[packages/php.git] / php-ini.patch

--- php-4.3.0/php.ini-dist	Thu Dec 26 14:27:08 2002
+++ php-4.3.0/php.ini	Sat Jan  4 21:01:55 2003
@@ -3,12 +3,18 @@
 ;;;;;;;;;;;
 ; WARNING ;
 ;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+; It's based mainly on php.ini-dist, but with some changes made with
+; security in mind (see below, consult also
+; http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations, /etc/php/php.ini file
+; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
+; (so you don't need to duplicate whole large file to override only
+; few options).
 
 
 ;;;;;;;;;;;;;;;;;;;
@@ -54,12 +60,70 @@
 ; If you use constants in your value, and these constants belong to a
 ; dynamically loaded extension (either a PHP extension or a Zend extension),
 ; you may only use these constants *after* the line that loads the extension.
-;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
 
 
+; Below is the list of settings changed from default as specified in
+; php.ini-recommended. These settings make PHP more secure and encourage
+; cleaner coding.
+; The price is that with these settings, PHP may be incompatible with some old
+; or bad-written applications, and sometimes, more difficult to develop with.
+; Using this settings is warmly recommended for production sites.  As all of
+; the changes from the standard settings are thoroughly documented, you can
+; go over each one, and decide whether you want to use it or not.
+;
+; - register_globals = Off         [Security, Performance]
+;     Global variables are no longer registered for input data (POST, GET, cookies,
+;     environment and other server variables).  Instead of using $foo, you must use
+;     you can use $_REQUEST["foo"] (includes any variable that arrives through the
+;     request, namely, POST, GET and cookie variables), or use one of the specific
+;     $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+;     on where the input originates.  Also, you can look at the
+;     import_request_variables() function.
+;     Note that register_globals = Off is the default setting since PHP 4.2.0.
+; - display_errors = Off           [Security]
+;     With this directive set to off, errors that occur during the execution of
+;     scripts will no longer be displayed as a part of the script output, and thus,
+;     will no longer be exposed to remote users.  With some errors, the error message
+;     content may expose information about your script, web server, or database
+;     server that may be exploitable for hacking.  Production sites should have this
+;     directive set to off.
+; - log_errors = On                [Security]
+;     This directive complements the above one.  Any errors that occur during the
+;     execution of your script will be logged (typically, to your server's error log,
+;     but can be configured in several ways).  Along with setting display_errors to off,
+;     this setup gives you the ability to fully understand what may have gone wrong,
+;     without exposing any sensitive information to remote users.
+; - error_reporting = E_ALL        [Code Cleanliness, Security(?)]
+;     By default, PHP surpresses errors of type E_NOTICE.  These error messages
+;     are emitted for non-critical errors, but that could be a symptom of a bigger
+;     problem.  Most notably, this will cause error messages about the use
+;     of uninitialized variables to be displayed.
+
+; For completeness, below is list of the rest of changes recommended for
+; performance, but NOT applied in default php.ini in PLD (since they are
+; not needed for security or may cause problems with some applications
+; more likely than above).
+
+; - output_buffering = 4096        [Performance]
+;     Set a 4KB output buffer.  Enabling output buffering typically results in less
+;     writes, and sometimes less packets sent on the wire, which can often lead to
+;     better performance.  The gain this directive actually yields greatly depends
+;     on which Web server you're working with, and what kind of scripts you're using.
+; - register_argc_argv = Off       [Performance]
+;     Disables registration of the somewhat redundant $argv and $argc global
+;     variables.
+; - magic_quotes_gpc = Off         [Performance]
+;     Input data is no longer escaped with slashes so that it can be sent into
+;     SQL databases without further manipulation.  Instead, you should use the
+;     function addslashes() on each input element you wish to send to a database.
+; - variables_order = "GPCS"       [Performance]
+;     The environment variables are not hashed into the $HTTP_ENV_VARS[].  To access
+;     environment variables, you can use getenv() instead.
+; - allow_call_time_pass_reference = Off     [Code cleanliness]
+;     It's not possible to decide to force a variable to be passed by reference
+;     when calling a function.  The PHP 4 style to do this is by making the
+;     function require the relevant argument by reference.
+
 ;;;;;;;;;;;;;;;;;;;;
 ; Language Options ;
 ;;;;;;;;;;;;;;;;;;;;
@@ -79,7 +143,7 @@
 asp_tags = Off
 
 ; The number of significant digits displayed in floating point numbers.
-precision    =  12
+precision    =  14
 
 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
 y2k_compliance = On
@@ -255,16 +319,16 @@
 ;
 ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
 ;
-;   - Show all errors except for notices
+;   - Show all errors
 ;
-error_reporting  =  E_ALL & ~E_NOTICE
+error_reporting  =  E_ALL
 
 ; Print out errors (as a part of the output).  For production web sites,
 ; you're strongly encouraged to turn this feature off, and use error logging
 ; instead (see below).  Keeping display_errors enabled on a production web site
 ; may reveal security information to end users, such as file paths on your Web
 ; server, your database schema or other information.
-display_errors = On
+display_errors = Off
 
 ; Even when display_errors is on, errors that occur during PHP's startup
 ; sequence are not displayed.  It's strongly recommended to keep
@@ -274,7 +338,7 @@
 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
 ; As stated above, you're strongly advised to use error logging in place of
 ; error displaying on production web sites.
-log_errors = Off
+log_errors = On
 
 ; Set maximum length of log_errors. In error_log information about the source is
 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
@@ -420,7 +484,7 @@
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "./"
+extension_dir = "/usr/lib/php"
 
 ; Whether or not to enable the dl() function.  The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
@@ -587,10 +651,10 @@
 ;sendmail_path =
 
 [Java]
-;java.class.path = .\php_java.jar
-;java.home = c:\jdk
-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll 
-;java.library.path = .\
+java.class.path = /usr/lib/php/php_java.jar
+;java.home = /usr/lib/java
+;java.library = /usr/lib/java/jre/lib/i386/libjava.so
+java.library.path = /usr/lib/php
 
 [SQL]
 sql.safe_mode = Off
@@ -685,6 +749,7 @@
 pgsql.max_links = -1
 
 ; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
 pgsql.ignore_notice = 0
 
 ; Log PostgreSQL backends Noitce message or not.
@@ -804,7 +869,9 @@
 ;         You can use the script in the ext/session dir for that purpose.
 ; NOTE 2: See the section on garbage collection below if you choose to
 ;         use subdirectories for session storage
-;session.save_path = /tmp
+; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
+;         to allow running them as user other than http
+session.save_path = /var/run/php
 
 ; Whether to use cookies.
 session.use_cookies = 1
Commit	Line	Data
84a06529	1	--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002
	2	+++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003
	3	@@ -3,12 +3,18 @@
	4	;;;;;;;;;;;
	5	; WARNING ;
	6	;;;;;;;;;;;
	7	-; This is the default settings file for new PHP installations.
	8	-; By default, PHP installs itself with a configuration suitable for
	9	-; development purposes, and NOT for production purposes.
	10	-; For several security-oriented considerations that should be taken
	11	-; before going online with your site, please consult php.ini-recommended
	12	-; and http://php.net/manual/en/security.php.
	13	+; This is the default settings file for new PHP installations from
	14	+; PLD Linux Distribution.
	15	+; It's based mainly on php.ini-dist, but with some changes made with
	16	+; security in mind (see below, consult also
	17	+; http://php.net/manual/en/security.php).
	18	+;
	19	+; Please note, that in PLD installations, /etc/php/php.ini file
	20	+; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
	21	+; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
	22	+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
	23	+; (so you don't need to duplicate whole large file to override only
	24	+; few options).
	25
	26
	27	;;;;;;;;;;;;;;;;;;;
	28	@@ -54,12 +60,70 @@
	29	; If you use constants in your value, and these constants belong to a
	30	; dynamically loaded extension (either a PHP extension or a Zend extension),
	31	; you may only use these constants after the line that loads the extension.
	32	-;
	33	-; All the values in the php.ini-dist file correspond to the builtin
	34	-; defaults (that is, if no php.ini is used, or if you delete these lines,
	35	-; the builtin defaults will be identical).
	36
	37
	38	+; Below is the list of settings changed from default as specified in
	39	+; php.ini-recommended. These settings make PHP more secure and encourage
	40	+; cleaner coding.
	41	+; The price is that with these settings, PHP may be incompatible with some old
	42	+; or bad-written applications, and sometimes, more difficult to develop with.
	43	+; Using this settings is warmly recommended for production sites. As all of
	44	+; the changes from the standard settings are thoroughly documented, you can
	45	+; go over each one, and decide whether you want to use it or not.
	46	+;
	47	+; - register_globals = Off [Security, Performance]
	48	+; Global variables are no longer registered for input data (POST, GET, cookies,
	49	+; environment and other server variables). Instead of using $foo, you must use
	50	+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
	51	+; request, namely, POST, GET and cookie variables), or use one of the specific
	52	+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
	53	+; on where the input originates. Also, you can look at the
	54	+; import_request_variables() function.
	55	+; Note that register_globals = Off is the default setting since PHP 4.2.0.
	56	+; - display_errors = Off [Security]
	57	+; With this directive set to off, errors that occur during the execution of
	58	+; scripts will no longer be displayed as a part of the script output, and thus,
	59	+; will no longer be exposed to remote users. With some errors, the error message
	60	+; content may expose information about your script, web server, or database
	61	+; server that may be exploitable for hacking. Production sites should have this
	62	+; directive set to off.
	63	+; - log_errors = On [Security]
	64	+; This directive complements the above one. Any errors that occur during the
65	+; execution of your script will be logged (typically, to your server's error log,
66	+; but can be configured in several ways). Along with setting display_errors to off,
67	+; this setup gives you the ability to fully understand what may have gone wrong,
68	+; without exposing any sensitive information to remote users.
69	+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
70	+; By default, PHP surpresses errors of type E_NOTICE. These error messages
71	+; are emitted for non-critical errors, but that could be a symptom of a bigger
72	+; problem. Most notably, this will cause error messages about the use
73	+; of uninitialized variables to be displayed.
74	+
75	+; For completeness, below is list of the rest of changes recommended for
76	+; performance, but NOT applied in default php.ini in PLD (since they are
77	+; not needed for security or may cause problems with some applications
78	+; more likely than above).
79	+
80	+; - output_buffering = 4096 [Performance]
81	+; Set a 4KB output buffer. Enabling output buffering typically results in less
82	+; writes, and sometimes less packets sent on the wire, which can often lead to
83	+; better performance. The gain this directive actually yields greatly depends
84	+; on which Web server you're working with, and what kind of scripts you're using.
85	+; - register_argc_argv = Off [Performance]
86	+; Disables registration of the somewhat redundant $argv and $argc global
87	+; variables.
88	+; - magic_quotes_gpc = Off [Performance]
89	+; Input data is no longer escaped with slashes so that it can be sent into
90	+; SQL databases without further manipulation. Instead, you should use the
91	+; function addslashes() on each input element you wish to send to a database.
92	+; - variables_order = "GPCS" [Performance]
93	+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
94	+; environment variables, you can use getenv() instead.
95	+; - allow_call_time_pass_reference = Off [Code cleanliness]
96	+; It's not possible to decide to force a variable to be passed by reference
97	+; when calling a function. The PHP 4 style to do this is by making the
98	+; function require the relevant argument by reference.
99	+
100	;;;;;;;;;;;;;;;;;;;;
101	; Language Options ;
102	;;;;;;;;;;;;;;;;;;;;
103	@@ -79,7 +143,7 @@
104	asp_tags = Off
105
106	; The number of significant digits displayed in floating point numbers.
107	-precision = 12
108	+precision = 14
109
110	; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
111	y2k_compliance = On
112	@@ -255,16 +319,16 @@
113	;
114	;error_reporting = E_COMPILE_ERROR\|E_ERROR\|E_CORE_ERROR
115	;
116	-; - Show all errors except for notices
117	+; - Show all errors
118	;
119	-error_reporting = E_ALL & ~E_NOTICE
120	+error_reporting = E_ALL
121
122	; Print out errors (as a part of the output). For production web sites,
123	; you're strongly encouraged to turn this feature off, and use error logging
124	; instead (see below). Keeping display_errors enabled on a production web site
125	; may reveal security information to end users, such as file paths on your Web
126	; server, your database schema or other information.
127	-display_errors = On
128	+display_errors = Off
129
130	; Even when display_errors is on, errors that occur during PHP's startup
131	; sequence are not displayed. It's strongly recommended to keep
132	@@ -274,7 +338,7 @@
133	; Log errors into a log file (server-specific log, stderr, or error_log (below))
134	; As stated above, you're strongly advised to use error logging in place of
135	; error displaying on production web sites.
136	-log_errors = Off
137	+log_errors = On
138
139	; Set maximum length of log_errors. In error_log information about the source is
140	; added. The default is 1024 and 0 allows to not apply any maximum length at all.
141	@@ -420,7 +484,7 @@
142	user_dir =
143
144	; Directory in which the loadable extensions (modules) reside.
145	-extension_dir = "./"
146	+extension_dir = "/usr/lib/php"
147
148	; Whether or not to enable the dl() function. The dl() function does NOT work
149	; properly in multithreaded servers, such as IIS or Zeus, and is automatically
150	@@ -587,10 +651,10 @@
151	;sendmail_path =
152
153	[Java]
154	-;java.class.path = .\php_java.jar
155	-;java.home = c:\jdk
156	-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
157	-;java.library.path = .\
158	+java.class.path = /usr/lib/php/php_java.jar
159	+;java.home = /usr/lib/java
160	+;java.library = /usr/lib/java/jre/lib/i386/libjava.so
161	+java.library.path = /usr/lib/php
162
163	[SQL]
164	sql.safe_mode = Off
165	@@ -685,6 +749,7 @@
166	pgsql.max_links = -1
167
168	; Ignore PostgreSQL backends Notice message or not.
169	+; Notice message logging require a little overheads.
170	pgsql.ignore_notice = 0
171
172	; Log PostgreSQL backends Noitce message or not.
173	@@ -804,7 +869,9 @@
174	; You can use the script in the ext/session dir for that purpose.
175	; NOTE 2: See the section on garbage collection below if you choose to
176	; use subdirectories for session storage
177	-;session.save_path = /tmp
178	+; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
179	+; to allow running them as user other than http
180	+session.save_path = /var/run/php
181
182	; Whether to use cookies.
183	session.use_cookies = 1