From e399c93db185bfd95ff003dd89e2af49462bf8b6 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Fri, 6 Aug 2021 22:43:37 +0200
Subject: default ruleset for ini protection feature

---
 config/ini_protection.php8.rules | 257 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 257 insertions(+)
 create mode 100644 config/ini_protection.php8.rules

(limited to 'config')

diff --git a/config/ini_protection.php8.rules b/config/ini_protection.php8.rules
new file mode 100644
index 0000000..081048f
--- /dev/null
+++ b/config/ini_protection.php8.rules
@@ -0,0 +1,257 @@
+## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
+sp.ini_protection.enable();
+
+## access policy can be one of
+## .policy_readonly(): All entries are read-only by default.
+##    Individual entries can be set read-write using .readwrite() or .rw()
+## .policy_readwrite(): This is the default and can be omitted.
+##    Individual entries can be set read-only using .readonly() or .ro()
+#sp.ini_protection.policy_readonly();
+
+## sp.ini entries can have the following attributes
+## .key("..."): mandatory ini name.
+## .set("..."): set the value. This overrides php.ini.
+## .min("...") / .max("..."): value must be an integer between .min and .max.
+##    shorthand notation (e.g. 1k = 1024) is allowed
+## .regexp("..."): value must match the regular expression
+## .msg("..."): message is shown in logs on rule violation instead of default message
+## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
+##    If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
+
+## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
+sp.ini.key("display_errors").set("0").ro();
+sp.ini.key("display_startup_errors").set("0").ro();
+sp.ini.key("expose_php").set("0").ro();
+## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
+#sp.ini.key("display_errors").rw();
+#sp.ini.key("display_startup_errors").rw();
+#sp.ini.key("expose_php").rw();
+
+## error logging options should not be set during runtime -> read-only.
+sp.ini.key("error_log").ro();
+sp.ini.key("error_reporting").ro();
+sp.ini.key("log_errors").ro();
+sp.ini.key("log_errors_max_len").set("2048").ro();
+sp.ini.key("ignore_repeated_errors").ro();
+sp.ini.key("ignore_repeated_source").ro();
+sp.ini.key("syslog.filter").ro();
+
+## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
+sp.ini.key("assert.active").set("0").ro();
+sp.ini.key("assert.bail").ro();
+sp.ini.key("assert.callback").ro();
+sp.ini.key("assert.exception").ro();
+sp.ini.key("assert.warning").ro();
+
+## enforce color codes. prevents potential XSS
+sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
+sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
+
+## prevent remote access via fopen/include
+sp.ini.key("allow_url_fopen").set("0").ro();
+sp.ini.key("allow_url_include").set("0").ro();
+
+## prevent code execution from auto-included files
+sp.ini.key("auto_append_file").ro();
+sp.ini.key("auto_prepend_file").ro();
+
+## make rarely used features read-only. you can always set the value in php.ini
+sp.ini.key("arg_separator.input").ro();
+sp.ini.key("arg_separator.output").ro();
+sp.ini.key("auto_detect_line_endings").ro();
+sp.ini.key("auto_globals_jit").ro();
+sp.ini.key("browscap").ro();
+sp.ini.key("default_charset").ro();
+sp.ini.key("register_argc_argv").ro();
+sp.ini.key("report_memleaks").ro();
+sp.ini.key("report_zend_debug").ro();
+sp.ini.key("request_order").ro();
+sp.ini.key("url_rewriter.hosts").ro();
+sp.ini.key("url_rewriter.tags").ro();
+sp.ini.key("variables_order").ro();
+sp.ini.key("from").ro();
+sp.ini.key("short_open_tag").ro();
+sp.ini.key("unserialize_callback_func").ro();
+sp.ini.key("zend.detect_unicode").ro();
+sp.ini.key("zend.enable_gc").ro();
+sp.ini.key("zend.exception_ignore_args").ro();
+sp.ini.key("zend.exception_string_param_max_len").ro();
+sp.ini.key("zend.multibyte").ro();
+sp.ini.key("zend.script_encoding").ro();
+
+## date and timezone settings
+#sp.ini.key("date.default_latitude").set("31.7667").ro();
+#sp.ini.key("date.default_longitude").set("35.2333").ro();
+#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
+#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
+#sp.ini.key("date.timezone").set("").ro();
+
+## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
+sp.ini.key("default_mimetype").rw();
+
+## allow reasonable socket timeouts
+sp.ini.key("default_socket_timeout").min("1").max("300").rw();
+
+## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
+sp.ini.key("enable_dl").set("0").ro();
+
+## links to manual pages in error pages should not be set during runtime.
+sp.ini.key("docref_ext").ro();
+sp.ini.key("docref_root").ro();
+sp.ini.key("html_errors").set("0").ro();
+
+## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
+sp.ini.key("enable_post_data_reading").rw();
+
+## disable error append/prepend which may lead to log forging.
+sp.ini.key("error_append_string").ro();
+sp.ini.key("error_prepend_string").set("").ro();
+
+## restrict limit settings to prevent Denial-of-Service
+sp.ini.key("max_execution_time").min("30").max("600").rw();
+sp.ini.key("max_file_uploads").min("0").max("25").rw();
+sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
+sp.ini.key("max_input_time").set("-1").ro();
+sp.ini.key("max_input_vars").min("0").max("1024").rw();
+sp.ini.key("memory_limit").min("4M").max("256M").rw();
+sp.ini.key("post_max_size").max("256M").rw();
+sp.ini.key("upload_max_filesize").max("256M").rw();
+sp.ini.key("precision").max("14").rv();
+sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
+sp.ini.key("serialize_precision").ro();
+
+## some applications rely on these filters for security
+## even though they should implement proper input validation for each input field separately.
+sp.ini.key("filter.default").rw();
+sp.ini.key("filter.default_flags").rw();
+
+## scripts will not be terminated after a client has aborted their connection.
+## this feature may be needed for some time consuming server-side calculation
+sp.ini.key("ignore_user_abort").rw();
+
+## flushing may be needed
+sp.ini.key("implicit_flush").rw();
+
+## this feature may be required for some frameworks to work properly,
+## but setting the include path to a fixed value is always more secure.
+sp.ini.key("include_path").ro();
+
+## input/output and encoding options
+sp.ini.key("input_encoding").ro();
+sp.ini.key("internal_encoding").ro();
+sp.ini.key("output_encoding").ro();
+sp.ini.key("output_buffering").min("0").max("4096").rw();
+sp.ini.key("output_handler").ro();
+
+## mail options
+#sp.ini.key("mail.add_x_header").set("0").ro();
+#sp.ini.key("mail.force_extra_parameters").set("").ro();
+#sp.ini.key("mail.log").set("").ro();
+## windows smtp options
+#sp.ini.key("SMTP").set("localhost").ro();
+#sp.ini.key("smtp_port").set("25").ro();
+#sp.ini.key("sendmail_from").ro();
+
+## mysqli/mysqlnd options
+#sp.ini.key("mysqli.allow_local_infile").ro();
+#sp.ini.key("mysqli.allow_persistent").ro();
+#sp.ini.key("mysqli.default_host").ro();
+#sp.ini.key("mysqli.default_port").ro();
+#sp.ini.key("mysqli.default_pw").ro();
+#sp.ini.key("mysqli.default_socket").ro();
+#sp.ini.key("mysqli.default_user").ro();
+#sp.ini.key("mysqli.max_links").set("-1").ro();
+#sp.ini.key("mysqli.max_persistent").set("-1").ro();
+#sp.ini.key("mysqli.reconnect").set("0").ro();
+#sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
+#sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
+#sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
+#sp.ini.key("mysqlnd.debug").set("").ro();
+#sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
+#sp.ini.key("mysqlnd.log_mask").set("0").ro();
+#sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
+#sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
+#sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
+#sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
+#sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
+#sp.ini.key("mysqlnd.trace_alloc").set("").ro();
+
+## open basedir is a security feature similar to chroot.
+## why should it be allowed to disable this feature during runtime?
+sp.ini.key("open_basedir").ro();
+
+## pcre options
+sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
+sp.ini.key("pcre.jit").rw();
+sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
+
+## phar options
+sp.ini.key("phar.cache_list").ro();
+sp.ini.key("phar.readonly").ro();
+sp.ini.key("phar.require_hash").ro();
+
+## session options
+#sp.ini.key("session.auto_start").set("0").ro();
+#sp.ini.key("session.cache_expire").set("180").ro();
+#sp.ini.key("session.cache_limiter").set("nocache").ro();
+#sp.ini.key("session.cookie_domain").set("").ro();
+#sp.ini.key("session.cookie_httponly").set("0").ro();
+#sp.ini.key("session.cookie_lifetime").set("0").ro();
+#sp.ini.key("session.cookie_path").set("/").ro();
+#sp.ini.key("session.cookie_samesite").set("").ro();
+#sp.ini.key("session.cookie_secure").set("0").ro();
+#sp.ini.key("session.gc_divisor").set("100").ro();
+#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
+#sp.ini.key("session.gc_probability").set("1").ro();
+#sp.ini.key("session.lazy_write").set("1").ro();
+#sp.ini.key("session.name").set("PHPSESSID").ro();
+#sp.ini.key("session.referer_check").set("").ro();
+#sp.ini.key("session.save_handler").set("files").ro();
+#sp.ini.key("session.save_path").set("").ro();
+#sp.ini.key("session.serialize_handler").set("php").ro();
+#sp.ini.key("session.sid_bits_per_character").set("4").ro();
+sp.ini.key("session.sid_length").min("32").max("128").rw();
+#sp.ini.key("session.trans_sid_hosts").set("").ro();
+#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
+#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
+#sp.ini.key("session.upload_progress.enabled").set("1").ro();
+#sp.ini.key("session.upload_progress.freq").set("1%").ro();
+#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
+#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
+#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
+#sp.ini.key("session.use_cookies").set("1").ro();
+#sp.ini.key("session.use_only_cookies").set("1").ro();
+#sp.ini.key("session.use_strict_mode").set("0").ro();
+#sp.ini.key("session.use_trans_sid").set("0").ro();
+
+## allow setting the user agent
+sp.ini.key("user_agent").rw();
+
+## allow setting the xmlrpc fault code
+sp.ini.key("xmlrpc_error_number").rw();
+
+## these ini entries can only be set by php.ini anyway,
+## but better set them to read-only anyway, just to be sure.
+sp.ini.key("disable_classes").ro();
+sp.ini.key("disable_functions").ro();
+sp.ini.key("doc_root").ro();
+sp.ini.key("extension_dir").ro();
+sp.ini.key("file_uploads").ro();
+sp.ini.key("hard_timeout").ro();
+sp.ini.key("realpath_cache_size").ro();
+sp.ini.key("realpath_cache_ttl").ro();
+sp.ini.key("sendmail_path").ro();
+sp.ini.key("sqlite3.defensive").ro();
+sp.ini.key("sqlite3.extension_dir").ro();
+sp.ini.key("sys_temp_dir").set("").ro();
+sp.ini.key("syslog.facility").ro();
+sp.ini.key("syslog.ident").ro();
+sp.ini.key("upload_tmp_dir").ro();
+sp.ini.key("user_dir").ro();
+sp.ini.key("user_ini.cache_ttl").ro();
+sp.ini.key("user_ini.filename").ro();
+sp.ini.key("zend.assertions").ro();
+sp.ini.key("zend.signal_check").set("0").ro();
-- 
cgit v1.3