-diff -durN php-4.3.0.orig/php.ini php-4.3.0/php.ini
---- php-4.3.0.orig/php.ini Wed Aug 7 18:24:45 2002
-+++ php-4.3.0/php.ini Wed Aug 7 18:30:27 2002
-@@ -74,7 +74,7 @@
+--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002
++++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003
+@@ -3,12 +3,18 @@
+ ;;;;;;;;;;;
+ ; WARNING ;
+ ;;;;;;;;;;;
+-; This is the default settings file for new PHP installations.
+-; By default, PHP installs itself with a configuration suitable for
+-; development purposes, and *NOT* for production purposes.
+-; For several security-oriented considerations that should be taken
+-; before going online with your site, please consult php.ini-recommended
+-; and http://php.net/manual/en/security.php.
++; This is the default settings file for new PHP installations from
++; PLD Linux Distribution.
++; It's based mainly on php.ini-dist, but with some changes made with
++; security in mind (see below, consult also
++; http://php.net/manual/en/security.php).
++;
++; Please note, that in PLD installations, /etc/php/php.ini file
++; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
++; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini,
++; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
++; (so you don't need to duplicate whole large file to override only
++; few options).
+
+
+ ;;;;;;;;;;;;;;;;;;;
+@@ -54,12 +60,70 @@
+ ; If you use constants in your value, and these constants belong to a
+ ; dynamically loaded extension (either a PHP extension or a Zend extension),
+ ; you may only use these constants *after* the line that loads the extension.
+-;
+-; All the values in the php.ini-dist file correspond to the builtin
+-; defaults (that is, if no php.ini is used, or if you delete these lines,
+-; the builtin defaults will be identical).
+
+
++; Below is the list of settings changed from default as specified in
++; php.ini-recommended. These settings make PHP more secure and encourage
++; cleaner coding.
++; The price is that with these settings, PHP may be incompatible with some old
++; or bad-written applications, and sometimes, more difficult to develop with.
++; Using this settings is warmly recommended for production sites. As all of
++; the changes from the standard settings are thoroughly documented, you can
++; go over each one, and decide whether you want to use it or not.
++;
++; - register_globals = Off [Security, Performance]
++; Global variables are no longer registered for input data (POST, GET, cookies,
++; environment and other server variables). Instead of using $foo, you must use
++; you can use $_REQUEST["foo"] (includes any variable that arrives through the
++; request, namely, POST, GET and cookie variables), or use one of the specific
++; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
++; on where the input originates. Also, you can look at the
++; import_request_variables() function.
++; Note that register_globals = Off is the default setting since PHP 4.2.0.
++; - display_errors = Off [Security]
++; With this directive set to off, errors that occur during the execution of
++; scripts will no longer be displayed as a part of the script output, and thus,
++; will no longer be exposed to remote users. With some errors, the error message
++; content may expose information about your script, web server, or database
++; server that may be exploitable for hacking. Production sites should have this
++; directive set to off.
++; - log_errors = On [Security]
++; This directive complements the above one. Any errors that occur during the
++; execution of your script will be logged (typically, to your server's error log,
++; but can be configured in several ways). Along with setting display_errors to off,
++; this setup gives you the ability to fully understand what may have gone wrong,
++; without exposing any sensitive information to remote users.
++; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
++; By default, PHP surpresses errors of type E_NOTICE. These error messages
++; are emitted for non-critical errors, but that could be a symptom of a bigger
++; problem. Most notably, this will cause error messages about the use
++; of uninitialized variables to be displayed.
++
++; For completeness, below is list of the rest of changes recommended for
++; performance, but NOT applied in default php.ini in PLD (since they are
++; not needed for security or may cause problems with some applications
++; more likely than above).
++
++; - output_buffering = 4096 [Performance]
++; Set a 4KB output buffer. Enabling output buffering typically results in less
++; writes, and sometimes less packets sent on the wire, which can often lead to
++; better performance. The gain this directive actually yields greatly depends
++; on which Web server you're working with, and what kind of scripts you're using.
++; - register_argc_argv = Off [Performance]
++; Disables registration of the somewhat redundant $argv and $argc global
++; variables.
++; - magic_quotes_gpc = Off [Performance]
++; Input data is no longer escaped with slashes so that it can be sent into
++; SQL databases without further manipulation. Instead, you should use the
++; function addslashes() on each input element you wish to send to a database.
++; - variables_order = "GPCS" [Performance]
++; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
++; environment variables, you can use getenv() instead.
++; - allow_call_time_pass_reference = Off [Code cleanliness]
++; It's not possible to decide to force a variable to be passed by reference
++; when calling a function. The PHP 4 style to do this is by making the
++; function require the relevant argument by reference.
++
+ ;;;;;;;;;;;;;;;;;;;;
+ ; Language Options ;
+ ;;;;;;;;;;;;;;;;;;;;
+@@ -79,7 +143,7 @@
asp_tags = Off
; The number of significant digits displayed in floating point numbers.
+precision = 14
; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
- y2k_compliance = Off
-@@ -371,7 +371,7 @@
+ y2k_compliance = On
+@@ -255,16 +319,16 @@
+ ;
+ ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
+ ;
+-; - Show all errors except for notices
++; - Show all errors
+ ;
+-error_reporting = E_ALL & ~E_NOTICE
++error_reporting = E_ALL
+
+ ; Print out errors (as a part of the output). For production web sites,
+ ; you're strongly encouraged to turn this feature off, and use error logging
+ ; instead (see below). Keeping display_errors enabled on a production web site
+ ; may reveal security information to end users, such as file paths on your Web
+ ; server, your database schema or other information.
+-display_errors = On
++display_errors = Off
+
+ ; Even when display_errors is on, errors that occur during PHP's startup
+ ; sequence are not displayed. It's strongly recommended to keep
+@@ -274,7 +338,7 @@
+ ; Log errors into a log file (server-specific log, stderr, or error_log (below))
+ ; As stated above, you're strongly advised to use error logging in place of
+ ; error displaying on production web sites.
+-log_errors = Off
++log_errors = On
+
+ ; Set maximum length of log_errors. In error_log information about the source is
+ ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+@@ -420,7 +484,7 @@
user_dir =
; Directory in which the loadable extensions (modules) reside.
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -692,7 +692,7 @@
+@@ -587,10 +651,10 @@
+ ;sendmail_path =
+
+ [Java]
+-;java.class.path = .\php_java.jar
+-;java.home = c:\jdk
+-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
+-;java.library.path = .\
++java.class.path = /usr/lib/php/php_java.jar
++;java.home = /usr/lib/java
++;java.library = /usr/lib/java/jre/lib/i386/libjava.so
++java.library.path = /usr/lib/php
+
+ [SQL]
+ sql.safe_mode = Off
+@@ -685,6 +749,7 @@
+ pgsql.max_links = -1
+
+ ; Ignore PostgreSQL backends Notice message or not.
++; Notice message logging require a little overheads.
+ pgsql.ignore_notice = 0
+
+ ; Log PostgreSQL backends Noitce message or not.
+@@ -804,7 +869,9 @@
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
-session.save_path = /tmp
++; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
++; to allow running them as user other than http
+session.save_path = /var/run/php
; Whether to use cookies.
# - msession module causes SEGV during phpinfo()
# (only in Ra? doesn't happen in my environment)
# - pear - isn't built now, what is still needed???
-# - fastcgi option in cgi SAPI?
-# - add cli SAPI?
-# maybe /usr/bin/php.{cli,cgi,fcgi}, but which one should be /usr/bin/php?
-# - add notes about different behaviour (global file + included SAPI files)
-# to php*.ini
-# - look at security notes in php.ini-recommended (ugh), update ini patch;
-# set java.{class,library}.path appropriately
-# - check/update "experimental" in descriptions
+# - fastcgi option in cgi SAPI? or separate fcgi SAPI?
#
# Automatic pear requirements finding:
%include /usr/lib/rpm/macros.php
Source5: %{name}-mod_%{name}.conf
Source6: %{name}-cgi.ini
Source7: %{name}-apache.ini
+Source8: %{name}-cli.ini
Patch0: %{name}-shared.patch
Patch1: %{name}-pldlogo.patch
Patch2: %{name}-xml-expat-fix.patch
%package cgi
Summary: PHP as CGI program
Summary(pl): PHP jako program CGI
-Group: Libraries
+Group: Development/Languages/PHP
PreReq: %{name}-common = %{version}
+Provides: php-program = %{version}
%description cgi
PHP as CGI program.
%description cgi -l pl
PHP jako program CGI.
+%package cli
+Summary: PHP as CLI interpreter
+Summary(pl): PHP jako interpreter dzia³aj±cy z linii poleceñ
+Group: Development/Languages/PHP
+PreReq: %{name}-common = %{version}
+Provides: php-program = %{version}
+
+%description cli
+PHP as CLI interpreter.
+
+%description cli -l pl
+PHP jako interpreter dzia³aj±cy z linii poleceñ.
+
%package common
Summary: Common files nneded by both apache module and CGI
Summary(pl): Wspólne pliki dla modu³u apache'a i programu CGI
Summary: Process Control extension module for PHP
Summary(pl): Modu³ Process Control dla PHP
Group: Libraries
-Requires(post,preun):%{name}-cgi = %{version}
-Requires: %{name}-cgi = %{version}
+Requires(post,preun):%{name}-program = %{version}
+Requires: %{name}-program = %{version}
%description pcntl
This is a dynamic shared object (DSO) for Apache that will add process
%{__aclocal}
autoconf
PROG_SENDMAIL="/usr/lib/sendmail"; export PROG_SENDMAIL
-for i in cgi fcgi cli apxs ; do
+for i in cgi cli apxs ; do
%configure \
`[ $i = cgi ] && echo --enable-discard-path` \
`[ $i != cli ] && echo --disable-cli` \
--with-zlib-dir=shared,/usr
cp -f Makefile Makefile.$i
-# for testing:
-cp -f main/php_config.h php_config.h.$i
done
# for now session_mm doesn't work with shared session module...
perl -pi -e "s|^libdir=.*|libdir='%{_libdir}/apache'|" libphp4.la
perl -pi -e "s|^(relink_command=.* -rpath )[^ ]*/libs |\1%{_libdir}/apache |" libphp4.la
+# notes:
+# -DENABLE_CHROOT_FUNC=1 (cgi,fcgi) is used in ext/standard/dir.c (libphp_common)
+# -DPHP_WRITE_STDOUT is used also for cli, but not set by its config.m4
+
%{__make} sapi/cgi/php -f Makefile.cgi \
- CFLAGS_CLEAN="%{rpmcflags} -DDISCARD_PATH=1"
+ CFLAGS_CLEAN="%{rpmcflags} -DDISCARD_PATH=1 -DENABLE_PATHINFO_CHECK=1 -DFORCE_CGI_REDIRECT=0 -DPHP_WRITE_STDOUT=1"
+
%{__make} sapi/cli/php -f Makefile.cli
+# for fcgi: -DDISCARD_PATH=0 -DENABLE_PATHINFO_CHECK=1 -DFORCE_CGI_REDIRECT=0
+# -DHAVE_FILENO_PROTO=1 -DHAVE_FPOS=1 -DHAVE_LIBNSL=1(die) -DHAVE_SYS_PARAM_H=1
+# -DPHP_FASTCGI=1 -DPHP_FCGI_STATIC=1 -DPHP_WRITE_STDOUT=1
+
%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_libdir}/{php,apache},%{_sysconfdir}/{apache,cgi}} \
%{__make} install install-build install-programs install-headers \
INSTALL_ROOT=$RPM_BUILD_ROOT \
- INSTALL_IT="\$(LIBTOOL) --mode=install install libphp_common.la $RPM_BUILD_ROOT%{_libdir} ; \$(LIBTOOL) --mode=install install libphp4.la $RPM_BUILD_ROOT%{_libdir}/apache ; \$(LIBTOOL) --mode=install install sapi/cgi/php $RPM_BUILD_ROOT%{_bindir}"
+ INSTALL_IT="\$(LIBTOOL) --mode=install install libphp_common.la $RPM_BUILD_ROOT%{_libdir} ; \$(LIBTOOL) --mode=install install libphp4.la $RPM_BUILD_ROOT%{_libdir}/apache ; \$(LIBTOOL) --mode=install install sapi/cgi/php $RPM_BUILD_ROOT%{_bindir}/php.cgi ; \$(LIBTOOL) --mode=install install sapi/cli/php $RPM_BUILD_ROOT%{_bindir}/php.cli"
+
+# compatibility (/usr/bin/php used to be CGI SAPI)
+ln -sf php.cgi $RPM_BUILD_ROOT%{_bindir}/php
%{?_with_java:install ext/java/php_java.jar $RPM_BUILD_ROOT%{extensionsdir}}
install php.ini $RPM_BUILD_ROOT%{_sysconfdir}/php.ini
-install %{SOURCE6} %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}
+install %{SOURCE6} %{SOURCE7} %{SOURCE8} $RPM_BUILD_ROOT%{_sysconfdir}
install %{SOURCE2} php.gif $RPM_BUILD_ROOT%{httpdir}/icons
install %{SOURCE4} $RPM_BUILD_ROOT%{_sbindir}
install %{SOURCE5} $RPM_BUILD_ROOT/etc/httpd/httpd.conf/70_mod_php.conf
fi
%post pcntl
+if [ -f %{_sysconfdir}/php-cgi.ini ]; then
%{_sbindir}/php-module-install install pcntl %{_sysconfdir}/php-cgi.ini
+fi
+if [ -f %{_sysconfdir}/php-cli.ini ]; then
+%{_sbindir}/php-module-install install pcntl %{_sysconfdir}/php-cli.ini
+fi
%preun pcntl
if [ "$1" = "0" ]; then
+ if [ -f %{_sysconfdir}/php-cgi.ini ]; then
%{_sbindir}/php-module-install remove pcntl %{_sysconfdir}/php-cgi.ini
+ fi
+ if [ -f %{_sysconfdir}/php-cli.ini ]; then
+ %{_sbindir}/php-module-install remove pcntl %{_sysconfdir}/php-cli.ini
+ fi
fi
%post pcre
%files cgi
%defattr(644,root,root,755)
+%attr(755,root,root) %{_bindir}/php.cgi
%attr(755,root,root) %{_bindir}/php
%config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/php-cgi.ini
+%files cli
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_bindir}/php.cli
+%config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/php-cli.ini
+
%files common
%defattr(644,root,root,755)
%doc php.ini-*