From: "Adam Voigt"
On Mon, 2004-06-28 at 18:07, Jason Aeschilman wrote:
Why is PHP insecure by default on FC1? Is it because it's not for production use? It uses a php.ini that is only suited for development, not production use. I ended up grabbing the "php.ini-recommended" file from the official release of PHP-4.3.6 and made a couple Fedora-related changes to it (diff helped out here).
J.A.K.E. [ jake1138 AT yahoo DOT com ]
lol, I must say you did a very good job of being as vague as possible and not illustrating your point in any way.
You're right, but I did get the discussion started. All one needs to do is read the comments in php.ini. When the comments say, "don't do this in a production environment" or "don't use this file in a production environment", then that in and of itself makes the point. If you look at php.ini-recommended, you'll learn even more. Part of my reasoning for even mentioning this here is to make people aware. Here is the "diff php.ini php.ini-recommended". For those who haven't used diff before, the lines preceded by "<" are from php.ini, the lines preceded by ">" are from php.ini-recommended.
< output_buffering = Off
> output_buffering = 4096
< allow_call_time_pass_reference = On
> allow_call_time_pass_reference = Off
< error_reporting = E_ALL & ~E_NOTICE
> error_reporting = E_ALL
< display_errors = On
> display_errors = Off
< log_errors = Off
> log_errors = On
< variables_order = "EGPCS"
> variables_order = "GPCS"
< register_argc_argv = On
> register_argc_argv = Off
< magic_quotes_gpc = On
> magic_quotes_gpc = Off
< extension_dir = /usr/lib/php4
> extension_dir = "./"
< sendmail_path = /usr/sbin/sendmail -t -i
> ;sendmail_path =
< dbx.colnames_case = "unchanged"
> dbx.colnames_case = "lowercase"
< session.save_path = /tmp
> ;session.save_path = /tmp
< session.gc_divisor = 100
> session.gc_divisor = 1000
< session.bug_compat_42 = 1
> session.bug_compat_42 = 0
< url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
> url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
To make php.ini-recommended work for Fedora, I changed this line:
extension_dir = /usr/lib/php4
-- J.A.K.E. [ jake1138 AT yahoo DOT com ]
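The diff above is a one-off comparison of two files; the same check is worth repeating after every package update that might overwrite php.ini. The script below is an added example, not code from this thread or from Fedora: it reads the effective value of each directive from a php.ini (last uncommented assignment wins, commented ";directive" lines ignored) and reports any that are still at the development value the diff shows, using the production values from php.ini-recommended. The directive list, the helper names, and the two sample ini files it constructs are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit a php.ini for the
# development-only settings the diff against php.ini-recommended shows.
# POSIX sh plus sed, tail, tr, wc and mktemp only.

# Print the effective value of DIRECTIVE in FILE: the last uncommented
# "directive = value" line, with quotes and trailing ";comment" stripped.
php_ini_value() {
    file=$1; directive=$2
    sed -n "s/^[[:space:]]*${directive}[[:space:]]*=[[:space:]]*//p" "$file" \
      | sed 's/[[:space:]]*;.*$//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//' \
      | tail -n 1
}

# Normalise PHP's boolean spellings (On/1/True/Yes vs Off/0/False/No/empty).
php_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Directives from the diff whose FC1 default is development-only, paired with
# the value php.ini-recommended uses. Format: name:kind:expected (assumed list).
PHP_PROD_CHECKS="
display_errors:bool:off
log_errors:bool:on
magic_quotes_gpc:bool:off
register_argc_argv:bool:off
allow_call_time_pass_reference:bool:off
error_reporting:raw:E_ALL
"

# Print one line per mismatch. Exit 0 if the file matches the production
# values, 1 if any directive is still at its development value.
audit_php_ini() {
    file=$1; bad=0
    for entry in $PHP_PROD_CHECKS; do
        name=${entry%%:*}; rest=${entry#*:}
        kind=${rest%%:*}; expected=${rest#*:}
        actual=$(php_ini_value "$file" "$name")
        if [ "$kind" = bool ]; then
            actual=$(php_bool "$actual")
        fi
        if [ "$actual" != "$expected" ]; then
            printf 'UNSAFE %s = "%s" (production: %s)\n' "$name" "$actual" "$expected"
            bad=1
        fi
    done
    return $bad
}

# Number of mismatches, for callers that want a count instead of an exit code.
audit_php_ini_count() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Constructed sample: an FC1-style development php.ini (values from the diff).
# The commented-out line must be ignored by the parser.
make_sample_dev_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
; development settings as shipped
error_reporting = E_ALL & ~E_NOTICE
display_errors = On
log_errors = Off
register_argc_argv = On
magic_quotes_gpc = On
allow_call_time_pass_reference = On
;display_errors = Off   ; commented out, must not count
EOF
    echo "$f"
}

# Constructed sample: the same directives at their php.ini-recommended values.
make_sample_prod_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
error_reporting = E_ALL
display_errors = Off
log_errors = On
register_argc_argv = Off
magic_quotes_gpc = Off
allow_call_time_pass_reference = Off
EOF
    echo "$f"
}

# Stand-alone use: audit_php_ini.sh /etc/php.ini
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
fi
```

Run it against the installed file (for example `sh audit_php_ini.sh /etc/php.ini`) and a non-zero exit with a list of UNSAFE lines means the development defaults are back; the check on display_errors and log_errors is the one that matters most, since it decides whether error text with paths and query details goes to the browser or to the log.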