PHP insecure by default -- revised
Alexander Dalloz
alexander.dalloz at uni-bielefeld.de
Mon Jun 28 23:02:44 UTC 2004
On Tue, 29.06.2004 at 0:51, Jason Aeschilman wrote:
> < output_buffering = Off
> > output_buffering = 4096
>
> < allow_call_time_pass_reference = On
> > allow_call_time_pass_reference = Off
>
> < error_reporting = E_ALL & ~E_NOTICE
> > error_reporting = E_ALL
>
> < display_errors = On
> > display_errors = Off
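Review bot: the "<" side keeps display_errors = On, which sends PHP error text (script paths, failing calls) to whoever requests the page; on a host that serves the public the ">" value Off is the one to keep. Take it together with the log_errors = On change in the next hunk, otherwise errors are neither shown nor recorded.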
>
> < log_errors = Off
> > log_errors = On
>
> < variables_order = "EGPCS"
> > variables_order = "GPCS"
>
> < register_argc_argv = On
> > register_argc_argv = Off
>
> < magic_quotes_gpc = On
> > magic_quotes_gpc = Off
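Review bot: magic_quotes_gpc = Off on the ">" side removes the automatic backslash-escaping of GET/POST/cookie data, so applications written against the "<" value On lose the only quoting they had. Before taking this value, check that each application on the host escapes input itself where it builds SQL, and note that dependency next to the setting.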
>
> < extension_dir = /usr/lib/php4
> > extension_dir = "./"
>
> < sendmail_path = /usr/sbin/sendmail -t -i
> > ;sendmail_path =
>
> < dbx.colnames_case = "unchanged"
> > dbx.colnames_case = "lowercase"
>
> < session.save_path = /tmp
> > ;session.save_path = /tmp
>
> < session.gc_divisor = 100
> > session.gc_divisor = 1000
>
> < session.bug_compat_42 = 1
> > session.bug_compat_42 = 0
>
> < url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
> > url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
>
> To make php.ini-recommended work for Fedora, I changed these lines:
>
> extension_dir = /usr/lib/php4
> sendmail_path = /usr/sbin/sendmail -t -i
> J.A.K.E.
Besides "register_argc_argv" and "magic_quotes_gpc", which settings do
you feel make PHP on Fedora insecure? Both named settings could be
discussed, but I do not consider them that bad a default.
You opened a can with your topic/thread and I do not see it really
filled.
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435
Serendipity 00:59:32 up 2 days, 2:46, load average: 0.27, 0.41, 0.36
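
Added example (not part of the thread, and not PHP's or Fedora's code): a small Python check that reads a php.ini and reports where its effective values differ from the ">" side of the diff quoted above. The choice of directives in BASELINE and the sample file are assumptions of this example.

```python
import re

# Expected values copied from the ">" side of the quoted diff. Which
# directives to check is this example's assumption, not the thread's.
BASELINE = {"display_errors": "Off", "log_errors": "On",
            "register_argc_argv": "Off", "magic_quotes_gpc": "Off"}
LINE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$')
TRUE = {"on", "yes", "true", "1"}
FALSE = {"off", "no", "false", "none", "0", ""}


def normalize(value):
    """Strip quotes and inline ';' comments; fold PHP's boolean spellings."""
    value = value.strip()
    if value[:1] == '"':
        value = value[1:].split('"', 1)[0]      # quoted: text up to closing quote
    else:
        value = value.split(";", 1)[0].strip()  # unquoted: ';' starts a comment
    low = value.lower()
    return "on" if low in TRUE else "off" if low in FALSE else value


def parse_ini(text):
    """Return the effective directives: comments skipped, last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith((";", "[")):
            continue                             # comment or [section] header
        m = LINE.match(raw)
        if m:
            settings[m.group(1)] = normalize(m.group(2))
    return settings


def audit(text, baseline=BASELINE):
    """List (directive, found, expected); found is None when the directive
    is absent or commented out, i.e. the compiled-in default applies."""
    found = parse_ini(text)
    return [(k, found.get(k), normalize(want))
            for k, want in baseline.items()
            if found.get(k) != normalize(want)]


# Constructed sample built from the "<" side of the quoted diff.
SAMPLE = """[PHP]
;display_errors = Off
display_errors = On
log_errors = Off        ; inline comment
register_argc_argv = On
magic_quotes_gpc = On
"""

if __name__ == "__main__":
    for name, got, want in audit(SAMPLE):
        print(f"{name}: found {got!r}, expected {want!r}")
```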