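--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002
+++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003
@@ -3,12 +3,18 @@
 ;;;;;;;;;;;
 ; WARNING ;
 ;;;;;;;;;;;
-; This is the default settings file for new PHP installations.
-; By default, PHP installs itself with a configuration suitable for
-; development purposes, and *NOT* for production purposes.
-; For several security-oriented considerations that should be taken
-; before going online with your site, please consult php.ini-recommended
-; and http://php.net/manual/en/security.php.
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+; It's based mainly on php.ini-dist, but with some changes made with
+; security in mind (see below, consult also
+; http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations, /etc/php4/php.ini file
+; contains GLOBAL settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php4/php-cgi.ini,
+; /etc/php4/php-cli.ini, /etc/php4/php-apache.ini...) is INCLUDED
+; (so you don't need to duplicate whole large file to override only
+; few options).
 
 
 ;;;;;;;;;;;;;;;;;;;
@@ -54,12 +60,70 @@
 ; If you use constants in your value, and these constants belong to a
 ; dynamically loaded extension (either a PHP extension or a Zend extension),
 ; you may only use these constants *after* the line that loads the extension.
-;
-; All the values in the php.ini-dist file correspond to the builtin
-; defaults (that is, if no php.ini is used, or if you delete these lines,
-; the builtin defaults will be identical).
 
 
+; Below is the list of settings changed from default as specified in
+; php.ini-recommended. These settings make PHP more secure and encourage
+; cleaner coding.
+; The price is that with these settings, PHP may be incompatible with some old
+; or bad-written applications, and sometimes, more difficult to develop with.
+; Using this settings is warmly recommended for production sites. As all of
+; the changes from the standard settings are thoroughly documented, you can
+; go over each one, and decide whether you want to use it or not.
+;
+; - register_globals = Off [Security, Performance]
+; Global variables are no longer registered for input data (POST, GET, cookies,
+; environment and other server variables). Instead of using $foo, you must use
+; you can use $_REQUEST["foo"] (includes any variable that arrives through the
+; request, namely, POST, GET and cookie variables), or use one of the specific
+; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
+; on where the input originates. Also, you can look at the
+; import_request_variables() function.
+; Note that register_globals = Off is the default setting since PHP 4.2.0.
+; - display_errors = Off [Security]
+; With this directive set to off, errors that occur during the execution of
+; scripts will no longer be displayed as a part of the script output, and thus,
+; will no longer be exposed to remote users. With some errors, the error message
+; content may expose information about your script, web server, or database
+; server that may be exploitable for hacking. Production sites should have this
+; directive set to off.
+; - log_errors = On [Security]
+; This directive complements the above one. Any errors that occur during the
+; execution of your script will be logged (typically, to your server's error log,
+; but can be configured in several ways). Along with setting display_errors to off,
+; this setup gives you the ability to fully understand what may have gone wrong,
+; without exposing any sensitive information to remote users.
+; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
+; By default, PHP surpresses errors of type E_NOTICE. These error messages
+; are emitted for non-critical errors, but that could be a symptom of a bigger
+; problem. Most notably, this will cause error messages about the use
+; of uninitialized variables to be displayed.
+
+; For completeness, below is list of the rest of changes recommended for
+; performance, but NOT applied in default php.ini in PLD (since they are
+; not needed for security or may cause problems with some applications
+; more likely than above).
+
+; - output_buffering = 4096 [Performance]
+; Set a 4KB output buffer. Enabling output buffering typically results in less
+; writes, and sometimes less packets sent on the wire, which can often lead to
+; better performance. The gain this directive actually yields greatly depends
+; on which Web server you're working with, and what kind of scripts you're using.
+; - register_argc_argv = Off [Performance]
+; Disables registration of the somewhat redundant $argv and $argc global
+; variables.
+; - magic_quotes_gpc = Off [Performance]
+; Input data is no longer escaped with slashes so that it can be sent into
+; SQL databases without further manipulation. Instead, you should use the
+; function addslashes() on each input element you wish to send to a database.
+; - variables_order = "GPCS" [Performance]
+; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access
+; environment variables, you can use getenv() instead.
+; - allow_call_time_pass_reference = Off [Code cleanliness]
+; It's not possible to decide to force a variable to be passed by reference
+; when calling a function. The PHP 4 style to do this is by making the
+; function require the relevant argument by reference.
+
 ;;;;;;;;;;;;;;;;;;;;
 ; Language Options ;
 ;;;;;;;;;;;;;;;;;;;;
@@ -79,7 +143,7 @@
 asp_tags = Off
 
 ; The number of significant digits displayed in floating point numbers.
-precision = 12
+precision = 14
 
 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
 y2k_compliance = On
@@ -255,16 +319,16 @@
 ;
 ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
 ;
-; - Show all errors except for notices
+; - Show all errors
 ;
-error_reporting = E_ALL & ~E_NOTICE
+error_reporting = E_ALL
 
 ; Print out errors (as a part of the output). For production web sites,
 ; you're strongly encouraged to turn this feature off, and use error logging
 ; instead (see below). Keeping display_errors enabled on a production web site
 ; may reveal security information to end users, such as file paths on your Web
 ; server, your database schema or other information.
-display_errors = On
+display_errors = Off
 
 ; Even when display_errors is on, errors that occur during PHP's startup
 ; sequence are not displayed. It's strongly recommended to keep
@@ -274,7 +338,7 @@
 ; Log errors into a log file (server-specific log, stderr, or error_log (below))
 ; As stated above, you're strongly advised to use error logging in place of
 ; error displaying on production web sites.
-log_errors = Off
+log_errors = On
 
 ; Set maximum length of log_errors. In error_log information about the source is
 ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
@@ -420,7 +484,7 @@
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "./"
+extension_dir = "/usr/lib/php4"
 
 ; Whether or not to enable the dl() function. The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
@@ -587,10 +651,10 @@
 ;sendmail_path =
 
 [Java]
-;java.class.path = .\php_java.jar
-;java.home = c:\jdk
-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
-;java.library.path = .\
+java.class.path = /usr/lib/php4/php_java.jar
+;java.home = /usr/lib/java
+;java.library = /usr/lib/java/jre/lib/i386/libjava.so
+java.library.path = /usr/lib/php4
 
 [SQL]
 sql.safe_mode = Off
@@ -685,6 +749,7 @@
 pgsql.max_links = -1
 
 ; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
 pgsql.ignore_notice = 0
 
 ; Log PostgreSQL backends Noitce message or not.
@@ -804,7 +869,9 @@
 ; You can use the script in the ext/session dir for that purpose.
 ; NOTE 2: See the section on garbage collection below if you choose to
 ; use subdirectories for session storage
-;session.save_path = /tmp
+; NOTE 3: you may need to override this setting for cli or cgi SAPIs,
+; to allow running them as user other than http
+session.save_path = /var/run/php
 
 ; Whether to use cookies.
 session.use_cookies = 1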
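Review bot: The new `session.save_path = /var/run/php` in the last hunk (`@@ -804,7 +869,9 @@`) does not document who must own the directory or with what mode; NOTE 3 only implies it is writable by the `http` user. Session files carry authentication state, so the comment should state the expectation, for example `; NOTE 4: /var/run/php must be owned by the web server user and must not be readable or listable by other local users`. Because this file holds the GLOBAL settings for every SAPI, all SAPIs presumably share one session directory unless a php-*.ini override is set (inferred; the package's file list and directory mode are not visible here), which is worth saying next to NOTE 3. The hunk shows only part of the [Session] section.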
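--- ./php.ini~ 2005-07-14 17:34:35.000000000 +0300
+++ ./php.ini 2005-07-14 20:14:13.000000000 +0300
@@ -598,56 +598,6 @@
 ; needs to go here. Specify the location of the extension with the
 ; extension_dir directive above.
 
-
-;Windows Extensions
-;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
-;
-;extension=php_mbstring.dll
-;extension=php_bz2.dll
-;extension=php_cpdf.dll
-;extension=php_crack.dll
-;extension=php_curl.dll
-;extension=php_db.dll
-;extension=php_dba.dll
-;extension=php_dbase.dll
-;extension=php_dbx.dll
-;extension=php_domxml.dll
-;extension=php_exif.dll
-;extension=php_fdf.dll
-;extension=php_filepro.dll
-;extension=php_gd2.dll
-;extension=php_gettext.dll
-;extension=php_hyperwave.dll
-;extension=php_iconv.dll
-;extension=php_ifx.dll
-;extension=php_iisfunc.dll
-;extension=php_imap.dll
-;extension=php_interbase.dll
-;extension=php_java.dll
-;extension=php_ldap.dll
-;extension=php_mcrypt.dll
-;extension=php_mhash.dll
-;extension=php_mime_magic.dll
-;extension=php_ming.dll
-;extension=php_mssql.dll
-;extension=php_msql.dll
-;extension=php_oci8.dll
-;extension=php_openssl.dll
-;extension=php_oracle.dll
-;extension=php_pdf.dll
-;extension=php_pgsql.dll
-;extension=php_printer.dll
-;extension=php_shmop.dll
-;extension=php_snmp.dll
-;extension=php_sockets.dll
-;extension=php_sybase_ct.dll
-;extension=php_w32api.dll
-;extension=php_xmlrpc.dll
-;extension=php_xslt.dll
-;extension=php_yaz.dll
-;extension=php_zip.dll
-
-
 ;;;;;;;;;;;;;;;;;;;
 ; Module Settings ;
 ;;;;;;;;;;;;;;;;;;;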
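--- ./php.ini.old 2003-07-20 03:14:22.000000000 -0700
+++ ./php.ini 2003-07-20 03:14:51.000000000 -0700
@@ -488,7 +488,9 @@
 ;;;;;;;;;;;;;;;;;;
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
-allow_url_fopen = On
+; allow_url_fopen = On
+; Closed for security - <glen@pld-linux.org>
+allow_url_fopen = Off
 
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"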
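Review bot: The added comment `; Closed for security - <glen@pld-linux.org>` does not say which risk the setting addresses, and the commented-out `; allow_url_fopen = On` left directly above the live line reads as a ready-made switch to turn it back on. I would replace both comment lines with one that names the reason, e.g. `; Off in PLD: when On, file functions and include()/require() accept http:// and ftp:// URLs, so a script that builds a path from request data can load remote content.` The summary list of changed settings that the first section adds at the top of php.ini does not mention allow_url_fopen, so an administrator reading that list will not learn this default differs from php.ini-dist. Applications that legitimately fetch URLs will stop working, which is worth one line as well.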