Hardening/PHP

From Segfault

php.ini

Some basic modifications to php.ini that harden a PHP installation. Use with care; different applications may need different settings.

Note:

Suhosin

Some PHP distributions ship with the Suhosin patch. The Suhosin extension provides an advanced protection module for PHP 5 that can be configured via /etc/php5/conf.d/suhosin.ini:

extension=suhosin.so

; Note: when suhosin.simulation is activated, transparent session encryption is still active.
;suhosin.simulation = off
;suhosin.session.encrypt = off

; Protect against filesystem traversals via ../../
suhosin.executor.include.max_traversal = 4

; May be needed for http://zenphoto.org/
; PHP Fatal error:  SUHOSIN - Use of eval is forbidden by configuration
; in ../zenphoto/zp-core/functions-basic.php(107) : eval()'d code on line 107
;
; Disable eval()
suhosin.executor.disable_eval = on

; May be needed for http://zenphoto.org/
; PHP Fatal error:  SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration
; in ../zenphoto/zp-core/lib-kses.php(87) : regexp code on line 87
;
; Disable the /e modifier in preg_replace()
suhosin.executor.disable_emodifier = on
; May be needed for wgResourceLoaderMaxQueryLength (Mediawiki)
suhosin.get.max_value_length = 1024

There are many other options; most of them can be left at their default values. YMMV.
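An added example, not part of this wiki page: a small Python audit that parses a suhosin.ini fragment (the ';' comment lines and key = value pairs used above) and reports directives that are absent, commented out, or weaker than the values listed here, including the trap that suhosin.simulation = on keeps the directives in place but only logs violations. The SAMPLE_WEAK text is constructed for this example.

```python
import re
# Hardened values taken from the fragment above, keyed by directive.
EXPECTED = {
    "suhosin.executor.include.max_traversal": "4",
    "suhosin.executor.disable_eval": "on",
    "suhosin.executor.disable_emodifier": "on",
    "suhosin.get.max_value_length": "1024",
}
# Constructed sample: a fragment that looks hardened but is not.
SAMPLE_WEAK = """\
extension=suhosin.so
suhosin.simulation = On
;suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_eval = Off
suhosin.executor.disable_emodifier = 1   ; numeric boolean spelling
suhosin.get.max_value_length = 1024
"""
_DIRECTIVE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")
def parse_ini(text):
    """Return {directive: value}; ';' comments, blank lines and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # a leading ';' disables the whole line
        if not line or line.startswith("["):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def normalize(value):
    """Map the boolean spellings php.ini accepts onto 'on'/'off'; numbers pass through."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    if v in ("0", "off", "false", "no", "none", ""):
        return "off"
    return v

def audit(text):
    """List every directive that is absent or weaker than EXPECTED, plus the simulation trap."""
    settings = parse_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in settings:
            findings.append(f"{key} not set (absent or commented out)")
        elif normalize(settings[key]) != want:
            findings.append(f"{key} = {settings[key]!r}, expected {want}")
    # simulation mode keeps the directives above but only logs violations instead of blocking them
    if normalize(settings.get("suhosin.simulation", "off")) == "on":
        findings.append("suhosin.simulation is on: violations are logged, not blocked")
    return findings
```

Running audit() over the fragment from this page itself yields no findings, since its simulation line is commented out and the four active directives match.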

Links