- up to 7.4.1; fixes (CVE-2019-11046, CVE-2019-11045, CVE-2019-11049, CVE-2019-11050...

[packages/php.git] / php-ini.patch

--- php-7.4.0RC2/php.ini~	2019-09-23 10:43:53.000000000 +0300
+++ php-7.4.0RC2/php.ini	2019-09-23 11:52:45.049464720 +0300
@@ -82,6 +82,20 @@
 ; much more verbose when it comes to errors. We recommending using the
 ; development version only in development environments as errors shown to
 ; application users can inadvertently leak otherwise secure information.
+;
+; This is the default settings file for new PHP installations from
+; PLD Linux Distribution.
+;
+; It's based mainly on php.ini-production, but with some changes made with
+; security in mind (see below, consult also http://php.net/manual/en/security.php).
+;
+; Please note, that in PLD installations /etc/php/php.ini file
+; contains global settings for all SAPIs (cgi, cli, apache...),
+; and after reading this file, SAPI-specific file (/etc/php/php-cgi-fcgi.ini,
+; /etc/php/php-cli.ini, /etc/php/php-apache.ini...) is INCLUDED
+; (so you don't have to duplicate whole large file to override only
+; few options)
+
 
 ;;;;;;;;;;;;;;;;;;;
 ; Quick Reference ;
@@ -167,10 +181,8 @@
 ; php.ini Options  ;
 ;;;;;;;;;;;;;;;;;;;;
 ; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
-;user_ini.filename = ".user.ini"
-
 ; To disable this feature set this option to an empty value
-;user_ini.filename =
+user_ini.filename =
 
 ; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
 ;user_ini.cache_ttl = 300
@@ -225,7 +237,7 @@
 ; Development Value: Off
 ; Production Value: Off
 ; http://php.net/short-open-tag
-short_open_tag = Off
+short_open_tag = On
 
 ; Allow ASP-style <% %> tags.
 ; http://php.net/asp-tags
@@ -360,7 +372,7 @@
 ; threat in any way, but it makes it possible to determine whether you use PHP
 ; on your server or not.
 ; http://php.net/expose-php
-expose_php = On
+expose_php = Off
 
 ;;;;;;;;;;;;;;;;;;;
 ; Resource Limits ;
@@ -744,9 +756,7 @@
 
 ; Directory in which the loadable extensions (modules) reside.
 ; http://php.net/extension-dir
-;extension_dir = "./"
-; On windows:
-;extension_dir = "ext"
+;extension_dir = "/usr/lib/php"
 
 ; Directory where the temporary files should be placed.
 ; Defaults to the system default (see sys_get_temp_dir)
@@ -758,64 +768,6 @@
 ; http://php.net/enable-dl
 enable_dl = Off
 
-; cgi.force_redirect is necessary to provide security running PHP as a CGI under
-; most web servers.  Left undefined, PHP turns this on by default.  You can
-; turn it off here AT YOUR OWN RISK
-; **You CAN safely turn this off for IIS, in fact, you MUST.**
-; http://php.net/cgi.force-redirect
-;cgi.force_redirect = 1
-
-; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
-; every request. PHP's default behavior is to disable this feature.
-;cgi.nph = 1
-
-; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
-; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
-; will look for to know it is OK to continue execution.  Setting this variable MAY
-; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
-; http://php.net/cgi.redirect-status-env
-;cgi.redirect_status_env =
-
-; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
-; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
-; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
-; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
-; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
-; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
-; http://php.net/cgi.fix-pathinfo
-;cgi.fix_pathinfo=1
-
-; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
-; of the web tree and people will not be able to circumvent .htaccess security.
-;cgi.discard_path=1
-
-; FastCGI under IIS supports the ability to impersonate
-; security tokens of the calling client.  This allows IIS to define the
-; security context that the request runs under.  mod_fastcgi under Apache
-; does not currently support this feature (03/17/2002)
-; Set to 1 if running under IIS.  Default is zero.
-; http://php.net/fastcgi.impersonate
-;fastcgi.impersonate = 1
-
-; Disable logging through FastCGI connection. PHP's default behavior is to enable
-; this feature.
-;fastcgi.logging = 0
-
-; cgi.rfc2616_headers configuration option tells PHP what type of headers to
-; use when sending HTTP response code. If set to 0, PHP sends Status: header that
-; is supported by Apache. When this option is set to 1, PHP will send
-; RFC2616 compliant header.
-; Default is zero.
-; http://php.net/cgi.rfc2616-headers
-;cgi.rfc2616_headers = 0
-
-; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
-; (shebang) at the top of the running script. This line might be needed if the
-; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
-; mode skips this line and ignores its content if this directive is turned on.
-; http://php.net/cgi.check-shebang-line
-;cgi.check_shebang_line=1
-
 ;;;;;;;;;;;;;;;;
 ; File Uploads ;
 ;;;;;;;;;;;;;;;;
@@ -849,48 +849,8 @@
 ; deprecated in a future PHP major version. So, when it is possible, please
 ; move to the new ('extension=<ext>) syntax.
 ;
-; Notes for Windows environments :
-;
-; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
-;   extension folders as well as the separate PECL DLL download (PHP 5+).
-;   Be sure to appropriately set the extension_dir directive.
-;
-;extension=bz2
-;extension=curl
-;extension=ffi
-;extension=fileinfo
-;extension=gd2
-;extension=gettext
-;extension=gmp
-;extension=intl
-;extension=imap
-;extension=ldap
-;extension=mbstring
-;extension=exif      ; Must be after mbstring as it depends on it
-;extension=mysqli
-;extension=oci8_12c  ; Use with Oracle Database 12c Instant Client
-;extension=odbc
-;extension=openssl
-;extension=pdo_firebird
-;extension=pdo_mysql
-;extension=pdo_oci
-;extension=pdo_odbc
-;extension=pdo_pgsql
-;extension=pdo_sqlite
-;extension=pgsql
-;extension=shmop
-
-; The MIBS data available in the PHP distribution must be installed.
-; See http://www.php.net/manual/en/snmp.installation.php
-;extension=snmp
-
-;extension=soap
-;extension=sockets
-;extension=sodium
-;extension=sqlite3
-;extension=tidy
-;extension=xmlrpc
-;extension=xsl
+; Ideally in PLD Linux you should install appropriate php74-<extension> or
+; php74-pecl-<extension> package.
 
 ;;;;;;;;;;;;;;;;;;;
 ; Module Settings ;
@@ -954,8 +867,9 @@
 
 [Date]
 ; Defines the default timezone used by the date functions
-; http://php.net/date.timezone
-;date.timezone =
+; http://php.net/date.timezone.
+;
+; NOTE: In PLD Linux the /etc/php/conf.d/timezone.ini is used to set timezone
 
 ; http://php.net/date.default-latitude
 ;date.default_latitude = 31.7667
@@ -970,19 +884,19 @@
 ; Use of this INI entry is deprecated, use global input_encoding instead.
 ; If empty, default_charset or input_encoding or iconv.input_encoding is used.
 ; The precedence is: default_charset < input_encoding < iconv.input_encoding
-;iconv.input_encoding =
+iconv.input_encoding = UTF-8
 
 ; Use of this INI entry is deprecated, use global internal_encoding instead.
 ; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
 ; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
-;iconv.internal_encoding =
+iconv.internal_encoding = UTF-8
 
 ; Use of this INI entry is deprecated, use global output_encoding instead.
 ; If empty, default_charset or output_encoding or iconv.output_encoding is used.
 ; The precedence is: default_charset < output_encoding < iconv.output_encoding
 ; To use an output encoding conversion, iconv's output handler must be set
 ; otherwise output encoding conversion cannot be performed.
-;iconv.output_encoding =
+iconv.output_encoding = UTF-8
 
 [intl]
 ;intl.default_locale =
@@ -1360,7 +1274,7 @@
 
 [browscap]
 ; http://php.net/browscap
-;browscap = extra/browscap.ini
+;browscap = /usr/share/browscap/php_browscap.ini
 
 [Session]
 ; Handler used to store/retrieve data.
@@ -1747,7 +1661,7 @@
 
 ; Sets the directory name where SOAP extension will put cache files.
 ; http://php.net/soap.wsdl-cache-dir
-soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_dir="/var/cache/php"
 
 ; (time to live) Sets the number of second while cached file will be used
 ; instead of original one.
@@ -1670,155 +1670,6 @@
 [dba]
 ;dba.default_handler=
 
-[opcache]
-; Determines if Zend OPCache is enabled
-;opcache.enable=1
-
-; Determines if Zend OPCache is enabled for the CLI version of PHP
-;opcache.enable_cli=0
-
-; The OPcache shared memory storage size.
-;opcache.memory_consumption=128
-
-; The amount of memory for interned strings in Mbytes.
-;opcache.interned_strings_buffer=8
-
-; The maximum number of keys (scripts) in the OPcache hash table.
-; Only numbers between 200 and 1000000 are allowed.
-;opcache.max_accelerated_files=10000
-
-; The maximum percentage of "wasted" memory until a restart is scheduled.
-;opcache.max_wasted_percentage=5
-
-; When this directive is enabled, the OPcache appends the current working
-; directory to the script key, thus eliminating possible collisions between
-; files with the same name (basename). Disabling the directive improves
-; performance, but may break existing applications.
-;opcache.use_cwd=1
-
-; When disabled, you must reset the OPcache manually or restart the
-; webserver for changes to the filesystem to take effect.
-;opcache.validate_timestamps=1
-
-; How often (in seconds) to check file timestamps for changes to the shared
-; memory storage allocation. ("1" means validate once per second, but only
-; once per request. "0" means always validate)
-;opcache.revalidate_freq=2
-
-; Enables or disables file search in include_path optimization
-;opcache.revalidate_path=0
-
-; If disabled, all PHPDoc comments are dropped from the code to reduce the
-; size of the optimized code.
-;opcache.save_comments=1
-
-; Allow file existence override (file_exists, etc.) performance feature.
-;opcache.enable_file_override=0
-
-; A bitmask, where each bit enables or disables the appropriate OPcache
-; passes
-;opcache.optimization_level=0x7FFFBFFF
-
-;opcache.dups_fix=0
-
-; The location of the OPcache blacklist file (wildcards allowed).
-; Each OPcache blacklist file is a text file that holds the names of files
-; that should not be accelerated. The file format is to add each filename
-; to a new line. The filename may be a full path or just a file prefix
-; (i.e., /var/www/x  blacklists all the files and directories in /var/www
-; that start with 'x'). Line starting with a ; are ignored (comments).
-;opcache.blacklist_filename=
-
-; Allows exclusion of large files from being cached. By default all files
-; are cached.
-;opcache.max_file_size=0
-
-; Check the cache checksum each N requests.
-; The default value of "0" means that the checks are disabled.
-;opcache.consistency_checks=0
-
-; How long to wait (in seconds) for a scheduled restart to begin if the cache
-; is not being accessed.
-;opcache.force_restart_timeout=180
-
-; OPcache error_log file name. Empty string assumes "stderr".
-;opcache.error_log=
-
-; All OPcache errors go to the Web server log.
-; By default, only fatal errors (level 0) or errors (level 1) are logged.
-; You can also enable warnings (level 2), info messages (level 3) or
-; debug messages (level 4).
-;opcache.log_verbosity_level=1
-
-; Preferred Shared Memory back-end. Leave empty and let the system decide.
-;opcache.preferred_memory_model=
-
-; Protect the shared memory from unexpected writing during script execution.
-; Useful for internal debugging only.
-;opcache.protect_memory=0
-
-; Allows calling OPcache API functions only from PHP scripts which path is
-; started from specified string. The default "" means no restriction
-;opcache.restrict_api=
-
-; Mapping base of shared memory segments (for Windows only). All the PHP
-; processes have to map shared memory into the same address space. This
-; directive allows to manually fix the "Unable to reattach to base address"
-; errors.
-;opcache.mmap_base=
-
-; Facilitates multiple OPcache instances per user (for Windows only). All PHP
-; processes with the same cache ID and user share an OPcache instance.
-;opcache.cache_id=
-
-; Enables and sets the second level cache directory.
-; It should improve performance when SHM memory is full, at server restart or
-; SHM reset. The default "" disables file based caching.
-;opcache.file_cache=
-
-; Enables or disables opcode caching in shared memory.
-;opcache.file_cache_only=0
-
-; Enables or disables checksum validation when script loaded from file cache.
-;opcache.file_cache_consistency_checks=1
-
-; Implies opcache.file_cache_only=1 for a certain process that failed to
-; reattach to the shared memory (for Windows only). Explicitly enabled file
-; cache is required.
-;opcache.file_cache_fallback=1
-
-; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
-; This should improve performance, but requires appropriate OS configuration.
-;opcache.huge_code_pages=1
-
-; Validate cached file permissions.
-;opcache.validate_permission=0
-
-; Prevent name collisions in chroot'ed environment.
-;opcache.validate_root=0
-
-; If specified, it produces opcode dumps for debugging different stages of
-; optimizations.
-;opcache.opt_debug_level=0
-
-; Specifies a PHP script that is going to be compiled and executed at server
-; start-up.
-; http://php.net/opcache.preload
-;opcache.preload=
-
-; Preloading code as root is not allowed for security reasons. This directive
-; facilitates to let the preloading to be run as another user.
-; http://php.net/opcache.preload_user
-;opcache.preload_user=
-
-; Prevents caching files that are less than this number of seconds old. It
-; protects from caching of incompletely updated files. In case all file updates
-; on your site are atomic, you may increase performance by setting it to "0".
-;opcache.file_update_protection=2
-
-; Absolute path used to store shared lockfiles (for *nix only).
-;opcache.lockfile_path=/tmp
-
 [curl]
 ; A default value for the CURLOPT_CAINFO option. This is required to be an
 ; absolute path.