--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002 +++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003 @@ -3,12 +3,18 @@ ;;;;;;;;;;; ; WARNING ; ;;;;;;;;;;; -; This is the default settings file for new PHP installations. -; By default, PHP installs itself with a configuration suitable for -; development purposes, and *NOT* for production purposes. -; For several security-oriented considerations that should be taken -; before going online with your site, please consult php.ini-recommended -; and http://php.net/manual/en/security.php. +; This is the default settings file for new PHP installations from +; PLD Linux Distribution. +; It's based mainly on php.ini-dist, but with some changes made with +; security in mind (see below, consult also +; http://php.net/manual/en/security.php). +; +; Please note, that in PLD installations, /etc/php4/php.ini file +; contains GLOBAL settings for all SAPIs (cgi, cli, apache...), +; and after reading this file, SAPI-specific file (/etc/php4/php-cgi.ini, +; /etc/php4/php-cli.ini, /etc/php4/php-apache.ini...) is INCLUDED +; (so you don't need to duplicate whole large file to override only +; few options). ;;;;;;;;;;;;;;;;;;; @@ -54,12 +60,70 @@ ; If you use constants in your value, and these constants belong to a ; dynamically loaded extension (either a PHP extension or a Zend extension), ; you may only use these constants *after* the line that loads the extension. -; -; All the values in the php.ini-dist file correspond to the builtin -; defaults (that is, if no php.ini is used, or if you delete these lines, -; the builtin defaults will be identical). +; Below is the list of settings changed from default as specified in +; php.ini-recommended. These settings make PHP more secure and encourage +; cleaner coding. +; The price is that with these settings, PHP may be incompatible with some old +; or bad-written applications, and sometimes, more difficult to develop with. +; Using this settings is warmly recommended for production sites. As all of +; the changes from the standard settings are thoroughly documented, you can +; go over each one, and decide whether you want to use it or not. +; +; - register_globals = Off [Security, Performance] +; Global variables are no longer registered for input data (POST, GET, cookies, +; environment and other server variables). Instead of using $foo, you must use +; you can use $_REQUEST["foo"] (includes any variable that arrives through the +; request, namely, POST, GET and cookie variables), or use one of the specific +; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending +; on where the input originates. Also, you can look at the +; import_request_variables() function. +; Note that register_globals = Off is the default setting since PHP 4.2.0. +; - display_errors = Off [Security] +; With this directive set to off, errors that occur during the execution of +; scripts will no longer be displayed as a part of the script output, and thus, +; will no longer be exposed to remote users. With some errors, the error message +; content may expose information about your script, web server, or database +; server that may be exploitable for hacking. Production sites should have this +; directive set to off. +; - log_errors = On [Security] +; This directive complements the above one. Any errors that occur during the +; execution of your script will be logged (typically, to your server's error log, +; but can be configured in several ways). Along with setting display_errors to off, +; this setup gives you the ability to fully understand what may have gone wrong, +; without exposing any sensitive information to remote users. +; - error_reporting = E_ALL [Code Cleanliness, Security(?)] +; By default, PHP surpresses errors of type E_NOTICE. These error messages +; are emitted for non-critical errors, but that could be a symptom of a bigger +; problem. Most notably, this will cause error messages about the use +; of uninitialized variables to be displayed. + +; For completeness, below is list of the rest of changes recommended for +; performance, but NOT applied in default php.ini in PLD (since they are +; not needed for security or may cause problems with some applications +; more likely than above). + +; - output_buffering = 4096 [Performance] +; Set a 4KB output buffer. Enabling output buffering typically results in less +; writes, and sometimes less packets sent on the wire, which can often lead to +; better performance. The gain this directive actually yields greatly depends +; on which Web server you're working with, and what kind of scripts you're using. +; - register_argc_argv = Off [Performance] +; Disables registration of the somewhat redundant $argv and $argc global +; variables. +; - magic_quotes_gpc = Off [Performance] +; Input data is no longer escaped with slashes so that it can be sent into +; SQL databases without further manipulation. Instead, you should use the +; function addslashes() on each input element you wish to send to a database. +; - variables_order = "GPCS" [Performance] +; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access +; environment variables, you can use getenv() instead. +; - allow_call_time_pass_reference = Off [Code cleanliness] +; It's not possible to decide to force a variable to be passed by reference +; when calling a function. The PHP 4 style to do this is by making the +; function require the relevant argument by reference. + ;;;;;;;;;;;;;;;;;;;; ; Language Options ; ;;;;;;;;;;;;;;;;;;;; @@ -79,7 +143,7 @@ asp_tags = Off ; The number of significant digits displayed in floating point numbers. -precision = 12 +precision = 14 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers) y2k_compliance = On @@ -255,16 +319,16 @@ ; ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; -; - Show all errors except for notices +; - Show all errors ; -error_reporting = E_ALL & ~E_NOTICE +error_reporting = E_ALL ; Print out errors (as a part of the output). For production web sites, ; you're strongly encouraged to turn this feature off, and use error logging ; instead (see below). Keeping display_errors enabled on a production web site ; may reveal security information to end users, such as file paths on your Web ; server, your database schema or other information. -display_errors = On +display_errors = Off ; Even when display_errors is on, errors that occur during PHP's startup ; sequence are not displayed. It's strongly recommended to keep @@ -274,7 +338,7 @@ ; Log errors into a log file (server-specific log, stderr, or error_log (below)) ; As stated above, you're strongly advised to use error logging in place of ; error displaying on production web sites. -log_errors = Off +log_errors = On ; Set maximum length of log_errors. In error_log information about the source is ; added. The default is 1024 and 0 allows to not apply any maximum length at all. @@ -420,7 +484,7 @@ user_dir = ; Directory in which the loadable extensions (modules) reside. -extension_dir = "./" +extension_dir = "/usr/lib/php4" ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically @@ -587,10 +651,10 @@ ;sendmail_path = [Java] -;java.class.path = .\php_java.jar -;java.home = c:\jdk -;java.library = c:\jdk\jre\bin\hotspot\jvm.dll -;java.library.path = .\ +java.class.path = /usr/lib/php4/php_java.jar +;java.home = /usr/lib/java +;java.library = /usr/lib/java/jre/lib/i386/libjava.so +java.library.path = /usr/lib/php4 [SQL] sql.safe_mode = Off @@ -685,6 +749,7 @@ pgsql.max_links = -1 ; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. pgsql.ignore_notice = 0 ; Log PostgreSQL backends Noitce message or not. @@ -804,7 +869,9 @@ ; You can use the script in the ext/session dir for that purpose. ; NOTE 2: See the section on garbage collection below if you choose to ; use subdirectories for session storage -;session.save_path = /tmp +; NOTE 3: you may need to override this setting for cli or cgi SAPIs, +; to allow running them as user other than http +session.save_path = /var/run/php ; Whether to use cookies. session.use_cookies = 1 --- ./php.ini~ 2005-07-14 17:34:35.000000000 +0300 +++ ./php.ini 2005-07-14 20:14:13.000000000 +0300 @@ -598,56 +598,6 @@ ; needs to go here. Specify the location of the extension with the ; extension_dir directive above. - -;Windows Extensions -;Note that MySQL and ODBC support is now built in, so no dll is needed for it. -; -;extension=php_mbstring.dll -;extension=php_bz2.dll -;extension=php_cpdf.dll -;extension=php_crack.dll -;extension=php_curl.dll -;extension=php_db.dll -;extension=php_dba.dll -;extension=php_dbase.dll -;extension=php_dbx.dll -;extension=php_domxml.dll -;extension=php_exif.dll -;extension=php_fdf.dll -;extension=php_filepro.dll -;extension=php_gd2.dll -;extension=php_gettext.dll -;extension=php_hyperwave.dll -;extension=php_iconv.dll -;extension=php_ifx.dll -;extension=php_iisfunc.dll -;extension=php_imap.dll -;extension=php_interbase.dll -;extension=php_java.dll -;extension=php_ldap.dll -;extension=php_mcrypt.dll -;extension=php_mhash.dll -;extension=php_mime_magic.dll -;extension=php_ming.dll -;extension=php_mssql.dll -;extension=php_msql.dll -;extension=php_oci8.dll -;extension=php_openssl.dll -;extension=php_oracle.dll -;extension=php_pdf.dll -;extension=php_pgsql.dll -;extension=php_printer.dll -;extension=php_shmop.dll -;extension=php_snmp.dll -;extension=php_sockets.dll -;extension=php_sybase_ct.dll -;extension=php_w32api.dll -;extension=php_xmlrpc.dll -;extension=php_xslt.dll -;extension=php_yaz.dll -;extension=php_zip.dll - - ;;;;;;;;;;;;;;;;;;; ; Module Settings ; ;;;;;;;;;;;;;;;;;;; --- ./php.ini.old 2003-07-20 03:14:22.000000000 -0700 +++ ./php.ini 2003-07-20 03:14:51.000000000 -0700 @@ -488,7 +488,9 @@ ;;;;;;;;;;;;;;;;;; ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. -allow_url_fopen = On +; allow_url_fopen = On +; Closed for security - +allow_url_fopen = Off ; Define the anonymous ftp password (your email address) ;from="john@doe.com" --- php-4.4.8/php.ini-dist~ 2008-07-02 18:50:01.000000000 +0300 +++ php-4.4.8/php.ini-dist 2008-07-02 18:56:09.636680270 +0300 @@ -482,7 +482,7 @@ ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ; if you are running php as a CGI under any web server (other than IIS) ; see documentation for security issues. The alternate is to use the -; cgi.force_redirect configuration below +; cgi.force_redirect elsewhere doc_root = ; The directory under which PHP opens the script using /~username used only @@ -497,48 +497,6 @@ ; disabled on them. enable_dl = On -; cgi.force_redirect is necessary to provide security running PHP as a CGI under -; most web servers. Left undefined, PHP turns this on by default. You can -; turn it off here AT YOUR OWN RISK -; **You CAN safely turn this off for IIS, in fact, you MUST.** -; cgi.force_redirect = 1 - -; if cgi.nph is enabled it will force cgi to always sent Status: 200 with -; every request. -; cgi.nph = 1 - -; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape -; (iPlanet) web servers, you MAY need to set an environment variable name that PHP -; will look for to know it is OK to continue execution. Setting this variable MAY -; cause security issues, KNOW WHAT YOU ARE DOING FIRST. -; cgi.redirect_status_env = ; - -; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's -; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok -; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting -; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting -; of zero causes PHP to behave as before. Default is zero. You should fix your scripts -; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. -; cgi.fix_pathinfo=0 - -; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate -; security tokens of the calling client. This allows IIS to define the -; security context that the request runs under. mod_fastcgi under Apache -; does not currently support this feature (03/17/2002) -; Set to 1 if running under IIS. Default is zero. -; fastcgi.impersonate = 1; - -; Disable logging through FastCGI connection -; fastcgi.log = 0 - -; cgi.rfc2616_headers configuration option tells PHP what type of headers to -; use when sending HTTP response code. If it's set 0 PHP sends Status: header that -; is supported by Apache. When this option is set to 1 PHP will send -; RFC2616 compliant header. -; Default is zero. -;cgi.rfc2616_headers = 0 - - ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; @@ -553,7 +511,6 @@ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M - ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;;