authorBen Fuhrmannek2022-01-10 16:22:44 +0100
committerBen Fuhrmannek2022-01-10 16:22:44 +0100
commitf4afb2a0396251f45a31f470cb6ad916671a9686 (patch)
treeaa18848d9cea8e657d269157f509a5ffe379411b /config
parent55264b198337e93f23a0dd63c0f12e30f32876d7 (diff)
added conditions to ini protection example
Diffstat (limited to 'config')
-rw-r--r--config/ini_protection.php8.rules62
1 files changed, 39 insertions, 23 deletions
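diff --git a/config/ini_protection.php8.rules b/config/ini_protection.php8.rules
index 175f527..bde5815 100644
--- a/config/ini_protection.php8.rules
+++ b/config/ini_protection.php8.rules
@@ -49,7 +49,9 @@ sp.ini.key("expose_php").set("0").ro();
 sp.ini.key("error_log").ro();
 sp.ini.key("error_reporting").ro();
 sp.ini.key("log_errors").ro();
+@condition PHP_VERSION_ID < 80000;
 sp.ini.key("log_errors_max_len").set("2048").ro();
+@end_condition;
 sp.ini.key("ignore_repeated_errors").ro();
 sp.ini.key("ignore_repeated_source").ro();
 sp.ini.key("syslog.filter").ro();
@@ -143,8 +145,10 @@ sp.ini.key("serialize_precision").ro();
 
 ## some applications rely on these filters for security
 ## even though they should implement proper input validation for each input field separately.
+@condition extension_loaded("filter");
 sp.ini.key("filter.default").rw();
 sp.ini.key("filter.default_flags").rw();
+@end_condition;
 
 ## scripts will not be terminated after a client has aborted their connection.
 ## this feature may be needed for some time consuming server-side calculation
@@ -174,44 +178,53 @@ sp.ini.key("output_handler").ro();
 #sp.ini.key("sendmail_from").ro();
 
 ## mysqli/mysqlnd options
-#sp.ini.key("mysqli.allow_local_infile").ro();
-#sp.ini.key("mysqli.allow_persistent").ro();
-#sp.ini.key("mysqli.default_host").ro();
-#sp.ini.key("mysqli.default_port").ro();
-#sp.ini.key("mysqli.default_pw").ro();
-#sp.ini.key("mysqli.default_socket").ro();
-#sp.ini.key("mysqli.default_user").ro();
-#sp.ini.key("mysqli.max_links").set("-1").ro();
-#sp.ini.key("mysqli.max_persistent").set("-1").ro();
-#sp.ini.key("mysqli.reconnect").set("0").ro();
-#sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
-#sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
-#sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
-#sp.ini.key("mysqlnd.debug").set("").ro();
-#sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
-#sp.ini.key("mysqlnd.log_mask").set("0").ro();
-#sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
-#sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
-#sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
-#sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
-#sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
-#sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+@condition extension_loaded("mysqli");
+sp.ini.key("mysqli.allow_local_infile").ro();
+sp.ini.key("mysqli.allow_persistent").ro();
+sp.ini.key("mysqli.default_host").ro();
+sp.ini.key("mysqli.default_port").ro();
+sp.ini.key("mysqli.default_pw").ro();
+sp.ini.key("mysqli.default_socket").ro();
+sp.ini.key("mysqli.default_user").ro();
+sp.ini.key("mysqli.max_links").set("-1").ro();
+sp.ini.key("mysqli.max_persistent").set("-1").ro();
+sp.ini.key("mysqli.reconnect").set("0").ro();
+sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
+@condition extension_loaded("mysqlnd");
+sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
+sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
+sp.ini.key("mysqlnd.debug").set("").ro();
+sp.ini.key("mysqlnd.log_mask").set("0").ro();
+sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
+sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
+sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
+sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
+sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
+sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+@condition extension_loaded("mysqlnd") && PHP_VERSION_ID < 80100;
+sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
+@end_condition;
 
 ## open basedir is a security feature similar to chroot.
 ## why should it be allowed to disable this feature during runtime?
 sp.ini.key("open_basedir").ro();
 
 ## pcre options
+@condition extension_loaded("pcre");
 sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
 sp.ini.key("pcre.jit").rw();
 sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
+@end_condition;
 
 ## phar options
+@condition extension_loaded("phar");
 sp.ini.key("phar.cache_list").ro();
 sp.ini.key("phar.readonly").ro();
 sp.ini.key("phar.require_hash").ro();
+@end_condition;
 
 ## session options
+@condition extension_loaded("session");
 #sp.ini.key("session.auto_start").set("0").ro();
 #sp.ini.key("session.cache_expire").set("180").ro();
 #sp.ini.key("session.cache_limiter").set("nocache").ro();
@@ -244,6 +257,7 @@ sp.ini.key("session.sid_length").min("32").max("128").rw();
 #sp.ini.key("session.use_only_cookies").set("1").ro();
 #sp.ini.key("session.use_strict_mode").set("0").ro();
 #sp.ini.key("session.use_trans_sid").set("0").ro();
+@end_condition;
 
 ## allow setting the user agent
 sp.ini.key("user_agent").rw();
@@ -262,9 +276,11 @@ sp.ini.key("hard_timeout").ro();
 sp.ini.key("realpath_cache_size").ro();
 sp.ini.key("realpath_cache_ttl").ro();
 sp.ini.key("sendmail_path").ro();
+@condition extension_loaded("sqlite3");
 sp.ini.key("sqlite3.defensive").ro();
 sp.ini.key("sqlite3.extension_dir").ro();
-sp.ini.key("sys_temp_dir").set("").ro();
+@end_condition;
+sp.ini.key("sys_temp_dir").ro();
 sp.ini.key("syslog.facility").ro();
 sp.ini.key("syslog.ident").ro();
 sp.ini.key("upload_tmp_dir").ro();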
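Review bot: The mysqli/mysqlnd block in the third hunk opens three `@condition` lines (new lines 181, 193 and 204) but closes with a single `@end_condition;` at 206, whereas every other block this commit adds pairs each `@condition` with its own `@end_condition;`. Whether a second `@condition` implicitly ends the previous one or nests inside it is a property of the rules parser that the file does not show; if it nests, the `extension_loaded("mysqli")` guard would still be open when the `pcre`, `phar` and `session` blocks begin, and the rules that follow would be applied only on hosts with mysqli loaded. Closing each block explicitly — `@end_condition;` after `mysqli.rollback_on_cached_plink` and again after `mysqlnd.trace_alloc`, before the `PHP_VERSION_ID < 80100` guard — keeps the file uniform and independent of that parser detail. Separately, the last hunk drops `.set("")` from `sys_temp_dir`, so the rule now pins whatever value php.ini already carries instead of forcing the default; that is not covered by the commit message "added conditions to ini protection example" and deserves a line there if intended.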