[packages/php.git] / php-ini.patch

diff -burN php-5.0.0b3/php.ini-dist php-5.0.0b3-php.ini/php.ini-dist
--- php-5.0.0b3/php.ini-dist	2003-12-18 03:06:00.000000000 +0100
+++ php-5.0.0b3-php.ini/php.ini-dist	2003-12-27 00:29:41.000000000 +0100
@@ -3,13 +3,18 @@
 ;;;;;;;;;;;
 ; WARNING ;
 ;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
-
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+; It's based mainly on php.ini-dist, but with some changes made with
+; security in mind (see below, consult also
+; http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations /etc/php/php.ini file
+; contains global settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
+; (so you don't have to duplicate whole large file to override only
+; few options)
 
 ;;;;;;;;;;;;;;;;;;;
 ; About this file ;
@@ -54,10 +59,69 @@
 ; If you use constants in your value, and these constants belong to a
 ; dynamically loaded extension (either a PHP extension or a Zend extension),
 ; you may only use these constants *after* the line that loads the extension.
-;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
+
+
+; Below is the list of settings changed from default as specified in
+; php.ini-recommended. These settings make PHP more secure and encourage
+; cleaner coding.
+; The price is that with these settings, PHP may be incompatible with some old
+; or bad-written applications, and sometimes, more difficult to develop with.
+; Using this settings is warmly recommended for production sites.  As all of
+; the changes from the standard settings are thoroughly documented, you can
+; go over each one, and decide whether you want to use it or not.
+;
+; - register_globals = Off         [Security, Performance]
+;     Global variables are no longer registered for input data (POST, GET, cookies,
+;     environment and other server variables).  Instead of using $foo, you must use
+;     you can use $_REQUEST["foo"] (includes any variable that arrives through the
+;     request, namely, POST, GET and cookie variables), or use one of the specific
+;     $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+;     on where the input originates.  Also, you can look at the
+;     import_request_variables() function.
+;     Note that register_globals = Off is the default setting since PHP 4.2.0.
+; - display_errors = Off           [Security]
+;     With this directive set to off, errors that occur during the execution of
+;     scripts will no longer be displayed as a part of the script output, and thus,
+;     will no longer be exposed to remote users.  With some errors, the error message
+;     content may expose information about your script, web server, or database
+;     server that may be exploitable for hacking.  Production sites should have this
+;     directive set to off.
+; - log_errors = On                [Security]
+;     This directive complements the above one.  Any errors that occur during the
+;     execution of your script will be logged (typically, to your server's error log,
+;     but can be configured in several ways).  Along with setting display_errors to off,
+;     this setup gives you the ability to fully understand what may have gone wrong,
+;     without exposing any sensitive information to remote users.
+; - error_reporting = E_ALL        [Code Cleanliness, Security(?)]
+;     By default, PHP surpresses errors of type E_NOTICE.  These error messages
+;     are emitted for non-critical errors, but that could be a symptom of a bigger
+;     problem.  Most notably, this will cause error messages about the use
+;     of uninitialized variables to be displayed.
+
+; For completeness, below is list of the rest of changes recommended for
+; performance, but NOT applied in default php.ini in PLD (since they are
+; not needed for security or may cause problems with some applications
+; more likely than above).
+
+; - output_buffering = 4096        [Performance]
+;     Set a 4KB output buffer.  Enabling output buffering typically results in less
+;     writes, and sometimes less packets sent on the wire, which can often lead to
+;     better performance.  The gain this directive actually yields greatly depends
+;     on which Web server you're working with, and what kind of scripts you're using.
+; - register_argc_argv = Off       [Performance]
+;     Disables registration of the somewhat redundant $argv and $argc global
+;     variables.
+; - magic_quotes_gpc = Off         [Performance]
+;     Input data is no longer escaped with slashes so that it can be sent into
+;     SQL databases without further manipulation.  Instead, you should use the
+;     function addslashes() on each input element you wish to send to a database.
+; - variables_order = "GPCS"       [Performance]
+;     The environment variables are not hashed into the $HTTP_ENV_VARS[].  To access
+;     environment variables, you can use getenv() instead.
+; - allow_call_time_pass_reference = Off     [Code cleanliness]
+;     It's not possible to decide to force a variable to be passed by reference
+;     when calling a function.  The PHP 4 style to do this is by making the
+;     function require the relevant argument by reference.
 
 
 ;;;;;;;;;;;;;;;;;;;;
@@ -79,7 +143,7 @@
 asp_tags = Off
 
 ; The number of significant digits displayed in floating point numbers.
-precision    =  12
+precision    =  14
 
 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
 y2k_compliance = On
@@ -270,14 +334,14 @@
 ;
 ;   - Show all errors except for notices and coding standards warnings
 ;
-error_reporting  =  E_ALL & ~E_NOTICE & ~E_STRICT
+error_reporting  =  E_ALL
 
 ; Print out errors (as a part of the output).  For production web sites,
 ; you're strongly encouraged to turn this feature off, and use error logging
 ; instead (see below).  Keeping display_errors enabled on a production web site
 ; may reveal security information to end users, such as file paths on your Web
 ; server, your database schema or other information.
-display_errors = On
+display_errors = Off
 
 ; Even when display_errors is on, errors that occur during PHP's startup
 ; sequence are not displayed.  It's strongly recommended to keep
@@ -435,7 +499,7 @@
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "./"
+extension_dir = "/usr/lib/php"
 
 ; Whether or not to enable the dl() function.  The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
@@ -530,50 +594,6 @@
 ; extension_dir directive above.
 
 
-;Windows Extensions
-;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
-;
-;extension=php_bz2.dll
-;extension=php_cpdf.dll
-;extension=php_curl.dll
-;extension=php_dba.dll
-;extension=php_dbase.dll
-;extension=php_dbx.dll
-;extension=php_exif.dll
-;extension=php_fdf.dll
-;extension=php_filepro.dll
-;extension=php_gd2.dll
-;extension=php_gettext.dll
-;extension=php_iconv.dll
-;extension=php_ifx.dll
-;extension=php_iisfunc.dll
-;extension=php_imap.dll
-;extension=php_interbase.dll
-;extension=php_ldap.dll
-;extension=php_mbstring.dll
-;extension=php_mcrypt.dll
-;extension=php_mhash.dll
-;extension=php_mime_magic.dll
-;extension=php_ming.dll
-;extension=php_mssql.dll
-;extension=php_msql.dll
-;extension=php_mysql.dll
-;extension=php_oci8.dll
-;extension=php_openssl.dll
-;extension=php_oracle.dll
-;extension=php_pdf.dll
-;extension=php_pgsql.dll
-;extension=php_shmop.dll
-;extension=php_snmp.dll
-;extension=php_sockets.dll
-;extension=php_sybase_ct.dll
-;extension=php_w32api.dll
-;extension=php_xmlrpc.dll
-;extension=php_xsl.dll
-;extension=php_yaz.dll
-;extension=php_zip.dll
-
-
 ;;;;;;;;;;;;;;;;;;;
 ; Module Settings ;
 ;;;;;;;;;;;;;;;;;;;
Commit	Line	Data
18077452 AG	1	diff -burN php-5.0.0b3/php.ini-dist php-5.0.0b3-php.ini/php.ini-dist
	2	--- php-5.0.0b3/php.ini-dist 2003-12-18 03:06:00.000000000 +0100
	3	+++ php-5.0.0b3-php.ini/php.ini-dist 2003-12-27 00:29:41.000000000 +0100
	4	@@ -3,13 +3,18 @@
4342041a JB	5	;;;;;;;;;;;
	6	; WARNING ;
	7	;;;;;;;;;;;
	8	-; This is the default settings file for new PHP installations.
	9	-; By default, PHP installs itself with a configuration suitable for
	10	-; development purposes, and NOT for production purposes.
	11	-; For several security-oriented considerations that should be taken
	12	-; before going online with your site, please consult php.ini-recommended
	13	-; and http://php.net/manual/en/security.php.
18077452	14	-
4342041a JB	15	+; This is the default settings file for new PHP installations from
	16	+; PLD Linux Distribution.
	17	+; It's based mainly on php.ini-dist, but with some changes made with
	18	+; security in mind (see below, consult also
	19	+; http://php.net/manual/en/security.php).
	20	+;
18077452 AG	21	+; Please note, that in PLD installations /etc/php/php.ini file
18077452 AG	22	+; contains global settings for all SAPIs (cgi, cli, apache...),
4342041a JB	23	+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
4342041a JB	24	+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
18077452 AG	25	+; (so you don't have to duplicate whole large file to override only
18077452 AG	26	+; few options)
4342041a JB	27
4342041a JB	28	;;;;;;;;;;;;;;;;;;;
18077452 AG	29	; About this file ;
18077452 AG	30	@@ -54,10 +59,69 @@
4342041a JB	31	; If you use constants in your value, and these constants belong to a
	32	; dynamically loaded extension (either a PHP extension or a Zend extension),
	33	; you may only use these constants after the line that loads the extension.
	34	-;
	35	-; All the values in the php.ini-dist file correspond to the builtin
	36	-; defaults (that is, if no php.ini is used, or if you delete these lines,
	37	-; the builtin defaults will be identical).
18077452 AG	38	+
18077452 AG	39	+
4342041a JB	40	+; Below is the list of settings changed from default as specified in
	41	+; php.ini-recommended. These settings make PHP more secure and encourage
	42	+; cleaner coding.
	43	+; The price is that with these settings, PHP may be incompatible with some old
	44	+; or bad-written applications, and sometimes, more difficult to develop with.
	45	+; Using this settings is warmly recommended for production sites. As all of
	46	+; the changes from the standard settings are thoroughly documented, you can
	47	+; go over each one, and decide whether you want to use it or not.
	48	+;
	49	+; - register_globals = Off [Security, Performance]
	50	+; Global variables are no longer registered for input data (POST, GET, cookies,
	51	+; environment and other server variables). Instead of using $foo, you must use
	52	+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
	53	+; request, namely, POST, GET and cookie variables), or use one of the specific
	54	+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
	55	+; on where the input originates. Also, you can look at the
	56	+; import_request_variables() function.
	57	+; Note that register_globals = Off is the default setting since PHP 4.2.0.
	58	+; - display_errors = Off [Security]
	59	+; With this directive set to off, errors that occur during the execution of
	60	+; scripts will no longer be displayed as a part of the script output, and thus,
	61	+; will no longer be exposed to remote users. With some errors, the error message
	62	+; content may expose information about your script, web server, or database
	63	+; server that may be exploitable for hacking. Production sites should have this
	64	+; directive set to off.
	65	+; - log_errors = On [Security]
	66	+; This directive complements the above one. Any errors that occur during the
	67	+; execution of your script will be logged (typically, to your server's error log,
	68	+; but can be configured in several ways). Along with setting display_errors to off,
	69	+; this setup gives you the ability to fully understand what may have gone wrong,
	70	+; without exposing any sensitive information to remote users.
	71	+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
	72	+; By default, PHP surpresses errors of type E_NOTICE. These error messages
	73	+; are emitted for non-critical errors, but that could be a symptom of a bigger
	74	+; problem. Most notably, this will cause error messages about the use
	75	+; of uninitialized variables to be displayed.
	76	+
	77	+; For completeness, below is list of the rest of changes recommended for
	78	+; performance, but NOT applied in default php.ini in PLD (since they are
	79	+; not needed for security or may cause problems with some applications
	80	+; more likely than above).
	81	+
	82	+; - output_buffering = 4096 [Performance]
	83	+; Set a 4KB output buffer. Enabling output buffering typically results in less
	84	+; writes, and sometimes less packets sent on the wire, which can often lead to
	85	+; better performance. The gain this directive actually yields greatly depends
	86	+; on which Web server you're working with, and what kind of scripts you're using.
	87	+; - register_argc_argv = Off [Performance]
	88	+; Disables registration of the somewhat redundant $argv and $argc global
	89	+; variables.
	90	+; - magic_quotes_gpc = Off [Performance]
	91	+; Input data is no longer escaped with slashes so that it can be sent into
	92	+; SQL databases without further manipulation. Instead, you should use the
	93	+; function addslashes() on each input element you wish to send to a database.
	94	+; - variables_order = "GPCS" [Performance]
	95	+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
	96	+; environment variables, you can use getenv() instead.
	97	+; - allow_call_time_pass_reference = Off [Code cleanliness]
	98	+; It's not possible to decide to force a variable to be passed by reference
	99	+; when calling a function. The PHP 4 style to do this is by making the
	100	+; function require the relevant argument by reference.
18077452 AG	101
18077452 AG	102
4342041a JB	103	;;;;;;;;;;;;;;;;;;;;
4342041a JB	104	@@ -79,7 +143,7 @@
9fab2fdf JK	105	asp_tags = Off
	106
	107	; The number of significant digits displayed in floating point numbers.
cc1337ae JK	108	-precision = 12
cc1337ae JK	109	+precision = 14
9fab2fdf JK	110
9fab2fdf JK	111	; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
4342041a	112	y2k_compliance = On
18077452	113	@@ -270,14 +334,14 @@
4342041a	114	;
18077452	115	; - Show all errors except for notices and coding standards warnings
4342041a	116	;
18077452	117	-error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
4342041a JB	118	+error_reporting = E_ALL
	119
	120	; Print out errors (as a part of the output). For production web sites,
	121	; you're strongly encouraged to turn this feature off, and use error logging
	122	; instead (see below). Keeping display_errors enabled on a production web site
	123	; may reveal security information to end users, such as file paths on your Web
	124	; server, your database schema or other information.
	125	-display_errors = On
	126	+display_errors = Off
	127
	128	; Even when display_errors is on, errors that occur during PHP's startup
	129	; sequence are not displayed. It's strongly recommended to keep
18077452	130	@@ -435,7 +499,7 @@
78b7386f GS	131	user_dir =
	132
	133	; Directory in which the loadable extensions (modules) reside.
a224c566 AG	134	-extension_dir = "./"
a224c566 AG	135	+extension_dir = "/usr/lib/php"
78b7386f GS	136
	137	; Whether or not to enable the dl() function. The dl() function does NOT work
	138	; properly in multithreaded servers, such as IIS or Zeus, and is automatically
18077452 AG	139	@@ -530,50 +594,6 @@
18077452 AG	140	; extension_dir directive above.
4342041a	141
4342041a	142
18077452 AG	143	-;Windows Extensions
	144	-;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
	145	-;
	146	-;extension=php_bz2.dll
	147	-;extension=php_cpdf.dll
	148	-;extension=php_curl.dll
	149	-;extension=php_dba.dll
	150	-;extension=php_dbase.dll
	151	-;extension=php_dbx.dll
	152	-;extension=php_exif.dll
	153	-;extension=php_fdf.dll
	154	-;extension=php_filepro.dll
	155	-;extension=php_gd2.dll
	156	-;extension=php_gettext.dll
	157	-;extension=php_iconv.dll
	158	-;extension=php_ifx.dll
	159	-;extension=php_iisfunc.dll
	160	-;extension=php_imap.dll
	161	-;extension=php_interbase.dll
	162	-;extension=php_ldap.dll
	163	-;extension=php_mbstring.dll
	164	-;extension=php_mcrypt.dll
	165	-;extension=php_mhash.dll
	166	-;extension=php_mime_magic.dll
	167	-;extension=php_ming.dll
	168	-;extension=php_mssql.dll
	169	-;extension=php_msql.dll
	170	-;extension=php_mysql.dll
	171	-;extension=php_oci8.dll
	172	-;extension=php_openssl.dll
	173	-;extension=php_oracle.dll
	174	-;extension=php_pdf.dll
	175	-;extension=php_pgsql.dll
	176	-;extension=php_shmop.dll
	177	-;extension=php_snmp.dll
	178	-;extension=php_sockets.dll
	179	-;extension=php_sybase_ct.dll
	180	-;extension=php_w32api.dll
	181	-;extension=php_xmlrpc.dll
	182	-;extension=php_xsl.dll
	183	-;extension=php_yaz.dll
	184	-;extension=php_zip.dll
	185	-
	186	-
	187	;;;;;;;;;;;;;;;;;;;
	188	; Module Settings ;
	189	;;;;;;;;;;;;;;;;;;;