PHP Security Tweaks

Jeffrey Tadlock linux at elfshadow.net
Sun May 25 02:18:58 UTC 2008


On Fri, May 23, 2008 at 9:08 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Fri, 23 May 2008, Jeffrey Tadlock wrote:
>> * Change 'allow_url_fopen' to Off.
>>
>> * Set 'expose_php' to Off.
>>
>> * Set 'display_errors' to Off
>>
>> * Set the upload_tmp_dir to a location that is only accessible by the
>> user running MediaWiki and not readable or writeable by anyone else as
>> well as being outside the web root.
>>
>> disable_functions = "apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,proc_nice,shell_exec,show_source,symlink,system,exec,fsockopen,dl,popen"
>>
>> php_admin_value open_basedir /var/www/wiki:/location/of/upload/tmp/dir
>
> These are all fine with me.

I made most of these changes tonight on publictest2.  There were two exceptions.

I did not change the 'display_errors' as it is useful for the testing
going on.

'open_basedir' is causing issues with the user's page (i.e. clicking
the jeffreyt link at the top of the page); when it is enabled, it just
goes to a blank page.  The same happens with the Infrastructure page
as well.  Everything else seemed to work well with it enabled.  I will
play with that on a vanilla install at home and see what is up with
that.

Everything else has been modified.

If something has broken and I missed it, feel free to ping me (iWolf)
on IRC.  If I am not around you can grab the original php.ini file
from my home directory under the php-sec directory.  Just copy it to
/etc/php.ini and bounce apache and you will be back to the way it was
before I made the changes.  Please let me know if you need to do that
though, so I can look at it further.

Thanks,
Jeffrey
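
An added example, not part of the original thread: a small Python audit that checks the text of a php.ini against the settings proposed in the quoted list, which is useful for confirming what state the file is in after a change or a rollback. The sample file, the function names and the use of /var/www/wiki as the web root are assumptions; open_basedir is set through Apache's php_admin_value in the thread, so it is not checked here.

```python
import re
from pathlib import PurePosixPath

WEB_ROOT = "/var/www/wiki"  # assumed web root, taken from the open_basedir line
WANT_OFF = ("allow_url_fopen", "expose_php", "display_errors")
WANT_DISABLED = set("""apache_get_modules apache_get_version apache_getenv apache_note
apache_setenv disk_free_space diskfreespace dl highlight_file ini_alter ini_restore openlog
passthru phpinfo proc_nice shell_exec show_source symlink system exec fsockopen popen
""".split())  # the function list proposed in the thread

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*)$", line)  # ';' and '[' lines do not match
        if not m:
            continue
        v = m.group(2).strip()
        # Quoted value: take what is inside the quotes; otherwise drop a trailing comment.
        v = v[1:].split('"', 1)[0] if v.startswith('"') else v.split(";", 1)[0].strip()
        settings[m.group(1)] = v
    return settings

def is_off(value):
    return value.lower() in ("", "0", "off", "false", "no", "none")

def audit(text, web_root=WEB_ROOT):
    ini, findings = parse_ini(text), []
    for name in WANT_OFF:
        # All three default to on, so an unset directive is a finding too.
        if name not in ini or not is_off(ini[name]):
            findings.append(f"{name} should be Off")
    tmp = ini.get("upload_tmp_dir", "")
    if not tmp:
        findings.append("upload_tmp_dir is not set")
    elif PurePosixPath(web_root) in (PurePosixPath(tmp), *PurePosixPath(tmp).parents):
        findings.append("upload_tmp_dir is inside the web root")
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    missing = sorted(WANT_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ",".join(missing))
    return findings

SAMPLE = """; constructed sample, not the publictest2 php.ini
allow_url_fopen = Off
display_errors = On   ; left on for testing
upload_tmp_dir = "/var/www/wiki/tmp"
disable_functions = "dl,exec,system,passthru,shell_exec,popen"
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The ownership and permissions of the upload directory have to be checked on the host itself; this script only reads the configuration text.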



