blob: 175f52774e5939e893d4d31a9543fb27bb5d9a95 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
|
## INI protection - prevent unwanted runtime ini changes made by ini_set() or other functions or by .htaccess
sp.ini_protection.enable();
## simulation mode: only log violations
#sp.ini_protection.simulation();
## drop policy: drop request on rule violation
#sp.ini_protection.policy_drop();
## do not log violations.
## this setting has no effect in simulation or drop mode
#sp.ini_protection.policy_silent_fail();
## do not log read-only violations
## this setting has no effect in simulation or drop mode
sp.ini_protection.policy_silent_ro();
## access policy can be one of
## .policy_readonly(): All entries are read-only by default.
## Individual entries can be set read-write using .readwrite() or .rw()
## .policy_readwrite(): This is the default and can be omitted.
## Individual entries can be set read-only using .readonly() or .ro()
#sp.ini_protection.policy_readonly();
## sp.ini entries can have the following attributes
## .key("..."): mandatory ini name.
## .set("..."): set the initial value. This overrides php.ini.
## checks are not performed for this initial value.
## .min("...") / .max("..."): value must be an integer between .min and .max.
## shorthand notation (e.g. 1k = 1024) is allowed
## .regexp("..."): value must match the regular expression
## .allow_null(): allow setting a NULL-value
## .msg("..."): message is shown in logs on rule violation instead of default message
## .readonly() / .ro() / .readwrite() / .rw(): set entry to read-only or read-write respectively
## If no access keyword is provided, the entry inherits the default policy set by sp.ini_protection.policy_*-rules.
## .drop(): drop request on rule violation for this entry
## .simulation(): only log rule violation for this entry
## FOR PRODUCTION SYSTEMS: disable error messages and version numbers
sp.ini.key("display_errors").set("0").ro();
sp.ini.key("display_startup_errors").set("0").ro();
sp.ini.key("expose_php").set("0").ro();
## FOR DEVELOPMENT/TESTING: allow enabling error messages and version numbers
#sp.ini.key("display_errors").rw();
#sp.ini.key("display_startup_errors").rw();
#sp.ini.key("expose_php").rw();
## error logging options should not be set during runtime -> read-only.
sp.ini.key("error_log").ro();
sp.ini.key("error_reporting").ro();
sp.ini.key("log_errors").ro();
sp.ini.key("log_errors_max_len").set("2048").ro();
sp.ini.key("ignore_repeated_errors").ro();
sp.ini.key("ignore_repeated_source").ro();
sp.ini.key("syslog.filter").ro();
## disable assert. assert() in PHP can evaluate arbitrary code just like eval()
sp.ini.key("assert.active").set("0").ro();
sp.ini.key("assert.bail").ro();
sp.ini.key("assert.callback").ro();
sp.ini.key("assert.exception").ro();
sp.ini.key("assert.warning").ro();
## enforce color codes. prevents potential XSS
sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
sp.ini.key("highlight.default").regexp("^#[0-9a-fA-F]{6}$");
sp.ini.key("highlight.html").regexp("^#[0-9a-fA-F]{6}$");
sp.ini.key("highlight.keyword").regexp("^#[0-9a-fA-F]{6}$");
sp.ini.key("highlight.string").regexp("^#[0-9a-fA-F]{6}$");
## prevent remote access via fopen/include
sp.ini.key("allow_url_fopen").set("0").ro();
sp.ini.key("allow_url_include").set("0").ro();
## prevent code execution from auto-included files
sp.ini.key("auto_append_file").ro();
sp.ini.key("auto_prepend_file").ro();
## make rarely used features read-only. you can always set the value in php.ini
sp.ini.key("arg_separator.input").ro();
sp.ini.key("arg_separator.output").ro();
sp.ini.key("auto_detect_line_endings").ro();
sp.ini.key("auto_globals_jit").ro();
sp.ini.key("browscap").ro();
sp.ini.key("default_charset").ro();
sp.ini.key("register_argc_argv").ro();
sp.ini.key("report_memleaks").ro();
sp.ini.key("report_zend_debug").ro();
sp.ini.key("request_order").ro();
sp.ini.key("url_rewriter.hosts").ro();
sp.ini.key("url_rewriter.tags").ro();
sp.ini.key("variables_order").ro();
sp.ini.key("from").ro();
sp.ini.key("short_open_tag").ro();
sp.ini.key("unserialize_callback_func").ro();
sp.ini.key("zend.detect_unicode").ro();
sp.ini.key("zend.enable_gc").ro();
sp.ini.key("zend.exception_ignore_args").ro();
sp.ini.key("zend.exception_string_param_max_len").ro();
sp.ini.key("zend.multibyte").ro();
sp.ini.key("zend.script_encoding").ro();
## date and timezone settings
#sp.ini.key("date.default_latitude").set("31.7667").ro();
#sp.ini.key("date.default_longitude").set("35.2333").ro();
#sp.ini.key("date.sunrise_zenith").set("90.833333").ro();
#sp.ini.key("date.sunset_zenith").set("90.833333").ro();
#sp.ini.key("date.timezone").set("").ro();
## setting a default mime type other than text/html can be a way to prevent XSS, so this will be set to read-write by default
sp.ini.key("default_mimetype").rw();
## allow reasonable socket timeouts
sp.ini.key("default_socket_timeout").min("1").max("300").rw();
## disable dynamic loading of PHP extensions in an apache/mod_php environment as it is a security risk.
sp.ini.key("enable_dl").set("0").ro();
## links to manual pages in error pages should not be set during runtime.
sp.ini.key("docref_ext").ro();
sp.ini.key("docref_root").ro();
sp.ini.key("html_errors").set("0").ro();
## preventing $_POST and $_FILES to be populated can be a security feature, so read-write is ok.
sp.ini.key("enable_post_data_reading").rw();
## disable error append/prepend which may lead to log forging.
sp.ini.key("error_append_string").ro();
sp.ini.key("error_prepend_string").set("").ro();
## restrict limit settings to prevent Denial-of-Service
sp.ini.key("max_execution_time").min("30").max("600").rw();
sp.ini.key("max_file_uploads").min("0").max("25").rw();
sp.ini.key("max_input_nesting_level").min("16").max("64").rw();
sp.ini.key("max_input_time").set("-1").ro();
sp.ini.key("max_input_vars").min("0").max("1024").rw();
sp.ini.key("memory_limit").min("4M").max("256M").rw();
sp.ini.key("post_max_size").max("256M").rw();
sp.ini.key("upload_max_filesize").max("256M").rw();
sp.ini.key("precision").max("14").rw();
sp.ini.key("unserialize_max_depth").min("128").max("4096").rw();
sp.ini.key("serialize_precision").ro();
## some applications rely on these filters for security
## even though they should implement proper input validation for each input field separately.
sp.ini.key("filter.default").rw();
sp.ini.key("filter.default_flags").rw();
## scripts will not be terminated after a client has aborted their connection.
## this feature may be needed for some time consuming server-side calculation
sp.ini.key("ignore_user_abort").rw();
## flushing may be needed
sp.ini.key("implicit_flush").rw();
## this feature may be required for some frameworks to work properly,
## but setting the include path to a fixed value is always more secure.
sp.ini.key("include_path").ro();
## input/output and encoding options
sp.ini.key("input_encoding").ro();
sp.ini.key("internal_encoding").ro();
sp.ini.key("output_encoding").ro();
sp.ini.key("output_buffering").min("0").max("4096").rw();
sp.ini.key("output_handler").ro();
## mail options
#sp.ini.key("mail.add_x_header").set("0").ro();
#sp.ini.key("mail.force_extra_parameters").set("").ro();
#sp.ini.key("mail.log").set("").ro();
## windows smtp options
#sp.ini.key("SMTP").set("localhost").ro();
#sp.ini.key("smtp_port").set("25").ro();
#sp.ini.key("sendmail_from").ro();
## mysqli/mysqlnd options
#sp.ini.key("mysqli.allow_local_infile").ro();
#sp.ini.key("mysqli.allow_persistent").ro();
#sp.ini.key("mysqli.default_host").ro();
#sp.ini.key("mysqli.default_port").ro();
#sp.ini.key("mysqli.default_pw").ro();
#sp.ini.key("mysqli.default_socket").ro();
#sp.ini.key("mysqli.default_user").ro();
#sp.ini.key("mysqli.max_links").set("-1").ro();
#sp.ini.key("mysqli.max_persistent").set("-1").ro();
#sp.ini.key("mysqli.reconnect").set("0").ro();
#sp.ini.key("mysqli.rollback_on_cached_plink").set("0").ro();
#sp.ini.key("mysqlnd.collect_memory_statistics").set("0").ro();
#sp.ini.key("mysqlnd.collect_statistics").set("1").ro();
#sp.ini.key("mysqlnd.debug").set("").ro();
#sp.ini.key("mysqlnd.fetch_data_copy").set("0").ro();
#sp.ini.key("mysqlnd.log_mask").set("0").ro();
#sp.ini.key("mysqlnd.mempool_default_size").set("16000").ro();
#sp.ini.key("mysqlnd.net_cmd_buffer_size").set("4096").ro();
#sp.ini.key("mysqlnd.net_read_buffer_size").set("32768").ro();
#sp.ini.key("mysqlnd.net_read_timeout").set("86400").ro();
#sp.ini.key("mysqlnd.sha256_server_public_key").set("").ro();
#sp.ini.key("mysqlnd.trace_alloc").set("").ro();
## open basedir is a security feature similar to chroot.
## why should it be allowed to disable this feature during runtime?
sp.ini.key("open_basedir").ro();
## pcre options
sp.ini.key("pcre.backtrack_limit").min("1000").max("1000000").rw();
sp.ini.key("pcre.jit").rw();
sp.ini.key("pcre.recursion_limit").min("1000").max("100000").ro();
## phar options
sp.ini.key("phar.cache_list").ro();
sp.ini.key("phar.readonly").ro();
sp.ini.key("phar.require_hash").ro();
## session options
#sp.ini.key("session.auto_start").set("0").ro();
#sp.ini.key("session.cache_expire").set("180").ro();
#sp.ini.key("session.cache_limiter").set("nocache").ro();
#sp.ini.key("session.cookie_domain").set("").ro();
#sp.ini.key("session.cookie_httponly").set("0").ro();
#sp.ini.key("session.cookie_lifetime").set("0").ro();
#sp.ini.key("session.cookie_path").set("/").ro();
#sp.ini.key("session.cookie_samesite").set("").ro();
#sp.ini.key("session.cookie_secure").set("0").ro();
#sp.ini.key("session.gc_divisor").set("100").ro();
#sp.ini.key("session.gc_maxlifetime").set("1440").ro();
#sp.ini.key("session.gc_probability").set("1").ro();
#sp.ini.key("session.lazy_write").set("1").ro();
#sp.ini.key("session.name").set("PHPSESSID").ro();
#sp.ini.key("session.referer_check").set("").ro();
#sp.ini.key("session.save_handler").set("files").ro();
#sp.ini.key("session.save_path").set("").ro();
#sp.ini.key("session.serialize_handler").set("php").ro();
#sp.ini.key("session.sid_bits_per_character").set("4").ro();
sp.ini.key("session.sid_length").min("32").max("128").rw();
#sp.ini.key("session.trans_sid_hosts").set("").ro();
#sp.ini.key("session.trans_sid_tags").set("a=href,area=href,frame=src,form=").ro();
#sp.ini.key("session.upload_progress.cleanup").set("1").ro();
#sp.ini.key("session.upload_progress.enabled").set("1").ro();
#sp.ini.key("session.upload_progress.freq").set("1%").ro();
#sp.ini.key("session.upload_progress.min_freq").set("1").ro();
#sp.ini.key("session.upload_progress.name").set("PHP_SESSION_UPLOAD_PROGRESS").ro();
#sp.ini.key("session.upload_progress.prefix").set("upload_progress_").ro();
#sp.ini.key("session.use_cookies").set("1").ro();
#sp.ini.key("session.use_only_cookies").set("1").ro();
#sp.ini.key("session.use_strict_mode").set("0").ro();
#sp.ini.key("session.use_trans_sid").set("0").ro();
## allow setting the user agent
sp.ini.key("user_agent").rw();
## allow setting the xmlrpc fault code
sp.ini.key("xmlrpc_error_number").rw();
## these ini entries can only be set by php.ini anyway,
## but better set them to read-only anyway, just to be sure.
sp.ini.key("disable_classes").ro();
sp.ini.key("disable_functions").ro();
sp.ini.key("doc_root").ro();
sp.ini.key("extension_dir").ro();
sp.ini.key("file_uploads").ro();
sp.ini.key("hard_timeout").ro();
sp.ini.key("realpath_cache_size").ro();
sp.ini.key("realpath_cache_ttl").ro();
sp.ini.key("sendmail_path").ro();
sp.ini.key("sqlite3.defensive").ro();
sp.ini.key("sqlite3.extension_dir").ro();
sp.ini.key("sys_temp_dir").set("").ro();
sp.ini.key("syslog.facility").ro();
sp.ini.key("syslog.ident").ro();
sp.ini.key("upload_tmp_dir").ro();
sp.ini.key("user_dir").ro();
sp.ini.key("user_ini.cache_ttl").ro();
sp.ini.key("user_ini.filename").ro();
sp.ini.key("zend.assertions").ro();
sp.ini.key("zend.signal_check").set("0").ro();
|
