_errors_max_len").set("2048").ro();
+sp.ini.key("ignore_repeated_errors").ro();
+sp.ini.key("ignore_repeated_source").ro();
+sp.ini.key("syslog.filter").ro();
+## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
+sp.ini.key("assert.active").set("0").ro();
+sp.ini.key("assert.bail").ro();
+sp.ini.key("assert.callback").ro();
+sp.ini.key("assert.exception").ro();
+sp.ini.key("assert.warning").ro();
+## enforce color codes. prevents potential XSS
+sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
+## prevent remote access via fopen/include
+sp.ini.key("allow_url_fopen").set("0").ro();
+sp.ini.key("allow_url_include").set("0").ro();
+## prevent code execution from auto-included files
+sp.ini.key("auto_append_file").ro();
+sp.ini.key("auto_prepend_file").ro();
+## make rarely used features read-only. you can always set the value in php.ini
+sp.ini.key("arg_separator.input").ro();
+sp.ini.key("arg_separator.output").ro();
+sp.ini.key("auto_detect_line_endings").ro();
+sp.ini.key("auto_globals_jit").ro();
+sp.ini.key("browscap").ro();
+sp.ini.key("default_charset").ro();
+sp.ini.key("register_argc_argv").ro();
+sp.ini.key("report_memleaks").ro();
+sp.ini.key("report_zend_debug").ro();
+sp.ini.key("request_order").ro();
+sp.ini.key("url_rewriter.hosts").ro();
+sp.ini.key("url_rewriter.tags").ro();
+sp.ini.key("variables_order").ro();
+sp.ini.key("from").ro();
+sp.ini.key("short_open_tag").ro();
+sp.ini.key("unserialize_callback_func").ro();
+sp.ini.key("zend.detect_unicode").ro();
+sp.ini.key("zend.enable_gc").ro();
+sp.ini.key("zend.exception_ignore_args").ro();
+sp.ini.key("zend.exception_string_param_max_len").ro();
+sp.ini.key("zend.multibyte").ro();
+sp.ini.key("zend.script_encoding").ro();
+## date and timezone settings
+#sp.ini.key("date.default_latitude").set("31.7667").ro();
+#sp.ini.key("date.default_longitude").set("35.2333").ro();
+#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
+#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
+#sp.ini.key("date.timezone").set("").ro();
+## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
+sp.ini.key("default_mimetype").rw();
+## allow reasonable socket timeouts
+sp.ini.key("default_socket_timeout").min("1").max("300").rw();
+## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
+sp.ini.key("enable_dl").set("0").ro();
+## links to manual pages in error pages should not be set during runtime.
+sp.ini.key("docref_ext").ro();
+sp.ini.key("docref_root").ro();
+sp.ini.key("html_errors").set("0").ro();
+## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
+sp.ini.key("enable_post_data_reading").rw();
+## disable error append/prepend which may lead to log forging.
+sp.ini.key("error_append_string").ro();
+sp.ini.key("error_prepend_string").set("").ro();
+## restrict limit settings to prevent Denial-of-Service
+sp.ini.key("max_execution_time").min("30").max("600").rw();
+sp.ini.key("max_file_uploads").min("0").max("25").rw();
+sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
+sp.ini.key("max_input_time").set("-1").ro();
+sp.ini.key("max_input_vars").min("0").max("1024").rw();
+sp.ini.key("memory_limit").min("4M").max("256M").rw();
+sp.ini.key("post_max_size").max("256M").rw();
+sp.ini.key("upload_max_filesize").max("256M").rw();
+sp.ini.key("precision").max("14").rv();
+sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
+sp.ini.key("serialize_precision").ro();
+## some applications rely on these filters for security
+## even though they should implement proper input validation for each input field separately.
+sp.ini.key("filter.default").rw();
+sp.ini.key("filter.default_flags").rw();
+## scripts will not be terminated after a client has aborted their connection.
+## this feature may be needed for some time consuming server-side calculation
+sp.ini.key("ignore_user_abort").rw();
+## flushing may be needed
+sp.ini.key("implicit_flush").rw();
+## this feature may be required for some frameworks to work properly,
+## but setting the include path to a fixed value is always more secure.
+sp.ini.key("include_path").ro();
+## input/output and encoding options
+sp.ini.key("input_encoding").ro();
+sp.ini.key("internal_encoding").ro();
+sp.ini.key("output_encoding").ro();
+sp.ini.key("output_buffering").min("0").max("4096").rw();
+sp.ini.key("output_handler").ro();
+## mail options
+#sp.ini.key("mail.add_x_header").set("0").ro();
+#sp.ini.key("mail.force_extra_parameters").set("").ro();
+#sp.ini.key("mail.log").set("").ro();
+## windows smtp options
+#sp.ini.key("SMTP").set("localhost").ro();
+#sp.ini.key("smtp_port").set("25").ro();
+#sp.ini.key("sendmail_from").ro();
+## mysqli/mysqlnd options
+#sp.ini.key("mysqli.allow_local_infile").ro();
+#sp.ini.key("mysqli.allow_persistent").ro();
+#sp.ini.key("mysqli.default_host").ro();
+#sp.ini.key("mysqli.default_port").ro();
+#sp.ini.key("mysqli.default_pw").ro();
+#sp.ini.key("mysqli.default_socket").ro();
+#sp.ini.key("mysqli.default_user").ro();
+#sp.ini.key("mysqli.max_links").set("-1").ro();
+#sp.ini.key("mysqli.max_persistent").set("-1").ro();
+#sp.ini.key("mysqli.reconnect").set("0").ro();
+#sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
+#sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
+#sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
+#sp.ini.key("mysqlnd.debug").set("").ro();
+#sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
+#sp.ini.key("mysqlnd.log_mask").set("0").ro();
+#sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
+#sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
+#sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
+#sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
+#sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
+#sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+## open basedir is a security feature similar to chroot.
+## why should it be allowed to disable this feature during runtime?
+sp.ini.key("open_basedir").ro();
+## pcre options
+sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
+sp.ini.key("pcre.jit").rw();
+sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
+## phar options
+sp.ini.key("phar.cache_list").ro();
+sp.ini.key("phar.readonly").ro();
+sp.ini.key("phar.require_hash").ro();
+## session options
+#sp.ini.key("session.auto_start").set("0").ro();
+#sp.ini.key("session.cache_expire").set("180").ro();
+#sp.ini.key("session.cache_limiter").set("nocache").ro();
+#sp.ini.key("session.cookie_domain").set("").ro();
+#sp.ini.key("session.cookie_httponly").set("0").ro();
+#sp.ini.key("session.cookie_lifetime").set("0").ro();
+#sp.ini.key("session.cookie_path").set("/").ro();
+#sp.ini.key("session.cookie_samesite").set("").ro();
+#sp.ini.key("session.cookie_secure").set("0").ro();
+#sp.ini.key("session.gc_divisor").set("100").ro();
+#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
+#sp.ini.key("session.gc_probability").set("1").ro();
+#sp.ini.key("session.lazy_write").set("1").ro();
+#sp.ini.key("session.name").set("PHPSESSID").ro();
+#sp.ini.key("session.referer_check").set("").ro();
+#sp.ini.key("session.save_handler").set("files").ro();
+#sp.ini.key("session.save_path").set("").ro();
+#sp.ini.key("session.serialize_handler").set("php").ro();
+#sp.ini.key("session.sid_bits_per_character").set("4").ro();
+sp.ini.key("session.sid_length").min("32").max("128").rw();
+#sp.ini.key("session.trans_sid_hosts").set("").ro();
+#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
+#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
+#sp.ini.key("session.upload_progress.enabled").set("1").ro();
+#sp.ini.key("session.upload_progress.freq").set("1%").ro();
+#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
+#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
+#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
+#sp.ini.key("session.use_cookies").set("1").ro();
+#sp.ini.key("session.use_only_cookies").set("1").ro();
+#sp.ini.key("session.use_strict_mode").set("0").ro();
+#sp.ini.key("session.use_trans_sid").set("0").ro();
+## allow setting the user agent
+sp.ini.key("user_agent").rw();
+## allow setting the xmlrpc fault code
+sp.ini.key("xmlrpc_error_number").rw();
+## these ini entries can only be set by php.ini anyway,
+## but better set them to read-only anyway, just to be sure.
+sp.ini.key("disable_classes").ro();
+sp.ini.key("disable_functions").ro();
+sp.ini.key("doc_root").ro();
+sp.ini.key("extension_dir").ro();
+sp.ini.key("file_uploads").ro();
+sp.ini.key("hard_timeout").ro();
+sp.ini.key("realpath_cache_size").ro();
+sp.ini.key("realpath_cache_ttl").ro();
+sp.ini.key("sendmail_path").ro();
+sp.ini.key("sqlite3.defensive").ro();
+sp.ini.key("sqlite3.extension_dir").ro();
+sp.ini.key("sys_temp_dir").set("").ro();
+sp.ini.key("syslog.facility").ro();
+sp.ini.key("syslog.ident").ro();
+sp.ini.key("upload_tmp_dir").ro();
+sp.ini.key("user_dir").ro();
+sp.ini.key("user_ini.cache_ttl").ro();
+sp.ini.key("user_ini.filename").ro();
+sp.ini.key("zend.assertions").ro();
+sp.ini.key("zend.signal_check").set("0").ro();
author	Ben Fuhrmannek	2021-08-06 22:43:37 +0200
committer	Ben Fuhrmannek	2021-08-06 22:43:37 +0200
commit	e399c93db185bfd95ff003dd89e2af49462bf8b6 (patch)
tree	27f8bb6251e15156c0d3d426c2b084bab3b6133d /config
parent	2392c46836ceea520fa2a45369c8d638aadb943c (diff)

diff --git a/config/ini_protection.php8.rules b/config/ini_protection.php8.rules new file mode 100644 index 0000000..081048f --- /dev/null +++ b/config/ini_protection.php8.rules
@@ -0,0 +1,257 @@
	1	## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
	2	sp.ini_protection.enable();
	3
	4	## access policy can be one of
	5	## .policy_readonly(): All entries are read-only by default.
	6	## Individual entries can be set read-write using .readwrite() or .rw()
	7	## .policy_readwrite(): This is the default and can be omitted.
	8	## Individual entries can be set read-only using .readonly() or .ro()
	9	#sp.ini_protection.policy_readonly();
	10
	11	## sp.ini entries can have the following attributes
	12	## .key("..."): mandatory ini name.
	13	## .set("..."): set the value. This overrides php.ini.
	14	## .min("...") / .max("..."): value must be an integer between .min and .max.
	15	## shorthand notation (e.g. 1k = 1024) is allowed
	16	## .regexp("..."): value must match the regular expression
	17	## .msg("..."): message is shown in logs on rule violation instead of default message
	18	## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
	19	## If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
	20
	21	## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
	22	sp.ini.key("display_errors").set("0").ro();
	23	sp.ini.key("display_startup_errors").set("0").ro();
	24	sp.ini.key("expose_php").set("0").ro();
	25	## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
	26	#sp.ini.key("display_errors").rw();
	27	#sp.ini.key("display_startup_errors").rw();
	28	#sp.ini.key("expose_php").rw();
	29
	30	## error logging options should not be set during runtime -> read-only.
	31	sp.ini.key("error_log").ro();
	32	sp.ini.key("error_reporting").ro();
	33	sp.ini.key("log_errors").ro();
	34	sp.ini.key("log_errors_max_len").set("2048").ro();
	35	sp.ini.key("ignore_repeated_errors").ro();
	36	sp.ini.key("ignore_repeated_source").ro();
	37	sp.ini.key("syslog.filter").ro();
	38
	39	## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
	40	sp.ini.key("assert.active").set("0").ro();
	41	sp.ini.key("assert.bail").ro();
	42	sp.ini.key("assert.callback").ro();
	43	sp.ini.key("assert.exception").ro();
	44	sp.ini.key("assert.warning").ro();
	45
	46	## enforce color codes. prevents potential XSS
	47	sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
	48	sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
	49	sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
	50	sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
	51	sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
	52
	53	## prevent remote access via fopen/include
	54	sp.ini.key("allow_url_fopen").set("0").ro();
	55	sp.ini.key("allow_url_include").set("0").ro();
	56
	57	## prevent code execution from auto-included files
	58	sp.ini.key("auto_append_file").ro();
	59	sp.ini.key("auto_prepend_file").ro();
	60
	61	## make rarely used features read-only. you can always set the value in php.ini
	62	sp.ini.key("arg_separator.input").ro();
	63	sp.ini.key("arg_separator.output").ro();
	64	sp.ini.key("auto_detect_line_endings").ro();
	65	sp.ini.key("auto_globals_jit").ro();
	66	sp.ini.key("browscap").ro();
	67	sp.ini.key("default_charset").ro();
	68	sp.ini.key("register_argc_argv").ro();
	69	sp.ini.key("report_memleaks").ro();
	70	sp.ini.key("report_zend_debug").ro();
	71	sp.ini.key("request_order").ro();
	72	sp.ini.key("url_rewriter.hosts").ro();
	73	sp.ini.key("url_rewriter.tags").ro();
	74	sp.ini.key("variables_order").ro();
	75	sp.ini.key("from").ro();
	76	sp.ini.key("short_open_tag").ro();
	77	sp.ini.key("unserialize_callback_func").ro();
	78	sp.ini.key("zend.detect_unicode").ro();
	79	sp.ini.key("zend.enable_gc").ro();
	80	sp.ini.key("zend.exception_ignore_args").ro();
	81	sp.ini.key("zend.exception_string_param_max_len").ro();
	82	sp.ini.key("zend.multibyte").ro();
	83	sp.ini.key("zend.script_encoding").ro();
	84
	85	## date and timezone settings
	86	#sp.ini.key("date.default_latitude").set("31.7667").ro();
	87	#sp.ini.key("date.default_longitude").set("35.2333").ro();
	88	#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
	89	#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
	90	#sp.ini.key("date.timezone").set("").ro();
	91
	92	## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
	93	sp.ini.key("default_mimetype").rw();
	94
	95	## allow reasonable socket timeouts
	96	sp.ini.key("default_socket_timeout").min("1").max("300").rw();
	97
	98	## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
	99	sp.ini.key("enable_dl").set("0").ro();
	100
	101	## links to manual pages in error pages should not be set during runtime.
	102	sp.ini.key("docref_ext").ro();
	103	sp.ini.key("docref_root").ro();
	104	sp.ini.key("html_errors").set("0").ro();
	105
	106	## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
	107	sp.ini.key("enable_post_data_reading").rw();
	108
	109	## disable error append/prepend which may lead to log forging.
	110	sp.ini.key("error_append_string").ro();
	111	sp.ini.key("error_prepend_string").set("").ro();
	112
	113	## restrict limit settings to prevent Denial-of-Service
	114	sp.ini.key("max_execution_time").min("30").max("600").rw();
	115	sp.ini.key("max_file_uploads").min("0").max("25").rw();
	116	sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
	117	sp.ini.key("max_input_time").set("-1").ro();
	118	sp.ini.key("max_input_vars").min("0").max("1024").rw();
	119	sp.ini.key("memory_limit").min("4M").max("256M").rw();
	120	sp.ini.key("post_max_size").max("256M").rw();
	121	sp.ini.key("upload_max_filesize").max("256M").rw();
	122	sp.ini.key("precision").max("14").rv();
	123	sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
	124	sp.ini.key("serialize_precision").ro();
	125
	126	## some applications rely on these filters for security
	127	## even though they should implement proper input validation for each input field separately.
	128	sp.ini.key("filter.default").rw();
	129	sp.ini.key("filter.default_flags").rw();
	130
	131	## scripts will not be terminated after a client has aborted their connection.
	132	## this feature may be needed for some time consuming server-side calculation
	133	sp.ini.key("ignore_user_abort").rw();
	134
	135	## flushing may be needed
	136	sp.ini.key("implicit_flush").rw();
	137
	138	## this feature may be required for some frameworks to work properly,
	139	## but setting the include path to a fixed value is always more secure.
	140	sp.ini.key("include_path").ro();
	141
	142	## input/output and encoding options
	143	sp.ini.key("input_encoding").ro();
	144	sp.ini.key("internal_encoding").ro();
	145	sp.ini.key("output_encoding").ro();
	146	sp.ini.key("output_buffering").min("0").max("4096").rw();
	147	sp.ini.key("output_handler").ro();
	148
	149	## mail options
	150	#sp.ini.key("mail.add_x_header").set("0").ro();
	151	#sp.ini.key("mail.force_extra_parameters").set("").ro();
	152	#sp.ini.key("mail.log").set("").ro();
	153	## windows smtp options
	154	#sp.ini.key("SMTP").set("localhost").ro();
	155	#sp.ini.key("smtp_port").set("25").ro();
	156	#sp.ini.key("sendmail_from").ro();
	157
	158	## mysqli/mysqlnd options
	159	#sp.ini.key("mysqli.allow_local_infile").ro();
	160	#sp.ini.key("mysqli.allow_persistent").ro();
	161	#sp.ini.key("mysqli.default_host").ro();
	162	#sp.ini.key("mysqli.default_port").ro();
	163	#sp.ini.key("mysqli.default_pw").ro();
	164	#sp.ini.key("mysqli.default_socket").ro();
	165	#sp.ini.key("mysqli.default_user").ro();
	166	#sp.ini.key("mysqli.max_links").set("-1").ro();
	167	#sp.ini.key("mysqli.max_persistent").set("-1").ro();
	168	#sp.ini.key("mysqli.reconnect").set("0").ro();
	169	#sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
	170	#sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
	171	#sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
	172	#sp.ini.key("mysqlnd.debug").set("").ro();
	173	#sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
	174	#sp.ini.key("mysqlnd.log_mask").set("0").ro();
	175	#sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
	176	#sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
	177	#sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
	178	#sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
	179	#sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
	180	#sp.ini.key("mysqlnd.trace_alloc").set("").ro();
	181
	182	## open basedir is a security feature similar to chroot.
	183	## why should it be allowed to disable this feature during runtime?
	184	sp.ini.key("open_basedir").ro();
	185
	186	## pcre options
	187	sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
	188	sp.ini.key("pcre.jit").rw();
	189	sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
	190
	191	## phar options
	192	sp.ini.key("phar.cache_list").ro();
	193	sp.ini.key("phar.readonly").ro();
	194	sp.ini.key("phar.require_hash").ro();
	195
	196	## session options
	197	#sp.ini.key("session.auto_start").set("0").ro();
	198	#sp.ini.key("session.cache_expire").set("180").ro();
	199	#sp.ini.key("session.cache_limiter").set("nocache").ro();
	200	#sp.ini.key("session.cookie_domain").set("").ro();
	201	#sp.ini.key("session.cookie_httponly").set("0").ro();
	202	#sp.ini.key("session.cookie_lifetime").set("0").ro();
	203	#sp.ini.key("session.cookie_path").set("/").ro();
	204	#sp.ini.key("session.cookie_samesite").set("").ro();
	205	#sp.ini.key("session.cookie_secure").set("0").ro();
	206	#sp.ini.key("session.gc_divisor").set("100").ro();
	207	#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
	208	#sp.ini.key("session.gc_probability").set("1").ro();
	209	#sp.ini.key("session.lazy_write").set("1").ro();
	210	#sp.ini.key("session.name").set("PHPSESSID").ro();
	211	#sp.ini.key("session.referer_check").set("").ro();
	212	#sp.ini.key("session.save_handler").set("files").ro();
	213	#sp.ini.key("session.save_path").set("").ro();
	214	#sp.ini.key("session.serialize_handler").set("php").ro();
	215	#sp.ini.key("session.sid_bits_per_character").set("4").ro();
	216	sp.ini.key("session.sid_length").min("32").max("128").rw();
	217	#sp.ini.key("session.trans_sid_hosts").set("").ro();
	218	#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
	219	#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
	220	#sp.ini.key("session.upload_progress.enabled").set("1").ro();
	221	#sp.ini.key("session.upload_progress.freq").set("1%").ro();
	222	#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
	223	#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
	224	#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
	225	#sp.ini.key("session.use_cookies").set("1").ro();
	226	#sp.ini.key("session.use_only_cookies").set("1").ro();
	227	#sp.ini.key("session.use_strict_mode").set("0").ro();
	228	#sp.ini.key("session.use_trans_sid").set("0").ro();
	229
	230	## allow setting the user agent
	231	sp.ini.key("user_agent").rw();
	232
	233	## allow setting the xmlrpc fault code
	234	sp.ini.key("xmlrpc_error_number").rw();
	235
	236	## these ini entries can only be set by php.ini anyway,
	237	## but better set them to read-only anyway, just to be sure.
	238	sp.ini.key("disable_classes").ro();
	239	sp.ini.key("disable_functions").ro();
	240	sp.ini.key("doc_root").ro();
	241	sp.ini.key("extension_dir").ro();
	242	sp.ini.key("file_uploads").ro();
	243	sp.ini.key("hard_timeout").ro();
	244	sp.ini.key("realpath_cache_size").ro();
	245	sp.ini.key("realpath_cache_ttl").ro();
	246	sp.ini.key("sendmail_path").ro();
	247	sp.ini.key("sqlite3.defensive").ro();
	248	sp.ini.key("sqlite3.extension_dir").ro();
	249	sp.ini.key("sys_temp_dir").set("").ro();
	250	sp.ini.key("syslog.facility").ro();
	251	sp.ini.key("syslog.ident").ro();
	252	sp.ini.key("upload_tmp_dir").ro();
	253	sp.ini.key("user_dir").ro();
	254	sp.ini.key("user_ini.cache_ttl").ro();
	255	sp.ini.key("user_ini.filename").ro();
	256	sp.ini.key("zend.assertions").ro();
	257	sp.ini.key("zend.signal_check").set("0").ro();