From bd8b5bb241ca359b65c1a3717c9905d034b9703b Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Sat, 7 Aug 2021 15:56:57 +0200
Subject: more ini protection features

---
 config/ini_protection.php8.rules | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'config/ini_protection.php8.rules')

diff --git a/config/ini_protection.php8.rules b/config/ini_protection.php8.rules
index 081048f..b4ddb30 100644
--- a/config/ini_protection.php8.rules
+++ b/config/ini_protection.php8.rules
@@ -1,6 +1,20 @@
 ## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
 sp.ini_protection.enable();
 
+## simulation mode: only log violations
+#sp.ini_protection.simulation();
+
+## drop policy: drop request on rule violation
+#sp.ini_protection.policy_drop();
+
+## do not log violations.
+## this setting has no effect in simulation or drop mode
+#sp.ini_protection.policy_silent_fail();
+
+## do not log read-only violations
+## this setting has no effect in simulation or drop mode
+sp.ini_protection.policy_silent_ro();
+
 ## access policy can be one of
 ## .policy_readonly(): All entries are read-only by default.
 ## Individual entries can be set read-write using .readwrite() or .rw()
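Review bot: `sp.ini_protection.policy_silent_ro();` is the only one of the four new options that ships enabled, and per its own comment it turns off logging of read-only violations. An attempt to change a locked entry at runtime would then presumably still be refused but leave no log line, which costs detection signal in a default protection config. Consider shipping it commented out like the other three, `#sp.ini_protection.policy_silent_ro();`. If it is on deliberately, say why above it, e.g. `## enabled by default to keep logs quiet for applications that routinely call ini_set() on read-only entries; comment out to log these attempts`. The new comments also do not say what happens when both `.simulation()` and `.policy_drop()` are enabled.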
@@ -10,13 +24,17 @@ sp.ini_protection.enable();
 
 ## sp.ini entries can have the following attributes
 ## .key("..."): mandatory ini name.
-## .set("..."): set the value. This overrides php.ini.
+## .set("..."): set the initial value. This overrides php.ini.
+## checks are not performed for this initial value.
 ## .min("...") / .max("..."): value must be an integer between .min and .max.
 ## shorthand notation (e.g. 1k = 1024) is allowed
 ## .regexp("..."): value must match the regular expression
+## .allow_null(): allow setting a NULL-value
 ## .msg("..."): message is shown in logs on rule violation instead of default message
 ## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
 ## If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
+## .drop(): drop request on rule violation for this entry
+## .simulation(): only log rule violation for this entry
 
 ## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
 sp.ini.key("display_errors").set("0").ro();
-- 
cgit v1.3
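Review bot: The new `.drop()` and `.simulation()` attribute lines do not say which one applies when an entry carries both, or how a per-entry flag combines with the global `sp.ini_protection.simulation()` / `sp.ini_protection.policy_drop()` settings documented earlier in this file. A rule author who expects a request to be dropped could end up with log-only behaviour without noticing. One added comment line would settle it, e.g. `## per-entry .drop() / .simulation() take precedence over the global policy; if both are given, <state which applies>`. Because `.set()` now skips checks, it may also be worth noting that a `.set()` value outside the entry's own `.min()`/`.max()`/`.regexp()` is accepted as-is.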