
Security-relevant PHP Options


n1o


Before one starts working on suitable php.ini files, here is a short overview of the most important security options of PHP:

 

allow_url_fopen (recommended: off) controls whether file accesses may also refer to external URLs. If this is forbidden, it becomes harder for an attacker to load malicious programs from the Internet. Since PHP 5.2.0, allow_url_include regulates this behaviour separately for the include() and require() instructions.

 

display_errors (recommended: off) switches the display of PHP error messages on or off. This is helpful for debugging, but on the other hand it can give attackers information about the installation that is useful for further attacks.

 

disable_functions specifies a list of blocked PHP functions. PHP applications that were developed with security in mind in particular steer well clear of potentially dangerous functions such as exec(), so their absence frequently causes them no problems; for many exploits in circulation, however, it very much does.

 

open_basedir (recommended: web home directory) restricts PHP's file operations to the specified directory and the subdirectories it contains. Several directories can be specified, separated by colons. It is important to terminate path specifications with a slash, since otherwise they also include all directories whose names begin with the specified name.

 

register_globals (recommended: off) controls whether scripts receive parameters from the URL or from POST data as global variables. Many weak points in PHP applications can only be exploited if this is the case.

 

safe_mode (recommended: on) specifies whether PHP should run in a special secured mode. It has far-reaching effects: for example, an additional UID check takes place on file operations, and access to environment variables is restricted. PHP 6 will no longer contain it, because the developers are of the opinion that its functions do not belong in a scripting language.

 

sql.safe_mode regulates a special treatment of logins to database servers. In this mode the PHP functions use exclusively the name of the system user who owns the script for the database login. Since in shared web hosting environments the name of the database user almost never matches that of the system user, this option is only extremely rarely applicable there.

 

A well-secured php.ini has the following contents:

 

[PHP]
register_globals = off
allow_url_fopen = off
safe_mode = on
open_basedir = <path-to-web-home>
disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore
display_errors = off

 

 

@ All

 

You have now secured PHP yourself.

 

Now check it:

 

Create a new .txt file and paste in:

<?php
phpinfo();
?>

 

Now rename this file to "<any name>".php

 

 

Upload it into an admin folder. An admin folder should be protected by .htaccess.

 

Load this "<any name>".php file in your web browser and check your PHP.

 

 

Next step: create a new .txt file and paste in:

 

User-agent: ActiveAgent
User-agent: Alexibot
User-agent: Aqua_Products
User-agent: AskJeeves
User-agent: BackDoorBot
User-agent: BackDoorBot 1.0
User-agent: BackDoorBot/1.0
User-agent: BackWeb
User-agent: BecomeBot
User-agent: Black Hole
User-agent: BlackWidow
User-agent: BlowFish
User-agent: BlowFish 1.0
User-agent: BlowFish/1.0
User-agent: Bookmark search tool
User-agent: BotALot
User-agent: BotRightHere
User-agent: BuiltBotTough
User-agent: Bullseye
User-agent: Bullseye/1.0
User-agent: BunnySlippers
User-agent: Cegbfeieh
User-agent: CheeseBot
User-agent: CherryPicker
User-agent: CherryPicker /1.0
User-agent: CherryPicker 1.0
User-agent: CherryPickerElite 1.0
User-agent: CherryPickerElite/1.0
User-agent: CherryPickerSE 1.0
User-agent: CherryPickerSE/1.0
User-agent: ChinaClaw
User-agent: Collector
User-agent: Copernic
User-agent: Copier
User-agent: CopyRightCheck
User-agent: Crescent
User-agent: Crescent Internet ToolPak HTTP OLE Control v.1.0
User-agent: Crescent Internet ToolPak HTTPOLE Control v.1.0
User-agent: DISCo
User-agent: DISCo Pump
User-agent: DISCo Pump 3.1
User-agent: DittoSpyder
User-agent: Download Demon
User-agent: Download Wonder
User-agent: Downloader
User-agent: Drip
User-agent: EirGrabber
User-agent: EmailCollector
User-agent: EmailCollector 1.0
User-agent: EmailSiphon
User-agent: EmailWolf
User-agent: EmailWolf 1.00
User-agent: Enterprise_Search
User-agent: Enterprise_Search/1.0
User-agent: EroCrawler
User-agent: Express WebPictures
User-agent: ExtractorPro
User-agent: EyeNetIE
User-agent: FairAd Client
User-agent: FileHound
User-agent: Flaming AttackBot
User-agent: FlashGet
User-agent: Foobot
User-agent: FreeFind
User-agent: Gaisbot
User-agent: GetRight
User-agent: GetRight/4.2
User-agent: GetSmart
User-agent: GetWeb!
User-agent: Go!Zilla
User-agent: Go-Ahead-Got-It
User-agent: Googlebot-Image
User-agent: GrabNet
User-agent: Grabber
User-agent: Grafula
User-agent: heritrix
User-agent: HLoader
User-agent: HMView
User-agent: HTTrack
User-agent: Harvest
User-agent: Harvest 1.5
User-agent: Harvest/1.5
User-agent: Hatena Antenna
User-agent: Image Stripper
User-agent: Image Sucker
User-agent: Indy Library
User-agent: InfoNaviRobot
User-agent: InterGET
User-agent: Internet Ninja
User-agent: Iria
User-agent: Iron33
User-agent: Iron33/1.0.2
User-agent: JOC
User-agent: JOC Web Spider
User-agent: Jeeves
User-agent: JennyBot
User-agent: JetCar
User-agent: Jetbot
User-agent: Jetbot/1.0
User-agent: JustView
User-agent: Kenjin Spider
User-agent: Keyword Density
User-agent: Keyword Density/0.9
User-agent: LNSpiderguy
User-agent: LexiBot
User-agent: LinkScan
User-agent: LinkScan/8.1a Unix
User-agent: LinkWalker
User-agent: LinkextractorPro
User-agent: MIDown tool
User-agent: MIIxpc
User-agent: MIIxpc/4.2
User-agent: MSIECrawler
User-agent: Mag-Net
User-agent: Magnet
User-agent: Mass Downloader
User-agent: Mata Hari
User-agent: Memo
User-agent: Microsoft URL Control
User-agent: Microsoft URL Control - 5.01.4511
User-agent: Microsoft URL Control - 6.00.8169
User-agent: Mirror
User-agent: Mister PiX
User-agent: Mozilla
User-agent: Mozilla/4.0 (compatible; BullsEye; Windows 95)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 2000)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 9
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows ME)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows NT)
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows XP)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AIRF)
User-agent: NICErsPRO
User-agent: NPBot
User-agent: Navroad
User-agent: NearSite
User-agent: Net Vampire
User-agent: NetAnts
User-agent: NetMechanic
User-agent: NetSpider
User-agent: NetZIP
User-agent: Ninja
User-agent: Nutch
User-agent: Octopus
User-agent: Offline Explorer
User-agent: Offline Navigator
User-agent: OmniExplorer_Bot
User-agent: Openbot
User-agent: Openfind
User-agent: Openfind data gathere
User-agent: Openfind data gatherer
User-agent: Oracle Ultra Search
User-agent: PageGrabber
User-agent: Papa Foto
User-agent: PerMan
User-agent: ProPowerBot
User-agent: ProPowerBot/2.14
User-agent: ProWebWalker
User-agent: Pump
User-agent: Python-urllib
User-agent: QueryN Metasearch
User-agent: RMA
User-agent: Radiation
User-agent: Radiation Retriever
User-agent: Radiation Retriever 1.1
User-agent: ReGet
User-agent: RealDownload
User-agent: Reaper
User-agent: Recorder
User-agent: RepoMonkey
User-agent: RepoMonkey Bait & Tackle/v1.01
User-agent: Roverbot
User-agent: Siphon
User-agent: SiteSnagger
User-agent: SmartDownload
User-agent: Snake
User-agent: SpaceBison
User-agent: SpankBot
User-agent: Stanford
User-agent: Stanford Comp Sci
User-agent: Sucker
User-agent: SuperBot
User-agent: SuperHTTP
User-agent: Surfbot
User-agent: Szukacz
User-agent: Szukacz/1.4
User-agent: Teleport
User-agent: Teleport Pro
User-agent: Teleport Pro/1.29.1590
User-agent: Teleport Pro/1.29.1616
User-agent: Teleport Pro/1.29.1632
User-agent: Teleport Pro/1.29.1718
User-agent: TeleportPro
User-agent: Telesoft
User-agent: Teoma
User-agent: The Intraformant
User-agent: TheNomad
User-agent: TightTwatBot
User-agent: Titan
User-agent: True_Robot
User-agent: True_Robot/1.0
User-agent: URL Control
User-agent: URL_Spider_Pro
User-agent: URLy Warning
User-agent: VCI
User-agent: VCI WebViewer VCI WebViewer Win32
User-agent: Vacuum
User-agent: VoidEYE
User-agent: WWW-Collector
User-agent: WWW-Collector-E
User-agent: WWWOFFLE
User-agent: WX_mail
User-agent: Web Image Collector
User-agent: Web Sucker
User-agent: WebAuto
User-agent: WebBandit
User-agent: WebBandit 2.1
User-agent: WebBandit 3.50
User-agent: WebBandit/3.50
User-agent: WebCapture 2.0
User-agent: WebCopier
User-agent: WebCopier v.2.2
User-agent: WebCopier v3.2a
User-agent: WebEMailExtrac.
User-agent: WebEMailExtractor 1.0B
User-agent: WebEnhancer
User-agent: WebFetch
User-agent: WebGo IS
User-agent: WebLeacher
User-agent: WebReaper
User-agent: WebSauger
User-agent: WebStripper
User-agent: WebVac
User-agent: WebWhacker
User-agent: WebZIP
User-agent: WebZIP/4.21
User-agent: WebZIP/5.0
User-agent: WebZip
User-agent: WebZip/4.0
User-agent: WebmasterWorld
User-agent: WebmasterWorld Extractor
User-agent: WebmasterWorldForumBot
User-agent: Website
User-agent: Website Quester
User-agent: Website eXtractor
User-agent: Webster
User-agent: Webster Pro
User-agent: Wget
User-agent: Wget/1.5.3
User-agent: Wget/1.6
User-agent: Whacker
User-agent: WhoWhere
User-agent: Widow
User-agent: Xaldon
User-agent: Xaldon/WebSpider
User-agent: Xenu's
User-agent: Xenu's Link Sleuth 1.1c
User-agent: Zeus
User-agent: Zeus 32297 Webster Pro V2.9 Win32
User-agent: Zeus Link Scout
User-agent: aconon Index
User-agent: asterias
User-agent: autoemailspider
User-agent: b2w
User-agent: b2w 0.1
User-agent: b2w/0.1
User-agent: cosmos
User-agent: dloader(naverrobot)/1.0
User-agent: dumbot
User-agent: eCatch
User-agent: emailcollector
User-agent: es
User-agent: gotit
User-agent: grub
User-agent: grub-client
User-agent: hloader
User-agent: httplib
User-agent: humanlinks
User-agent: ia_archiver
User-agent: ia_archiver/1.6
User-agent: larbin
User-agent: lftp
User-agent: libWeb
User-agent: libWeb/clsHTTP
User-agent: likse
User-agent: looksmart
User-agent: lwp-trivial
User-agent: lwp-trivial/1.34
User-agent: moget
User-agent: moget/2.1
User-agent: mozilla
User-agent: mozilla/3
User-agent: mozilla/4
User-agent: mozilla/5
User-agent: naver
User-agent: pavuk
User-agent: pcBrowser
User-agent: psbot
User-agent: scooter
User-agent: searchpreview
User-agent: sootle
User-agent: spanner
User-agent: suzuran
User-agent: tAkeOut
User-agent: toCrawl/UrlDispatcher
User-agent: turingos
User-agent: webbandit 4.00.0
Disallow: /

 

Rename this .txt file to robots.txt and upload it to the web root folder.

 

 

Check out the agents here:

 

List of User-Agents

 

Prepare for PHP 6 - Core

 

Current PHP 5 Stable Release: 5.2.5

 

PHP 6 Core:

- Unicode

- Register Globals to go

- Magic Quotes to go

- Safe Mode to go

- 'var' to alias 'public'

- Return by Reference will error

- zend.ze1 compatibility mode to go

- Freetype 1 and GD 1 support to go

- dl() moves to SAPI only

- FastCGI always on

- Register Long Arrays to go

- Extension Movements

- PHP Engine Additions

 

n1o

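The post above recommends checking the result with phpinfo(). The following script is an added example, not code from the original post or from PHP itself: it performs the same check programmatically, comparing the effective values read with ini_get() against the settings the post recommends. Because it reads the running configuration, overrides from .htaccess, a php-fpm pool or ini_set() are included, which a scan of the php.ini file alone would miss. The directive names are real php.ini directives; the "recommended" values are the ones stated in the post.

```php
<?php
// Added example, not code from the original post: audit the running PHP
// configuration against the settings recommended in the post.

// php.ini accepts several spellings for booleans; normalise them to "off".
function ini_value_is_off($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, ['', '0', 'off', 'no', 'false', 'none'], true);
}

// Returns a list of human-readable findings; an empty list means all good.
function audit_php_config()
{
    $findings = [];

    // Directives the post recommends to switch off.
    foreach (['allow_url_fopen', 'allow_url_include', 'display_errors', 'register_globals'] as $opt) {
        $val = ini_get($opt);
        if ($val === false) {
            continue; // directive unknown to this PHP build (register_globals is gone since 5.4)
        }
        if (!ini_value_is_off($val)) {
            $findings[] = "$opt is on (value '$val'); recommended: off";
        }
    }

    // safe_mode: the post recommends on; the directive no longer exists in PHP >= 5.4.
    $safe = ini_get('safe_mode');
    if ($safe !== false && ini_value_is_off($safe)) {
        $findings[] = 'safe_mode is off; the post recommends on';
    }

    // open_basedir: must be set, and each entry should end with a slash;
    // "/var/www/site" without the slash also admits "/var/www/site-old".
    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = 'open_basedir is not set; recommended: the web home directory';
    } else {
        foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
            if (substr($dir, -1) !== DIRECTORY_SEPARATOR) {
                $findings[] = "open_basedir entry '$dir' has no trailing slash (matches as a prefix)";
            }
        }
    }

    // disable_functions: every function from the post's list should be present.
    $wanted = ['exec', 'system', 'passthru', 'shell_exec', 'popen',
               'escapeshellcmd', 'proc_open', 'proc_nice', 'ini_restore'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing = array_diff($wanted, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions does not list: ' . implode(', ', $missing);
    }

    return $findings;
}

header('Content-Type: text/plain');
$findings = audit_php_config();
if (!$findings) {
    echo "OK: effective configuration matches the recommended settings\n";
} else {
    foreach ($findings as $f) {
        echo "WARN: $f\n";
    }
}
```

Run it the same way as the phpinfo() check: upload it into the .htaccess-protected admin folder and open it in the browser, since the values seen by the web server SAPI can differ from those of php-cli; remove the file again once the check is done.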
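The robots.txt in the post uses one group of many User-agent lines that share a single Disallow line. As an added example (not code from the original post), here is a small parser for that format together with a checker that tells whether a given User-Agent string is disallowed for a path; the sample file inside it is constructed in the same shape as the post's file. Matching is a case-insensitive substring test against the whole User-Agent header, a simplification of how real crawlers match their product token. Keep in mind that robots.txt is advisory: only cooperative crawlers consult it, so it steers polite bots but is not an access control for anything on the server.

```php
<?php
// Added example, not code from the original post: parse a robots.txt made of
// User-agent groups with Disallow lines and evaluate it for an agent/path.

// Constructed sample in the same format as the post's file.
const SAMPLE_ROBOTS = "User-agent: EmailCollector\n"
    . "User-agent: HTTrack\n"
    . "User-agent: Wget\n"
    . "Disallow: /\n"
    . "\n"
    . "User-agent: *\n"
    . "Disallow: /admin/\n";

// Splits the file into groups: consecutive User-agent lines form one group
// that owns the Disallow lines following them.
function parse_robots($text)
{
    $groups = [];
    $agents = [];
    $disallow = [];
    foreach (preg_split('/\r?\n/', $text) as $raw) {
        $line = trim(preg_replace('/#.*$/', '', $raw)); // drop comments
        if ($line === '' || strpos($line, ':') === false) {
            continue;
        }
        list($field, $value) = array_map('trim', explode(':', $line, 2));
        $field = strtolower($field);
        if ($field === 'user-agent') {
            if ($disallow) { // rules already seen: this line opens a new group
                $groups[] = ['agents' => $agents, 'disallow' => $disallow];
                $agents = [];
                $disallow = [];
            }
            $agents[] = strtolower($value);
        } elseif ($field === 'disallow' && $agents) {
            $disallow[] = $value; // an empty value means "nothing disallowed"
        }
    }
    if ($agents) {
        $groups[] = ['agents' => $agents, 'disallow' => $disallow];
    }
    return $groups;
}

// True when the first group naming this agent (or, failing that, the "*"
// group) disallows the path by prefix.
function robots_disallows(array $groups, $userAgent, $path)
{
    $ua = strtolower($userAgent);
    $chosen = null;
    foreach ($groups as $g) {
        foreach ($g['agents'] as $token) {
            if ($token !== '*' && strpos($ua, $token) !== false) {
                $chosen = $g;
                break 2;
            }
        }
    }
    if ($chosen === null) {
        foreach ($groups as $g) {
            if (in_array('*', $g['agents'], true)) {
                $chosen = $g;
                break;
            }
        }
    }
    if ($chosen === null) {
        return false;
    }
    foreach ($chosen['disallow'] as $prefix) {
        if ($prefix !== '' && strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed User-Agent strings for the demonstration.
$groups = parse_robots(SAMPLE_ROBOTS);
$checks = [
    ['Wget/1.21.3', '/index.php'],                               // named bot: blocked everywhere
    ['Mozilla/5.0 (compatible; ExampleBot/1.0)', '/admin/'],     // falls back to "*": blocked
    ['Mozilla/5.0 (compatible; ExampleBot/1.0)', '/index.php'],  // falls back to "*": allowed
];
foreach ($checks as list($ua, $path)) {
    printf("%-45s %-12s %s\n", $ua, $path, robots_disallows($groups, $ua, $path) ? 'disallow' : 'allow');
}
```

The same logic, fed with the post's full list, shows which of the named agents are steered away from the whole site; anything that needs real protection still belongs behind the .htaccess-protected folder mentioned above.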


Added on next php6 core:

 

64 bit integers

A new 64 bit integer will be added (int64). There will be no int32 (it is assumed unless you specify int64)

 

Goto

No 'goto' command will be added, but the break keyword will be extended with a static label - so you could do 'break foo' and it'll jump to the label foo: in your code.

 

ifsetor()

It looks like we won't be seeing this one, which is a shame. But instead the ?: operator will have the 'middle parameter' requirement dropped, which means you'd be able to do something like this: "$foo = $_GET['foo'] ?: 42;" (i.e. if foo is true, $foo will equal 42). This should save some code, but I personally don't think it is as 'readable' as ifsetor would have been.

 

foreach multi-dim arrays

This is a nice change - you'll be able to foreach through array lists, i.e. "foreach( $a as $k => list($a, $b))".

 

{} vs []

You can currently use both {} and [] to access string indexes. But the {} notation will raise an E_STRICT in PHP5.1 and will be gone totally in PHP6. Also the [] version will gain substr and array_slice functionality directly - so you could do "[2,]" to access characters 2 to the end, etc. Very handy.



4.8 Named Parameters

Issue: The functionality of named parameters was suggested. Named parameters allow you to "skip" certain parameters to functions. If it would be implemented, then it might look like:

 

<?php
function foo($a = 42, $b = 43, $c = 44, $d = 45)
{
    // echoes 42, 53, 54, 45
    echo "$a $b $c $d\n";
}
foo(c => 54, b => 53);
?>

Discussion: We don't see the real need for named parameters, as they seem to violate PHP's KISS principle. It also makes for messier code.

 

Conclusions:

 

  1. We do not want to add it.

4.9 Make parameter order consistent over all functions

Issue: One point that people find annoying in PHP is the non-standard way of how parameters are ordered to functions. Because there is no consistent way, they always have to use the manual to see what the order is.

 

Discussion: We went over the string functions and found that there are only two functions that have "needle, haystack" instead of "haystack, needle", namely in_array() and array_search(). For in_array() it makes sense in a logical way to work in the same way as SQL, where you first specify the value, and then you check if it fits "in the array". As array_search() was modelled on this in_array() function the parameter order is the same.

 

As there are not many inconsistencies, and changing them would cause quite some problems for current applications we decided not to change the order.

 

Conclusions:

 

  1. We do not change parameter ordering for internal functions.

4.10 Minor function changes: microtime()

Issue: It was suggested that microtime(true) become the default behaviour. Currently if you pass no parameters the microtime function returns the current time as "microseconds <space> unix_timestamp".

 

Discussion: As you usually would want to have the full floating point number back, many people use the following snippet (and perhaps even wrap that in a function):

 

<?php
$m = microtime();
$e = explode(' ', $m);
echo $e[0] + $e[1], "\n";
?>

We want to change the behaviour to return a normal float straight away (which you can now do by passing "true" as first parameter). The following snippet:

 

<?php
$m = microtime(true);
echo $m, "\n";
$e = explode(' ', $m);
echo $e[0] + $e[1], "\n";
?>

Throws only a notice, while the result is still correct. As it's only a notice, we feel safe enough to change the default behaviour to return a float. We do need to investigate what happens if any of the following values are passed though: none, null, false and true.

 

Conclusions:

 

  1. We will change the default behaviour of microtime() to return a float.

5. Changes to OO functionality

 

5.1 "function require __construct(" to force calling the parent's constructor

Issue: Some extensions such as PDO allow their classes to be inherited. The constructors of those inherited classes are required to call the extension class' constructor though as that one needs to initialise the internal structures. Currently there is no way in the engine to require this.

 

Discussion: In order to address this issue we need to add a flag internally that tells the engine that it should bail out if methods are called, but the extensions' constructor was not called yet. For this to work, we need to add a flag to the bottom most object in the hierarchy that is still an internal class. Add an additional class pointer to the class pointing to the constructor that should be called.

 

Conclusions:

 

  1. We add a flag to the class structure to record this
  2. We do not add new syntax for this to userland

5.2 Allow interfaces to specify the __construct() signature

Issue: Currently it is not possible to define a __construct() signature in an interface.

 

Discussion: We didn't see a reason why this shouldn't be allowed, but Andi seems to have a reason for it.

 

Conclusions:

 

  1. Zeev asks Andi why he doesn't want constructors in the interface. If there is no sound reason we add this possibility.

5.3 Implement inheritance rules for type hints

Issue: Currently we don't check inheritance rules for type-hinted parameters.

 

Discussion: Marcus explains with an example how inheritance rules for type-hinted parameters should work, and also mentions that most probably no language currently implements this correctly. This is not a very important check, and therefore we see no reason why we should implement this either.

 

Conclusions:

 

  1. We are not going to add the checks.

5.4 Late static binding using "this" without "$" (or perhaps with a different name)

Issue: Currently, the following script will print "A::static2":

 

<?php
class A {
    static function staticA() {
        self::static2();
    }
    static function static2() {
        echo "A::static2\n";
    }
}
class B extends A {
    static function static2() {
        echo "B::static2\n";
    }
}
B::staticA();
?>

Discussion: Currently there is no way to do "runtime evaluating" of static members so that we can call B::static2() from A::staticA(), and this is a useful feature. In order to implement this we need a new keyword to allow for this. As we do not want to introduce yet another reserved word, the re-use of "static" was suggested for this.

 

The same example, but now with the call to "self::static2()" replaced with "static::static2()", will then print "B::static2".

 

Conclusions:

 

  1. We re-use the "static::" keyword to do runtime evaluation of statics.
  2. Marcus prepares an implementation suggestion.

5.5 Object casting to primitive types

Issue: PHP does not support a call-back when an object is cast to another (scalar) type.

 

Discussion: As PHP is a weakly typed language this kind of functionality does not make sense in PHP. We only leave the __toString() method which is called on a (string) cast. In PHP 5.1 the following already gives notices on the (int) and (double) casts, where the __toString() method is also correctly called:

 

<?php
class a {
    function __toString() {
        return "string";
    }
}
$a = new a;
echo (int) $a, "\n";
echo (bool) $a, "\n";
echo (string) $a, "\n";
echo (float) $a, "\n";
?>

Conclusions:

 

  1. We will not add magic call-back functions for other casts.

5.6 name spaces

Issue: PHP currently has no name spaces, which some people find inconvenient as they are required to prefix all their classes with an unique prefix.

 

Discussion: First we briefly discussed the current name space patch, but as we were not all familiar with its workings we did not go into deep detail for this. Then we saw an alternative implementation of name spaces with "Modules". This is an example of how this should work:

 

<?php
import M1 as M2;
echo M2::$var, "\n";
echo M2::c, "\n";
echo M2::func(), "\n";
echo M2::C::func(), "\n";
var_dump(new M2::C);
?>

M1.php:

 

<?php
module M1 {
    var $var = "ok";
    const c = "ok";
    function func() { }
    class C {
        static function func() { return "ok"; }
        static private function bug() { echo "bug\n"; }
    }
    private class FOO {
        public class BAR {
            static function bug() { echo "bug\n"; }
        }
    }
    function bar() { return new M1::FOO(); }
}
?>

This approach suffers from a few problems:

 

  • When calling you still have to prefix all your classes.
  • You are forced into a specific naming scheme for your modules.

After the modules, we came up with some implementation guidelines on how we would like to see support for name spaces and decided we would only introduce them if the following rules could be implemented:

 

  • Implement a "name space" keyword that you can wrap around a class definition with {}.
  • Internally this adds <namespace-name> to the class names defined inside it separated by a separator. The following example would create the class "spl<separator>file":
     
    <?php namespace spl { class file { } } ?>
  • The suggested separator is "\" as this is the only free choice.
  • import will be request-wide and the import keyword copies class entries to its new name
  • If we encounter a conflict due to importing we abort execution
  • "import spl\*" will copy all classes in the spl name spaces to the "normal" namespace which doesn't have a prefix.
  • Functions in name spaces are allowed.
  • Constants in name spaces are allowed unless we find problems with the implementation.
  • No variables are allowed in name spaces.

Conclusions:

 

  1. If we're going to do this, the name spaces look like above.
  2. Marcus is going to provide a patch.

5.7 Using an undefined property in a class with defined properties should throw a warning

Issue: Current PHP will not throw any warning with the following code, and will just create a new property:

 

<?php class foobar { public $supercalifragilisticexpialidoceous; function r

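Section 5.4 above proposes re-using "static::" for run-time evaluation of statics, which is what PHP 5.3 later shipped as late static binding. The following is an added example, not code from the meeting notes or from the PHP project: it contrasts "self::" (bound to the class where the code is written) with "static::" (resolved against the class the call was made on), and also shows that "self::" forwards the calling class along and that "new static()" gives a factory that builds the calling subclass. The class and property names are invented for the demonstration.

```php
<?php
// Added example, not code from the meeting notes: late static binding as it
// shipped in PHP 5.3. Class and property names are invented for the demo.

abstract class Model
{
    protected static $table = 'models';

    public static function viaSelf()
    {
        return self::$table;          // always Model::$table
    }

    public static function viaStatic()
    {
        return static::$table;        // $table of the class that was called
    }

    public static function forwarded()
    {
        return self::viaStatic();     // self:: forwards the calling class,
    }                                 // so User::forwarded() still yields "users"

    public static function create()
    {
        return new static();          // factory that builds the calling subclass
    }
}

class User extends Model
{
    protected static $table = 'users';
}

// Collects the results so they can be checked in one place.
function lsb_demo()
{
    return [
        'self'      => User::viaSelf(),             // "models"
        'static'    => User::viaStatic(),           // "users"
        'forwarded' => User::forwarded(),           // "users"
        'factory'   => get_class(User::create()),   // "User"
    ];
}

foreach (lsb_demo() as $case => $result) {
    echo "$case: $result\n";
}
```

The "forwarded" case is the subtle one: a call through "self::" or "parent::" keeps the run-time class that the original call was made on, whereas an explicit "Model::viaStatic()" would reset it to Model and return "models".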