From 4342041a08ee20814baba19b2d560d782679ee3c Mon Sep 17 00:00:00 2001 From: Jakub Bogusz Date: Sat, 4 Jan 2003 20:39:43 +0000 Subject: [PATCH] - added cli SAPI (as subpackage) - updated ini files, applied some changes recommended due to security issues, added notes about different php-${SAPI}.ini files behaviour Changed files: php-apache.ini -> 1.3 php-cgi.ini -> 1.3 php-cli.ini -> 1.1 php-ini.patch -> 1.5 php.spec -> 1.233 --- php-apache.ini | 9 ++- php-cgi.ini | 10 ++- php-cli.ini | 14 +++++ php-ini.patch | 167 ++++++++++++++++++++++++++++++++++++++++++++++--- php.spec | 68 +++++++++++++++----- 5 files changed, 241 insertions(+), 27 deletions(-) create mode 100644 php-cli.ini diff --git a/php-apache.ini b/php-apache.ini index cb515ec..3b335f6 100644 --- a/php-apache.ini +++ b/php-apache.ini @@ -1,4 +1,11 @@ -; php-apache.ini - configuration osed only for apache SAPI +; php-apache.ini - configuration used only for apache SAPI +; +; Please note that, unlikely in original php distributions, this file +; is read AFTER (not instead of) reading global /etc/php/php.ini. +; +; It allows you to control global settings for all SAPIs in one place +; and override some settings in SAPI-specific files without need of +; copying whole large php.ini. [Session] session.save_path = /var/run/php diff --git a/php-cgi.ini b/php-cgi.ini index 92f63e7..6bdc817 100644 --- a/php-cgi.ini +++ b/php-cgi.ini @@ -1,8 +1,14 @@ -; php-cgi.ini - configuration osed only for cgi SAPI +; php-cgi.ini - configuration used only for cgi SAPI +; +; Please note that, unlikely in original php distributions, this file +; is read AFTER (not instead of) reading global /etc/php/php.ini. +; +; It allows you to control global settings for all SAPIs in one place +; and override some settings in SAPI-specific files without need of +; copying whole large php.ini. [Session] session.save_path = /tmp ; argument passed to save_handler ; in the case of files, this is the ; path where data files are stored - 
diff --git a/php-cli.ini b/php-cli.ini
new file mode 100644
index 0000000..fb68775
--- /dev/null
+++ b/php-cli.ini
@@ -0,0 +1,14 @@
+; php-cli.ini - configuration used only for cli SAPI
+;
+; Please note that, unlikely in original php distributions, this file
+; is read AFTER (not instead of) reading global /etc/php/php.ini.
+;
+; It allows you to control global settings for all SAPIs in one place
+; and override some settings in SAPI-specific files without need of
+; copying whole large php.ini.
+
+[Session]
+session.save_path = /tmp ; argument passed to save_handler
+ ; in the case of files, this is the
+ ; path where data files are stored
+
diff --git a/php-ini.patch b/php-ini.patch
index 6fa493b..0a7dc75 100644
--- a/php-ini.patch
+++ b/php-ini.patch
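Review bot: `session.save_path = /tmp` in the new php-cli.ini puts session files in a world-writable directory shared by every local user, and the file has no comment saying why; php-cgi.ini keeps the same value as a context line. The php.ini hunk in php-ini.patch gives the reason (cli and cgi may run as a user other than http), so I would put that caveat above the key where the admin edits it, e.g. `; /tmp is used because cli may run as any user; use a private, user-owned directory if sessions hold sensitive data`. PHP's files handler probably creates each session file readable only by its owner, but in a shared directory the file names still expose the session ids to anyone who can list it.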
@@ -1,7 +1,106 @@ -diff -durN php-4.3.0.orig/php.ini php-4.3.0/php.ini ---- php-4.3.0.orig/php.ini Wed Aug 7 18:24:45 2002 -+++ php-4.3.0/php.ini Wed Aug 7 18:30:27 2002 -@@ -74,7 +74,7 @@ +--- php-4.3.0/php.ini-dist Thu Dec 26 14:27:08 2002 ++++ php-4.3.0/php.ini Sat Jan 4 21:01:55 2003 +@@ -3,12 +3,18 @@ + ;;;;;;;;;;; + ; WARNING ; + ;;;;;;;;;;; +-; This is the default settings file for new PHP installations. +-; By default, PHP installs itself with a configuration suitable for +-; development purposes, and *NOT* for production purposes. +-; For several security-oriented considerations that should be taken +-; before going online with your site, please consult php.ini-recommended +-; and http://php.net/manual/en/security.php. ++; This is the default settings file for new PHP installations from ++; PLD Linux Distribution. ++; It's based mainly on php.ini-dist, but with some changes made with ++; security in mind (see below, consult also ++; http://php.net/manual/en/security.php). ++; ++; Please note, that in PLD installations, /etc/php/php.ini file ++; contains GLOBAL settings for all SAPIs (cgi, cli, apache...), ++; and after reading this file, SAPI-specific file (/etc/php/php-cgi.ini, ++; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED ++; (so you don't need to duplicate whole large file to override only ++; few options). + + + ;;;;;;;;;;;;;;;;;;; +@@ -54,12 +60,70 @@ + ; If you use constants in your value, and these constants belong to a + ; dynamically loaded extension (either a PHP extension or a Zend extension), + ; you may only use these constants *after* the line that loads the extension. +-; +-; All the values in the php.ini-dist file correspond to the builtin +-; defaults (that is, if no php.ini is used, or if you delete these lines, +-; the builtin defaults will be identical). + + ++; Below is the list of settings changed from default as specified in ++; php.ini-recommended. 
These settings make PHP more secure and encourage ++; cleaner coding. ++; The price is that with these settings, PHP may be incompatible with some old ++; or bad-written applications, and sometimes, more difficult to develop with. ++; Using this settings is warmly recommended for production sites. As all of ++; the changes from the standard settings are thoroughly documented, you can ++; go over each one, and decide whether you want to use it or not. ++; ++; - register_globals = Off [Security, Performance] ++; Global variables are no longer registered for input data (POST, GET, cookies, ++; environment and other server variables). Instead of using $foo, you must use ++; you can use $_REQUEST["foo"] (includes any variable that arrives through the ++; request, namely, POST, GET and cookie variables), or use one of the specific ++; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending ++; on where the input originates. Also, you can look at the ++; import_request_variables() function. ++; Note that register_globals = Off is the default setting since PHP 4.2.0. ++; - display_errors = Off [Security] ++; With this directive set to off, errors that occur during the execution of ++; scripts will no longer be displayed as a part of the script output, and thus, ++; will no longer be exposed to remote users. With some errors, the error message ++; content may expose information about your script, web server, or database ++; server that may be exploitable for hacking. Production sites should have this ++; directive set to off. ++; - log_errors = On [Security] ++; This directive complements the above one. Any errors that occur during the ++; execution of your script will be logged (typically, to your server's error log, ++; but can be configured in several ways). Along with setting display_errors to off, ++; this setup gives you the ability to fully understand what may have gone wrong, ++; without exposing any sensitive information to remote users. 
++; - error_reporting = E_ALL [Code Cleanliness, Security(?)] ++; By default, PHP surpresses errors of type E_NOTICE. These error messages ++; are emitted for non-critical errors, but that could be a symptom of a bigger ++; problem. Most notably, this will cause error messages about the use ++; of uninitialized variables to be displayed. ++ ++; For completeness, below is list of the rest of changes recommended for ++; performance, but NOT applied in default php.ini in PLD (since they are ++; not needed for security or may cause problems with some applications ++; more likely than above). ++ ++; - output_buffering = 4096 [Performance] ++; Set a 4KB output buffer. Enabling output buffering typically results in less ++; writes, and sometimes less packets sent on the wire, which can often lead to ++; better performance. The gain this directive actually yields greatly depends ++; on which Web server you're working with, and what kind of scripts you're using. ++; - register_argc_argv = Off [Performance] ++; Disables registration of the somewhat redundant $argv and $argc global ++; variables. ++; - magic_quotes_gpc = Off [Performance] ++; Input data is no longer escaped with slashes so that it can be sent into ++; SQL databases without further manipulation. Instead, you should use the ++; function addslashes() on each input element you wish to send to a database. ++; - variables_order = "GPCS" [Performance] ++; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To access ++; environment variables, you can use getenv() instead. ++; - allow_call_time_pass_reference = Off [Code cleanliness] ++; It's not possible to decide to force a variable to be passed by reference ++; when calling a function. The PHP 4 style to do this is by making the ++; function require the relevant argument by reference. 
++ + ;;;;;;;;;;;;;;;;;;;; + ; Language Options ; + ;;;;;;;;;;;;;;;;;;;; +@@ -79,7 +143,7 @@ asp_tags = Off ; The number of significant digits displayed in floating point numbers. @@ -9,8 +108,37 @@ diff -durN php-4.3.0.orig/php.ini php-4.3.0/php.ini +precision = 14 ; Enforce year 2000 compliance (will cause problems with non-compliant browsers) - y2k_compliance = Off -@@ -371,7 +371,7 @@ + y2k_compliance = On +@@ -255,16 +319,16 @@ + ; + ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR + ; +-; - Show all errors except for notices ++; - Show all errors + ; +-error_reporting = E_ALL & ~E_NOTICE ++error_reporting = E_ALL + + ; Print out errors (as a part of the output). For production web sites, + ; you're strongly encouraged to turn this feature off, and use error logging + ; instead (see below). Keeping display_errors enabled on a production web site + ; may reveal security information to end users, such as file paths on your Web + ; server, your database schema or other information. +-display_errors = On ++display_errors = Off + + ; Even when display_errors is on, errors that occur during PHP's startup + ; sequence are not displayed. It's strongly recommended to keep +@@ -274,7 +338,7 @@ + ; Log errors into a log file (server-specific log, stderr, or error_log (below)) + ; As stated above, you're strongly advised to use error logging in place of + ; error displaying on production web sites. +-log_errors = Off ++log_errors = On + + ; Set maximum length of log_errors. In error_log information about the source is + ; added. The default is 1024 and 0 allows to not apply any maximum length at all. +@@ -420,7 +484,7 @@ user_dir = ; Directory in which the loadable extensions (modules) reside. 
@@ -19,11 +147,36 @@ diff -durN php-4.3.0.orig/php.ini php-4.3.0/php.ini ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -692,7 +692,7 @@ +@@ -587,10 +651,10 @@ + ;sendmail_path = + + [Java] +-;java.class.path = .\php_java.jar +-;java.home = c:\jdk +-;java.library = c:\jdk\jre\bin\hotspot\jvm.dll +-;java.library.path = .\ ++java.class.path = /usr/lib/php/php_java.jar ++;java.home = /usr/lib/java ++;java.library = /usr/lib/java/jre/lib/i386/libjava.so ++java.library.path = /usr/lib/php + + [SQL] + sql.safe_mode = Off +@@ -685,6 +749,7 @@ + pgsql.max_links = -1 + + ; Ignore PostgreSQL backends Notice message or not. ++; Notice message logging require a little overheads. + pgsql.ignore_notice = 0 + + ; Log PostgreSQL backends Noitce message or not. +@@ -804,7 +869,9 @@ ; You can use the script in the ext/session dir for that purpose. ; NOTE 2: See the section on garbage collection below if you choose to ; use subdirectories for session storage -session.save_path = /tmp ++; NOTE 3: you may need to override this setting for cli or cgi SAPIs, ++; to allow running them as user other than http +session.save_path = /var/run/php ; Whether to use cookies. diff --git a/php.spec b/php.spec index 773945e..d2bc7a4 100644 --- a/php.spec +++ b/php.spec 
@@ -3,14 +3,7 @@ # - msession module causes SEGV during phpinfo() # (only in Ra? doesn't happen in my environment) # - pear - isn't built now, what is still needed??? -# - fastcgi option in cgi SAPI? -# - add cli SAPI? -# maybe /usr/bin/php.{cli,cgi,fcgi}, but which one should be /usr/bin/php? -# - add notes about different behaviour (global file + included SAPI files) -# to php*.ini -# - look at security notes in php.ini-recommended (ugh), update ini patch; -# set java.{class,library}.path appropriately -# - check/update "experimental" in descriptions +# - fastcgi option in cgi SAPI? or separate fcgi SAPI? # # Automatic pear requirements finding: %include /usr/lib/rpm/macros.php @@ -80,6 +73,7 @@ Source4: %{name}-module-install Source5: %{name}-mod_%{name}.conf Source6: %{name}-cgi.ini Source7: %{name}-apache.ini +Source8: %{name}-cli.ini Patch0: %{name}-shared.patch Patch1: %{name}-pldlogo.patch Patch2: %{name}-xml-expat-fix.patch @@ -262,8 +256,9 @@ PHP4 - %package cgi Summary: PHP as CGI program Summary(pl): PHP jako program CGI -Group: Libraries +Group: Development/Languages/PHP PreReq: %{name}-common = %{version} +Provides: php-program = %{version} %description cgi PHP as CGI program. @@ -271,6 +266,19 @@ PHP as CGI program. %description cgi -l pl PHP jako program CGI. +%package cli +Summary: PHP as CLI interpreter +Summary(pl): PHP jako interpreter dzia³aj±cy z linii poleceñ +Group: Development/Languages/PHP +PreReq: %{name}-common = %{version} +Provides: php-program = %{version} + +%description cli +PHP as CLI interpreter. + +%description cli -l pl +PHP jako interpreter dzia³aj±cy z linii poleceñ. + %package common Summary: Common files nneded by both apache module and CGI Summary(pl): Wspólne pliki dla modu³u apache'a i programu CGI 
@@ -946,8 +954,8 @@ Uwaga: to jest modu Summary: Process Control extension module for PHP Summary(pl): Modu³ Process Control dla PHP Group: Libraries -Requires(post,preun):%{name}-cgi = %{version} -Requires: %{name}-cgi = %{version} +Requires(post,preun):%{name}-program = %{version} +Requires: %{name}-program = %{version} %description pcntl This is a dynamic shared object (DSO) for Apache that will add process @@ -1388,7 +1396,7 @@ EXTENSION_DIR="%{extensionsdir}"; export EXTENSION_DIR %{__aclocal} autoconf PROG_SENDMAIL="/usr/lib/sendmail"; export PROG_SENDMAIL -for i in cgi fcgi cli apxs ; do +for i in cgi cli apxs ; do %configure \ `[ $i = cgi ] && echo --enable-discard-path` \ `[ $i != cli ] && echo --disable-cli` \ @@ -1490,8 +1498,6 @@ for i in cgi fcgi cli apxs ; do --with-zlib-dir=shared,/usr cp -f Makefile Makefile.$i -# for testing: -cp -f main/php_config.h php_config.h.$i done # for now session_mm doesn't work with shared session module... @@ -1508,10 +1514,19 @@ perl -pi -e "s|^libdir=.*|libdir='%{_libdir}'|" libphp_common.la perl -pi -e "s|^libdir=.*|libdir='%{_libdir}/apache'|" libphp4.la perl -pi -e "s|^(relink_command=.* -rpath )[^ ]*/libs |\1%{_libdir}/apache |" libphp4.la +# notes: +# -DENABLE_CHROOT_FUNC=1 (cgi,fcgi) is used in ext/standard/dir.c (libphp_common) +# -DPHP_WRITE_STDOUT is used also for cli, but not set by its config.m4 + %{__make} sapi/cgi/php -f Makefile.cgi \ - CFLAGS_CLEAN="%{rpmcflags} -DDISCARD_PATH=1" + CFLAGS_CLEAN="%{rpmcflags} -DDISCARD_PATH=1 -DENABLE_PATHINFO_CHECK=1 -DFORCE_CGI_REDIRECT=0 -DPHP_WRITE_STDOUT=1" + %{__make} sapi/cli/php -f Makefile.cli +# for fcgi: -DDISCARD_PATH=0 -DENABLE_PATHINFO_CHECK=1 -DFORCE_CGI_REDIRECT=0 +# -DHAVE_FILENO_PROTO=1 -DHAVE_FPOS=1 -DHAVE_LIBNSL=1(die) -DHAVE_SYS_PARAM_H=1 +# -DPHP_FASTCGI=1 -DPHP_FCGI_STATIC=1 -DPHP_WRITE_STDOUT=1 + %install rm -rf $RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT{%{_libdir}/{php,apache},%{_sysconfdir}/{apache,cgi}} \ 
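Review bot: The cgi build line in the `@@ -1508,10 +1514,19 @@` hunk now passes `-DFORCE_CGI_REDIRECT=0` in CFLAGS_CLEAN, which compiles out the redirect check that keeps php.cgi from being invoked directly by URL, and the notes block added just above it does not mention this. As far as I recall, the `cgi.force_redirect` php.ini directive is only honoured when that define is non-zero, so an admin could not turn the check back on from configuration; this is worth confirming against sapi/cgi/cgi_main.c. The package appears to rely on `--enable-discard-path` and on the binary living in %{_bindir}, outside the web tree. I would record that in the notes, e.g. `# -DFORCE_CGI_REDIRECT=0: php.cgi must stay outside any ScriptAlias/cgi-bin directory (discard-path model); cgi.force_redirect has no effect`. The %build section starts and ends outside this hunk.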
@@ -1522,12 +1537,15 @@ install -d $RPM_BUILD_ROOT{%{_libdir}/{php,apache},%{_sysconfdir}/{apache,cgi}} %{__make} install install-build install-programs install-headers \ INSTALL_ROOT=$RPM_BUILD_ROOT \ - INSTALL_IT="\$(LIBTOOL) --mode=install install libphp_common.la $RPM_BUILD_ROOT%{_libdir} ; \$(LIBTOOL) --mode=install install libphp4.la $RPM_BUILD_ROOT%{_libdir}/apache ; \$(LIBTOOL) --mode=install install sapi/cgi/php $RPM_BUILD_ROOT%{_bindir}" + INSTALL_IT="\$(LIBTOOL) --mode=install install libphp_common.la $RPM_BUILD_ROOT%{_libdir} ; \$(LIBTOOL) --mode=install install libphp4.la $RPM_BUILD_ROOT%{_libdir}/apache ; \$(LIBTOOL) --mode=install install sapi/cgi/php $RPM_BUILD_ROOT%{_bindir}/php.cgi ; \$(LIBTOOL) --mode=install install sapi/cli/php $RPM_BUILD_ROOT%{_bindir}/php.cli" + +# compatibility (/usr/bin/php used to be CGI SAPI) +ln -sf php.cgi $RPM_BUILD_ROOT%{_bindir}/php %{?_with_java:install ext/java/php_java.jar $RPM_BUILD_ROOT%{extensionsdir}} install php.ini $RPM_BUILD_ROOT%{_sysconfdir}/php.ini -install %{SOURCE6} %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir} +install %{SOURCE6} %{SOURCE7} %{SOURCE8} $RPM_BUILD_ROOT%{_sysconfdir} install %{SOURCE2} php.gif $RPM_BUILD_ROOT%{httpdir}/icons install %{SOURCE4} $RPM_BUILD_ROOT%{_sbindir} install %{SOURCE5} $RPM_BUILD_ROOT/etc/httpd/httpd.conf/70_mod_php.conf @@ -1871,11 +1889,21 @@ if [ "$1" = "0" ]; then fi %post pcntl +if [ -f %{_sysconfdir}/php-cgi.ini ]; then %{_sbindir}/php-module-install install pcntl %{_sysconfdir}/php-cgi.ini +fi +if [ -f %{_sysconfdir}/php-cli.ini ]; then +%{_sbindir}/php-module-install install pcntl %{_sysconfdir}/php-cli.ini +fi %preun pcntl if [ "$1" = "0" ]; then + if [ -f %{_sysconfdir}/php-cgi.ini ]; then %{_sbindir}/php-module-install remove pcntl %{_sysconfdir}/php-cgi.ini + fi + if [ -f %{_sysconfdir}/php-cli.ini ]; then + %{_sbindir}/php-module-install remove pcntl %{_sysconfdir}/php-cli.ini + fi fi %post pcre 
@@ -2056,9 +2084,15 @@ fi %files cgi %defattr(644,root,root,755) +%attr(755,root,root) %{_bindir}/php.cgi %attr(755,root,root) %{_bindir}/php %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/php-cgi.ini +%files cli +%defattr(644,root,root,755) +%attr(755,root,root) %{_bindir}/php.cli +%config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/php-cli.ini + %files common %defattr(644,root,root,755) %doc php.ini-* -- 2.44.0