[packages/php.git] / php-ini.patch

--- php-5.2.0/php.ini-dist	2006-10-14 18:06:11.000000000 +0300
+++ php-5.2.0/php.ini	2006-11-03 00:23:42.665401441 +0200
@@ -3,13 +3,18 @@
 ;;;;;;;;;;;
 ; WARNING ;
 ;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
-
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+; It's based mainly on php.ini-dist, but with some changes made with
+; security in mind (see below, consult also
+; http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations /etc/php/php.ini file
+; contains global settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
+; (so you don't have to duplicate whole large file to override only
+; few options)
 
 ;;;;;;;;;;;;;;;;;;;
 ; About php.ini   ;
@@ -59,10 +64,72 @@
 ;;;;;;;;;;;;;;;;;;;
 ; About this file ;
 ;;;;;;;;;;;;;;;;;;;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
 
+; Below is the list of settings changed from default as specified in
+; php.ini-recommended. These settings make PHP more secure and encourage
+; cleaner coding.
+; The price is that with these settings, PHP may be incompatible with some old
+; or bad-written applications, and sometimes, more difficult to develop with.
+; Using this settings is warmly recommended for production sites.  As all of
+; the changes from the standard settings are thoroughly documented, you can
+; go over each one, and decide whether you want to use it or not.
+;
+; - register_globals = Off         [Security, Performance]
+;     Global variables are no longer registered for input data (POST, GET, cookies,
+;     environment and other server variables).  Instead of using $foo, you must use
+;     you can use $_REQUEST["foo"] (includes any variable that arrives through the
+;     request, namely, POST, GET and cookie variables), or use one of the specific
+;     $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+;     on where the input originates.  Also, you can look at the
+;     import_request_variables() function.
+;     Note that register_globals = Off is the default setting since PHP 4.2.0.
+; - display_errors = Off           [Security]
+;     With this directive set to off, errors that occur during the execution of
+;     scripts will no longer be displayed as a part of the script output, and thus,
+;     will no longer be exposed to remote users.  With some errors, the error message
+;     content may expose information about your script, web server, or database
+;     server that may be exploitable for hacking.  Production sites should have this
+;     directive set to off.
+; - log_errors = On                [Security]
+;     This directive complements the above one.  Any errors that occur during the
+;     execution of your script will be logged (typically, to your server's error log,
+;     but can be configured in several ways).  Along with setting display_errors to off,
+;     this setup gives you the ability to fully understand what may have gone wrong,
+;     without exposing any sensitive information to remote users.
+; - error_reporting = E_ALL        [Code Cleanliness, Security(?)]
+;     By default, PHP surpresses errors of type E_NOTICE.  These error messages
+;     are emitted for non-critical errors, but that could be a symptom of a bigger
+;     problem.  Most notably, this will cause error messages about the use
+;     of uninitialized variables to be displayed.
+; - register_argc_argv = Off       [Performance]
+;     Disables registration of the somewhat redundant $argv and $argc global
+;     variables.
+; - magic_quotes_gpc = Off         [Performance]
+;     Input data is no longer escaped with slashes so that it can be sent into
+;     SQL databases without further manipulation.  Instead, you should use the
+;     function addslashes() on each input element you wish to send to a database.
+; - variables_order = "GPCS"       [Performance]
+;     The environment variables are not hashed into the $HTTP_ENV_VARS[].  To access
+;     environment variables, you can use getenv() instead.
+
+; For completeness, below is list of the rest of changes recommended for
+; performance, but NOT applied in default php.ini in PLD (since they are
+; not needed for security or may cause problems with some applications
+; more likely than above).
+
+; - output_buffering = 4096        [Performance]
+;     Set a 4KB output buffer.  Enabling output buffering typically results in less
+;     writes, and sometimes less packets sent on the wire, which can often lead to
+;     better performance.  The gain this directive actually yields greatly depends
+;     on which Web server you're working with, and what kind of scripts you're using.
+; - allow_call_time_pass_reference = Off     [Code cleanliness]
+;     It's not possible to decide to force a variable to be passed by reference
+;     when calling a function.  The PHP 4 style to do this is by making the
+;     function require the relevant argument by reference.
 
 ;;;;;;;;;;;;;;;;;;;;
 ; Language Options ;
@@ -86,7 +153,7 @@
 asp_tags = Off
 
 ; The number of significant digits displayed in floating point numbers.
-precision    =  12
+precision    =  14
 
 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
 y2k_compliance = On
@@ -301,14 +368,16 @@
 ;
 ;   - Show all errors except for notices and coding standards warnings
 ;
-error_reporting  =  E_ALL & ~E_NOTICE
+;error_reporting  =  E_ALL & ~E_NOTICE
+
+error_reporting = E_ALL
 
 ; Print out errors (as a part of the output).  For production web sites,
 ; you're strongly encouraged to turn this feature off, and use error logging
 ; instead (see below).  Keeping display_errors enabled on a production web site
 ; may reveal security information to end users, such as file paths on your Web
 ; server, your database schema or other information.
-display_errors = On
+display_errors = Off
 
 ; Even when display_errors is on, errors that occur during PHP's startup
 ; sequence are not displayed.  It's strongly recommended to keep
@@ -318,7 +387,7 @@
 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
 ; As stated above, you're strongly advised to use error logging in place of
 ; error displaying on production web sites.
-log_errors = Off
+log_errors = On
 
 ; Set maximum length of log_errors. In error_log information about the source is
 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
@@ -345,7 +414,7 @@
 
 ; Disable the inclusion of HTML tags in error messages.
 ; Note: Never use this feature for production boxes.
-;html_errors = Off
+html_errors = Off
 
 ; If html_errors is set On PHP produces clickable error messages that direct
 ; to a page describing the error or function causing the error in detail.
@@ -389,7 +458,7 @@
 ; Environment and Built-in variables (G, P, C, E & S respectively, often
 ; referred to as EGPCS or GPC).  Registration is done from left to right, newer
 ; values override older values.
-variables_order = "EGPCS"
+variables_order = "GPCS"
 
 ; Whether or not to register the EGPCS variables as global variables.  You may
 ; want to turn this off if you don't want to clutter your scripts' global scope
@@ -405,12 +474,12 @@
 ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
 ; and friends.  If you're not using them, it's recommended to turn them off,
 ; for performance reasons.
-register_long_arrays = On
+register_long_arrays = Off
 
 ; This directive tells PHP whether to declare the argv&argc variables (that
 ; would contain the GET information).  If you don't use these variables, you
 ; should turn it off for increased performance.
-register_argc_argv = On
+register_argc_argv = Off
 
 ; When enabled, the SERVER and ENV variables are created when they're first
 ; used (Just In Time) instead of when the script starts. If these variables
@@ -426,7 +495,7 @@
 ;
 
 ; Magic quotes for incoming GET/POST/Cookie data.
-magic_quotes_gpc = On
+magic_quotes_gpc = Off
 
 ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
 magic_quotes_runtime = Off
@@ -472,7 +541,7 @@
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "./"
+extension_dir = "/usr/lib/php"
 
 ; Whether or not to enable the dl() function.  The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
@@ -533,7 +602,7 @@
 ;;;;;;;;;;;;;;;;;;
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
-allow_url_fopen = On
+allow_url_fopen = Off
 
 ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
 allow_url_include = Off
@@ -576,48 +645,6 @@
 ; needs to go here.  Specify the location of the extension with the
 ; extension_dir directive above.
 
-
-; Windows Extensions
-; Note that ODBC support is built in, so no dll is needed for it.
-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
-; extension folders as well as the separate PECL DLL download (PHP 5).
-; Be sure to appropriately set the extension_dir directive.
-
-;extension=php_mbstring.dll
-;extension=php_bz2.dll
-;extension=php_curl.dll
-;extension=php_dba.dll
-;extension=php_dbase.dll
-;extension=php_exif.dll
-;extension=php_fdf.dll
-;extension=php_filepro.dll
-;extension=php_gd2.dll
-;extension=php_gettext.dll
-;extension=php_ifx.dll
-;extension=php_imap.dll
-;extension=php_interbase.dll
-;extension=php_ldap.dll
-;extension=php_mcrypt.dll
-;extension=php_mhash.dll
-;extension=php_mime_magic.dll
-;extension=php_ming.dll
-;extension=php_mssql.dll
-;extension=php_msql.dll
-;extension=php_mysql.dll
-;extension=php_oci8.dll
-;extension=php_openssl.dll
-;extension=php_oracle.dll
-;extension=php_pgsql.dll
-;extension=php_shmop.dll
-;extension=php_snmp.dll
-;extension=php_sockets.dll
-;extension=php_sqlite.dll
-;extension=php_sybase_ct.dll
-;extension=php_tidy.dll
-;extension=php_xmlrpc.dll
-;extension=php_xsl.dll
-
-
 ;;;;;;;;;;;;;;;;;;;
 ; Module Settings ;
 ;;;;;;;;;;;;;;;;;;;
@@ -1205,7 +1232,7 @@
 ; Enables or disables WSDL caching feature.
 soap.wsdl_cache_enabled=1
 ; Sets the directory name where SOAP extension will put cache files.
-soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_dir="/var/run/php"
 ; (time to live) Sets the number of second while cached file will be used 
 ; instead of original one.
 soap.wsdl_cache_ttl=86400
Commit	Line	Data
95a30b9d ER	1	--- php-5.2.0/php.ini-dist 2006-10-14 18:06:11.000000000 +0300
95a30b9d ER	2	+++ php-5.2.0/php.ini 2006-11-03 00:23:42.665401441 +0200
917119c9	3	@@ -3,13 +3,18 @@
4342041a JB	4	;;;;;;;;;;;
	5	; WARNING ;
	6	;;;;;;;;;;;
	7	-; This is the default settings file for new PHP installations.
	8	-; By default, PHP installs itself with a configuration suitable for
	9	-; development purposes, and NOT for production purposes.
	10	-; For several security-oriented considerations that should be taken
	11	-; before going online with your site, please consult php.ini-recommended
	12	-; and http://php.net/manual/en/security.php.
917119c9	13	-
4342041a JB	14	+; This is the default settings file for new PHP installations from
	15	+; PLD Linux Distribution.
	16	+; It's based mainly on php.ini-dist, but with some changes made with
	17	+; security in mind (see below, consult also
	18	+; http://php.net/manual/en/security.php).
	19	+;
917119c9 AM	20	+; Please note, that in PLD installations /etc/php/php.ini file
917119c9 AM	21	+; contains global settings for all SAPIs (cgi, cli, apache...),
4342041a JB	22	+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
4342041a JB	23	+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
917119c9 AM	24	+; (so you don't have to duplicate whole large file to override only
917119c9 AM	25	+; few options)
4342041a	26
a00e0eb8 AM	27	;;;;;;;;;;;;;;;;;;;
a00e0eb8 AM	28	; About php.ini ;
95a30b9d ER	29	@@ -59,10 +64,72 @@
95a30b9d ER	30	;;;;;;;;;;;;;;;;;;;
917119c9	31	; About this file ;
a00e0eb8	32	;;;;;;;;;;;;;;;;;;;
4342041a JB	33	-; All the values in the php.ini-dist file correspond to the builtin
	34	-; defaults (that is, if no php.ini is used, or if you delete these lines,
	35	-; the builtin defaults will be identical).
a00e0eb8 AM	36	+; If you use constants in your value, and these constants belong to a
	37	+; dynamically loaded extension (either a PHP extension or a Zend extension),
	38	+; you may only use these constants after the line that loads the extension.
95a30b9d	39	+
62277197	40
4342041a JB	41	+; Below is the list of settings changed from default as specified in
	42	+; php.ini-recommended. These settings make PHP more secure and encourage
	43	+; cleaner coding.
	44	+; The price is that with these settings, PHP may be incompatible with some old
	45	+; or bad-written applications, and sometimes, more difficult to develop with.
	46	+; Using this settings is warmly recommended for production sites. As all of
	47	+; the changes from the standard settings are thoroughly documented, you can
	48	+; go over each one, and decide whether you want to use it or not.
	49	+;
	50	+; - register_globals = Off [Security, Performance]
	51	+; Global variables are no longer registered for input data (POST, GET, cookies,
	52	+; environment and other server variables). Instead of using $foo, you must use
	53	+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
	54	+; request, namely, POST, GET and cookie variables), or use one of the specific
	55	+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
	56	+; on where the input originates. Also, you can look at the
	57	+; import_request_variables() function.
	58	+; Note that register_globals = Off is the default setting since PHP 4.2.0.
	59	+; - display_errors = Off [Security]
	60	+; With this directive set to off, errors that occur during the execution of
	61	+; scripts will no longer be displayed as a part of the script output, and thus,
	62	+; will no longer be exposed to remote users. With some errors, the error message
	63	+; content may expose information about your script, web server, or database
	64	+; server that may be exploitable for hacking. Production sites should have this
	65	+; directive set to off.
	66	+; - log_errors = On [Security]
	67	+; This directive complements the above one. Any errors that occur during the
	68	+; execution of your script will be logged (typically, to your server's error log,
	69	+; but can be configured in several ways). Along with setting display_errors to off,
	70	+; this setup gives you the ability to fully understand what may have gone wrong,
	71	+; without exposing any sensitive information to remote users.
	72	+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
	73	+; By default, PHP surpresses errors of type E_NOTICE. These error messages
	74	+; are emitted for non-critical errors, but that could be a symptom of a bigger
	75	+; problem. Most notably, this will cause error messages about the use
	76	+; of uninitialized variables to be displayed.
20e4fbdf ER	77	+; - register_argc_argv = Off [Performance]
	78	+; Disables registration of the somewhat redundant $argv and $argc global
	79	+; variables.
	80	+; - magic_quotes_gpc = Off [Performance]
	81	+; Input data is no longer escaped with slashes so that it can be sent into
	82	+; SQL databases without further manipulation. Instead, you should use the
	83	+; function addslashes() on each input element you wish to send to a database.
	84	+; - variables_order = "GPCS" [Performance]
	85	+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
	86	+; environment variables, you can use getenv() instead.
4342041a JB	87	+
	88	+; For completeness, below is list of the rest of changes recommended for
	89	+; performance, but NOT applied in default php.ini in PLD (since they are
	90	+; not needed for security or may cause problems with some applications
	91	+; more likely than above).
ff83cd8b	92	+
4342041a JB	93	+; - output_buffering = 4096 [Performance]
	94	+; Set a 4KB output buffer. Enabling output buffering typically results in less
	95	+; writes, and sometimes less packets sent on the wire, which can often lead to
	96	+; better performance. The gain this directive actually yields greatly depends
	97	+; on which Web server you're working with, and what kind of scripts you're using.
4342041a JB	98	+; - allow_call_time_pass_reference = Off [Code cleanliness]
	99	+; It's not possible to decide to force a variable to be passed by reference
	100	+; when calling a function. The PHP 4 style to do this is by making the
	101	+; function require the relevant argument by reference.
95a30b9d	102
4342041a	103	;;;;;;;;;;;;;;;;;;;;
a00e0eb8 AM	104	; Language Options ;
a00e0eb8 AM	105	@@ -86,7 +153,7 @@
9fab2fdf JK	106	asp_tags = Off
	107
	108	; The number of significant digits displayed in floating point numbers.
cc1337ae JK	109	-precision = 12
cc1337ae JK	110	+precision = 14
9fab2fdf JK	111
9fab2fdf JK	112	; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
4342041a	113	y2k_compliance = On
95a30b9d	114	@@ -301,14 +368,16 @@
4342041a	115	;
62277197	116	; - Show all errors except for notices and coding standards warnings
0ced536a	117	;
62277197 AM	118	-error_reporting = E_ALL & ~E_NOTICE
	119	+;error_reporting = E_ALL & ~E_NOTICE
	120	+
	121	+error_reporting = E_ALL
4342041a JB	122
	123	; Print out errors (as a part of the output). For production web sites,
	124	; you're strongly encouraged to turn this feature off, and use error logging
	125	; instead (see below). Keeping display_errors enabled on a production web site
	126	; may reveal security information to end users, such as file paths on your Web
	127	; server, your database schema or other information.
	128	-display_errors = On
	129	+display_errors = Off
	130
	131	; Even when display_errors is on, errors that occur during PHP's startup
	132	; sequence are not displayed. It's strongly recommended to keep
95a30b9d	133	@@ -318,7 +387,7 @@
2f814ad2 ER	134	; Log errors into a log file (server-specific log, stderr, or error_log (below))
	135	; As stated above, you're strongly advised to use error logging in place of
	136	; error displaying on production web sites.
	137	-log_errors = Off
	138	+log_errors = On
	139
	140	; Set maximum length of log_errors. In error_log information about the source is
	141	; added. The default is 1024 and 0 allows to not apply any maximum length at all.
95a30b9d	142	@@ -345,7 +414,7 @@
87831047 ER	143
	144	; Disable the inclusion of HTML tags in error messages.
	145	; Note: Never use this feature for production boxes.
	146	-;html_errors = Off
	147	+html_errors = Off
	148
	149	; If html_errors is set On PHP produces clickable error messages that direct
	150	; to a page describing the error or function causing the error in detail.
95a30b9d	151	@@ -389,7 +458,7 @@
20e4fbdf ER	152	; Environment and Built-in variables (G, P, C, E & S respectively, often
	153	; referred to as EGPCS or GPC). Registration is done from left to right, newer
	154	; values override older values.
	155	-variables_order = "EGPCS"
	156	+variables_order = "GPCS"
	157
	158	; Whether or not to register the EGPCS variables as global variables. You may
	159	; want to turn this off if you don't want to clutter your scripts' global scope
95a30b9d	160	@@ -405,12 +474,12 @@
20e4fbdf ER	161	; Whether or not to register the old-style input arrays, HTTP_GET_VARS
	162	; and friends. If you're not using them, it's recommended to turn them off,
	163	; for performance reasons.
	164	-register_long_arrays = On
	165	+register_long_arrays = Off
	166
	167	; This directive tells PHP whether to declare the argv&argc variables (that
	168	; would contain the GET information). If you don't use these variables, you
	169	; should turn it off for increased performance.
	170	-register_argc_argv = On
	171	+register_argc_argv = Off
	172
	173	; When enabled, the SERVER and ENV variables are created when they're first
	174	; used (Just In Time) instead of when the script starts. If these variables
95a30b9d	175	@@ -426,7 +495,7 @@
20e4fbdf ER	176	;
	177
	178	; Magic quotes for incoming GET/POST/Cookie data.
	179	-magic_quotes_gpc = On
	180	+magic_quotes_gpc = Off
	181
	182	; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
	183	magic_quotes_runtime = Off
95a30b9d	184	@@ -472,7 +541,7 @@
62277197 AM	185	user_dir =
	186
	187	; Directory in which the loadable extensions (modules) reside.
	188	-extension_dir = "./"
	189	+extension_dir = "/usr/lib/php"
	190
	191	; Whether or not to enable the dl() function. The dl() function does NOT work
	192	; properly in multithreaded servers, such as IIS or Zeus, and is automatically
95a30b9d	193	@@ -533,7 +602,7 @@
20e4fbdf ER	194	;;;;;;;;;;;;;;;;;;
	195
	196	; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
	197	-allow_url_fopen = On
	198	+allow_url_fopen = Off
	199
95a30b9d ER	200	; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
	201	allow_url_include = Off
	202	@@ -576,48 +645,6 @@
bdc88c24 ER	203	; needs to go here. Specify the location of the extension with the
	204	; extension_dir directive above.
	205
	206	-
	207	-; Windows Extensions
	208	-; Note that ODBC support is built in, so no dll is needed for it.
	209	-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
	210	-; extension folders as well as the separate PECL DLL download (PHP 5).
	211	-; Be sure to appropriately set the extension_dir directive.
	212	-
	213	-;extension=php_mbstring.dll
	214	-;extension=php_bz2.dll
	215	-;extension=php_curl.dll
	216	-;extension=php_dba.dll
	217	-;extension=php_dbase.dll
	218	-;extension=php_exif.dll
	219	-;extension=php_fdf.dll
	220	-;extension=php_filepro.dll
	221	-;extension=php_gd2.dll
	222	-;extension=php_gettext.dll
	223	-;extension=php_ifx.dll
	224	-;extension=php_imap.dll
	225	-;extension=php_interbase.dll
	226	-;extension=php_ldap.dll
	227	-;extension=php_mcrypt.dll
	228	-;extension=php_mhash.dll
	229	-;extension=php_mime_magic.dll
	230	-;extension=php_ming.dll
	231	-;extension=php_mssql.dll
	232	-;extension=php_msql.dll
	233	-;extension=php_mysql.dll
	234	-;extension=php_oci8.dll
	235	-;extension=php_openssl.dll
	236	-;extension=php_oracle.dll
	237	-;extension=php_pgsql.dll
	238	-;extension=php_shmop.dll
	239	-;extension=php_snmp.dll
	240	-;extension=php_sockets.dll
	241	-;extension=php_sqlite.dll
	242	-;extension=php_sybase_ct.dll
	243	-;extension=php_tidy.dll
	244	-;extension=php_xmlrpc.dll
	245	-;extension=php_xsl.dll
	246	-
	247	-
	248	;;;;;;;;;;;;;;;;;;;
	249	; Module Settings ;
	250	;;;;;;;;;;;;;;;;;;;
95a30b9d	251	@@ -1205,7 +1232,7 @@
614d53e4 ER	252	; Enables or disables WSDL caching feature.
	253	soap.wsdl_cache_enabled=1
	254	; Sets the directory name where SOAP extension will put cache files.
	255	-soap.wsdl_cache_dir="/tmp"
	256	+soap.wsdl_cache_dir="/var/run/php"
	257	; (time to live) Sets the number of second while cached file will be used
	258	; instead of original one.
	259	soap.wsdl_cache_ttl=86400