| Current File : //etc/php-zts.d/40-suhosin.ini |
extension=suhosin.so
; =====================
; Logging Configuration
; =====================
; suhosin.log.syslog
; ------------------
; * Type: Integer
; * Default: S_ALL & ~S_SQL
;
; Defines what classes of security alerts are logged to the syslog daemon.
; Logging of errors of the class S_MEMORY are always logged to syslog, no matter
; what this configuration says, because a corrupted heap could mean that the
; other logging options will malfunction during the logging process.
;
; +------------+-----------+----------------------------------------------------+
; | Constant | Value | Description |
; +============+===========+====================================================+
; | S_MEMORY | 1 | All canary violations and the safe unlink |
; | | | protection use this class |
; +------------+-----------+----------------------------------------------------+
; | S_MISC | 2 | All log messages (f.e. format string protection) |
; | | | that do not fit in other classes use this class |
; +------------+-----------+----------------------------------------------------+
; | S_VARS | 4 | All variable filters trigger this class |
; +------------+-----------+----------------------------------------------------+
; | S_FILES | 8 | All violations triggered by the uploaded files |
; | | | filter use this class |
; +------------+-----------+----------------------------------------------------+
; | S_INCLUDE | 16 | The protection against malicious include filenames |
; | | | use this class |
; +------------+-----------+----------------------------------------------------+
; | S_SQL | 32 | Failed SQL queries are logged with this class |
; | | | (not yet supported in Suhosin BETA) |
; +------------+-----------+----------------------------------------------------+
; | S_EXECUTOR | 64 | The execution depth protection uses this logging |
; | | | class |
; +------------+-----------+----------------------------------------------------+
; | S_MAIL | 128 | The mail() header newline protection uses this |
; | | | logging class |
; +------------+-----------+----------------------------------------------------+
; | S_SESSION | 256 | The transparent session protection uses this |
; | | | logging class |
; +------------+-----------+----------------------------------------------------+
; | S_ALL | 511 | Combines all classes |
; +------------+-----------+----------------------------------------------------+
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value, e.g. `suhosin.log.syslog=511`.
;
;suhosin.log.syslog = S_ALL & ~S_SQL
;
; suhosin.log.syslog.facility
; ---------------------------
; * Type: Integer
; * Default: LOG_USER
;
; Defines the syslog facility that is used when ALERTs are logged to syslog.
; Depending on your system type (syslogd) the following facilities are available.
; Please check your system's include header if the values are the same for your
; syslogd.
;
; +--------------+-------+
; | Constant | Value |
; +==============+=======+
; | LOG_KERN | 8 |
; +--------------+-------+
; | LOG_USER | 9 |
; +--------------+-------+
; | LOG_MAIL | 10 |
; +--------------+-------+
; | LOG_DAEMON | 11 |
; +--------------+-------+
; | LOG_AUTH | 12 |
; +--------------+-------+
; | LOG_SYSLOG | 13 |
; +--------------+-------+
; | LOG_LPR | 14 |
; +--------------+-------+
; | LOG_NEWS | 15 |
; +--------------+-------+
; | LOG_UUCP | 16 |
; +--------------+-------+
; | LOG_CRON | 17 |
; +--------------+-------+
; | LOG_AUTHPRIV | 18 |
; +--------------+-------+
; | LOG_LOCAL0 | 24 |
; +--------------+-------+
; | LOG_LOCAL1 | 25 |
; +--------------+-------+
; | LOG_LOCAL2 | 26 |
; +--------------+-------+
; | LOG_LOCAL3 | 27 |
; +--------------+-------+
; | LOG_LOCAL4 | 28 |
; +--------------+-------+
; | LOG_LOCAL5 | 29 |
; +--------------+-------+
; | LOG_LOCAL6 | 30 |
; +--------------+-------+
; | LOG_LOCAL7 | 31 |
; +--------------+-------+
;
;suhosin.log.syslog.facility = LOG_USER
;
; suhosin.log.syslog.priority
; ---------------------------
; * Type: Integer
; * Default: LOG_ALERT
;
; Defines the syslog priority that is used when ALERTs are logged to syslog.
; Depending on your system type (syslogd) the following priorities are available.
; Please check your system's include header if the values are the same for your
; syslogd.
;
; +------------+-------+
; |Constant | Value |
; +============+=======+
; |LOG_EMERG | 0 |
; +------------+-------+
; |LOG_ALERT | 1 |
; +------------+-------+
; |LOG_CRIT | 2 |
; +------------+-------+
; |LOG_WARNING | 3 |
; +------------+-------+
; |LOG_NOTICE | 4 |
; +------------+-------+
; |LOG_INFO | 5 |
; +------------+-------+
; |LOG_DEBUG | 6 |
; +------------+-------+
; |LOG_ERR | 7 |
; +------------+-------+
;
;suhosin.log.syslog.priority = LOG_ALERT
;
; suhosin.log.sapi
; ----------------
; * Type: Integer
; * Default: 0
;
; Defines what classes of security alerts are logged through the SAPI error log.
; For a list of available classes see table 1.
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value.
;
;suhosin.log.sapi = 0
;
; suhosin.log.stdout
; ------------------
; * Type: Integer
; * Default: 0
;
; Defines what classes of security alerts are logged through STDOUT. For a list
; of available classes see table 1.
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value.
;
; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only
; and should not be used in production.
;
;suhosin.log.stdout = 0
;
; suhosin.log.file
; ----------------
; * Type: Integer
; * Default: 0
;
; Defines what classes of security alerts are logged to a separate Suhosin log
; file set by suhosin.log.file.name.
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value.
;
;suhosin.log.file = 0
;
; suhosin.log.file.name
; ---------------------
; * Type: String
; * Default:
;
; Defines the full path to a dedicated Suhosin log file.
;
;suhosin.log.file.name =
;
; suhosin.log.file.time
; ---------------------
; * Type: Boolean
; * Default: On
;
; Specifies if suhosin.log.file contains timestamp for each log entry.
;
; IMPORTANT NOTE: This option is meant for debugging purposes and unittests only
; and should not be used in production.
;
;suhosin.log.file.time = On
;
; suhosin.log.script
; ------------------
; * Type: Integer
; * Default: 0
;
; Defines what classes of security alerts are logged through the external logging
; script. For a list of available classes see table 1. An exception is the
; S_MEMORY class. It cannot be logged by a script, because S_MEMORY is triggered
; by buffer overflows etc... which means the process is in an unstable state.
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value.
;
;suhosin.log.script = 0
;
; suhosin.log.script.name
; -----------------------
; * Type: String
; * Default:
;
; Defines the full path to an external logging script. The script is called with
; 2 parameters. The first one is the alert class in string notation and the
; second parameter is the log message. This can be used for example to mail
; failing MySQL queries to your email address, because on a production system
; these things should never happen (S_SQL not yet supported by Suhosin).
;
;suhosin.log.script.name =
;
; suhosin.log.phpscript
; ---------------------
; * Type: Integer
; * Default: 0
;
; Defines what classes of security alerts are logged through the defined PHP
; script. For a list of available classes see table 1. Please notice, that only
; those classes are allowed, that can be triggered during script execution. An
; exception is the S_MEMORY class. It cannot be logged by a PHP script, because
; S_MEMORY is triggered by buffer overflows etc... which means the process is in
; an unstable state.
;
; Using constant names is only supported with the Suhosin-Patch. If in doubt, use
; the numeric value.
;
;suhosin.log.phpscript = 0
;
; suhosin.log.phpscript.name
; --------------------------
; * Type: String
; * Default:
;
; Defines the full path to a PHP logging script. The script is called with 2
; variables registered in the current scope: SUHOSIN_ERRORCLASS and
; SUHOSIN_ERROR. The first one is the alert class and the second variable is the
; log message. This can be used for example to mail attempted remote URL include
; attacks to your email address.
;
;suhosin.log.phpscript.name =
;
; suhosin.log.phpscript.is_safe
; -----------------------------
; * Type: Boolean
; * Default: Off
;
; Disables open_basedir (and safe_mode for older PHP versions < 5.4) when
; executing suhosin.log.phpscript.name.
;
;suhosin.log.phpscript.is_safe = Off
;
; suhosin.log.use-x-forwarded-for
; -------------------------------
; * Type: Boolean
; * Default: Off
;
; When the Suhosin logs an error the log message also contains the IP of the
; attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI environment
; variable. With this switch it is possible to change this behavior to read the
; IP from the X-Forwarded-For HTTP header. This is for example necessary when
; your PHP server runs behind a reverse proxy.
;
;suhosin.log.use-x-forwarded-for = Off
;
; ================
; Executor Options
; ================
; suhosin.executor.max_depth
; --------------------------
; * Type: Integer
; * Default: 750
;
; Defines the maximum stack depth allowed by the executor before it stops the
; script. Without this function an endless recursion in a PHP script could crash
; the PHP executor or trigger the configured memory_limit. A value of '0'
; disables this feature.
;
; (Before 0.9.37, the default value was 0.)
;
;suhosin.executor.max_depth = 750
;
; suhosin.executor.include.max_traversal
; --------------------------------------
; * Type: Integer
; * Default: 0
;
; Defines how many '../' an include filename needs to contain to be considered an
; attack and stopped. A value of '2' will block '../../etc/passwd', while a value
; of '3' will allow it. Most PHP applications should work flawlessly with values
; '4' or '5'. A value of '0' disables this feature.
;
;suhosin.executor.include.max_traversal = 0
;
; suhosin.executor.include.whitelist
; ----------------------------------
; * Type: String
; * Default:
;
; Comma separated whitelist of URL schemes that are allowed to be included from
; include or require statements. Additionally to URL schemes it is possible to
; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
; specified, then the blacklist is evaluated.
;
; Notes:
;
; * This setting deactivates suhosin.executor.include.blacklist.
; * If both suhosin.executor.include.whitelist and
; suhosin.executor.include.blacklist are unset or empty, all URLs will be
; blocked. This is the default.
;
;suhosin.executor.include.whitelist =
;
; suhosin.executor.include.blacklist
; ----------------------------------
; * Type: String
; * Default:
;
; Comma separated blacklist of URL schemes that are not allowed to be included
; from include or require statements. Additionally to URL schemes it is possible
; to specify the beginning of allowed URLs. (f.e.: php://stdin) If no blacklist
; and no whitelist is specified all URL schemes are forbidden.
;
;suhosin.executor.include.blacklist =
;
; suhosin.executor.include.allow_writable_files
; ---------------------------------------------
; * Type: Boolean
; * Default: On
;
; Turn this flag off to prevent PHP from executing writable PHP files. This can
; prevent attackers from executing code that was uploaded before.
;
; Note: Some software such as web-installers or web-based plugin installers won't
; work out of the box with this flag turned off.
;
;suhosin.executor.include.allow_writable_files = On
;
; suhosin.executor.func.whitelist
; -------------------------------
; * Type: String
; * Default:
;
; Comma separated whitelist of functions that are allowed to be called. If the
; whitelist is empty the blacklist is evaluated, otherwise calling a function not
; in the whitelist will terminate the script and get logged.
;
; Note: This setting deactivates suhosin.executor.func.blacklist.
;
;suhosin.executor.func.whitelist =
;
; suhosin.executor.func.blacklist
; -------------------------------
; * Type: String
; * Default:
;
; Comma separated blacklist of functions that are not allowed to be called. If no
; whitelist is given, calling a function within the blacklist will terminate the
; script and get logged.
;
;suhosin.executor.func.blacklist =
;
; suhosin.executor.eval.whitelist
; -------------------------------
; * Type: String
; * Default:
;
; Comma separated whitelist of functions that are allowed to be called from
; within eval(). If the whitelist is empty the blacklist is evaluated, otherwise
; calling a function not in the whitelist will terminate the script and get
; logged. Please read the instructions carefully.
;
; Note: This setting deactivates suhosin.executor.eval.blacklist.
;
;suhosin.executor.eval.whitelist =
;
; suhosin.executor.eval.blacklist
; -------------------------------
; * Type: String
; * Default:
;
; Comma separated blacklist of functions that are not allowed to be called from
; within eval(). If no whitelist is given, calling a function within the
; blacklist will terminate the script and get logged. Please read the
; instructions carefully.
;
;suhosin.executor.eval.blacklist =
;
; suhosin.executor.disable_eval
; -----------------------------
; * Type: Boolean
; * Default: Off
;
; eval() is a very dangerous statement and therefore you might want to disable it
; completely. Deactivating it will however break lots of scripts. Because every
; violation is logged, this allows finding all places where eval() is used.
;
;suhosin.executor.disable_eval = Off
;
; suhosin.executor.disable_emodifier
; ----------------------------------
; * Type: Boolean
; * Default: Off
;
; The /e modifier inside preg_replace() allows code execution. Often it is the
; cause for remote code execution exploits. It is wise to deactivate this feature
; and test where in the application it is used. The developer using the /e
; modifier should be made aware that he should use preg_replace_callback()
; instead.
;
;suhosin.executor.disable_emodifier = Off
;
; suhosin.executor.allow_symlink
; ------------------------------
; * Type: Boolean
; * Default: Off
;
; This flag reactivates symlink() when open_basedir is used, which is disabled by
; default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used is
; actually a security risk.
;
;suhosin.executor.allow_symlink = Off
;
; ============
; Misc Options
; ============
; suhosin.simulation
; ------------------
; * Type: Boolean
; * Default: Off
;
; If you fear that Suhosin breaks your application, you can activate Suhosin's
; simulation mode with this flag. When Suhosin runs in simulation mode,
; violations are logged as usual, but nothing is blocked or removed from the
; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
;
;suhosin.simulation = Off
;
; suhosin.perdir
; --------------
; * Type: String
; * Default: "0"
;
; Allow certain categories of config directives to be changed by .htaccess for
; each directory individually. Possible values are "l" (log), "e" (exec), "g"
; (get), "c" (cookie), "p" (post), "r" (request), "s" (sql), "u" (upload), "m"
; (misc) or any combination, e.g. "legcprsum" to allow everything. Both "0" and
; no value disable this feature.
;
;suhosin.perdir = "0"
;
; suhosin.protectkey
; ------------------
; * Type: Boolean
; * Default: On
;
; Prevent Suhosin's secret key material (suhosin.cookie.cryptkey,
; suhosin.session.cryptkey, suhosin.rand.seedingkey) from being exposed by
; phpinfo().
;
;suhosin.protectkey = On
;
; suhosin.coredump
; ----------------
; * Type: Boolean
; * Default: Off
;
; Controls if suhosin coredumps when the optional suhosin patch detects a buffer
; overflow, memory corruption or double free. This is only for debugging purposes
; and should not be activated.
;
;suhosin.coredump = Off
;
; suhosin.stealth
; ---------------
; * Type: Boolean
; * Default: On
;
; controls if suhosin loads in stealth mode when it is not the only
; zend_extension (Required for full compatibility with certain encoders that
; consider open source untrusted. e.g. ionCube, Zend)
;
;suhosin.stealth = On
;
; suhosin.apc_bug_workaround
; --------------------------
; * Type: Boolean
; * Default: Off
;
; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
; will overwrite the information Suhosin stores in this slot. When this flag is
; set Suhosin will request 2 Slots and use the second one. This allows working
; correctly with these buggy APC versions.
;
;suhosin.apc_bug_workaround = Off
;
; suhosin.disable.display_errors
; ------------------------------
; * Type: String
; * Default: 0
;
; Prevent PHP from setting display_errors programmatically. "0" means off. Any
; one of "1", "on", "yes", "true" means on. "fail" or "2" (or greater values)
; will let PHP know that the value change failed.
;
;suhosin.disable.display_errors = 0
;
; suhosin.multiheader
; -------------------
; * Type: Boolean
; * Default: Off
;
; This directive controls if multiple headers are allowed or not in a header()
; call. By default the Suhosin forbids this. (HTTP headers spanning multiple
; lines are still allowed).
;
;suhosin.multiheader = Off
;
; suhosin.mail.protect
; --------------------
; * Type: Integer
; * Default: 0
;
; This directive controls if the mail() header protection is activated or not and
; to what degree it is activated. The appended table lists the possible
; activation levels.
;
; +-------+--------------------------------------------------------------------+
; | Value | Description |
; +=======+====================================================================+
; | 0 | mail() header protection is disabled |
; +-------+--------------------------------------------------------------------+
; | 1 | Disallows newlines in Subject:, To: headers and double newlines in |
; | | additional headers |
; +-------+--------------------------------------------------------------------+
; | 2 | Additionally disallows To:, CC:, BCC: in additional headers |
; +-------+--------------------------------------------------------------------+
;
; Logging of this class of alerts is controlled by the new S_MAIL constant.
;
;suhosin.mail.protect = 0
;
; suhosin.memory_limit
; --------------------
; * Type: Integer
; * Default: 0
;
; As long scripts are not running within safe_mode they are free to change the
; memory_limit to whatever value they want. Suhosin changes this fact and
; disallows setting the memory_limit to a value greater than the one the script
; started with, when this option is left at 0. A value greater than 0 means that
; Suhosin will disallow scripts setting the memory_limit to a value above this
; configured hard limit. This is for example useful if you want to run the script
; normally with a limit of 16M but image processing scripts may raise it to 20M.
;
;suhosin.memory_limit = 0
;
; ========================
; SQL Injection Protection
; ========================
; suhosin.sql.bailout_on_error
; ----------------------------
; * Type: Boolean
; * Default: Off
;
; (Planned feature. This is not yet supported.) When an SQL Query fails scripts
; often spit out a bunch of useful information for possible attackers. When this
; configuration directive is turned on, the script will silently terminate, after
; the problem has been logged.
;
;suhosin.sql.bailout_on_error = Off
;
; suhosin.sql.user_match
; ----------------------
; * Type: String
; * Default:
;
; (introduced in 0.9.37) The SQL username must match this wildcard pattern or the
; connect function will fail and return FALSE. Example: `suhosin.sql.user_match =
; public_*`
;
;suhosin.sql.user_match =
;
; suhosin.sql.user_prefix
; -----------------------
; * Type: String
; * Default:
;
; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a prefix that is automatically
; prepended to the database username, whenever a database connection is made.
; (Unless the username starts with the prefix)
;
; With this feature it is possible for shared hosters to disallow customers to
; connect with the usernames of other customers. This feature is experimental,
; because support for PDO and PostgreSQL are not yet implemented.
;
;suhosin.sql.user_prefix =
;
; suhosin.sql.user_postfix
; ------------------------
; * Type: String
; * Default:
;
; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a postfix that is automatically
; appended to the database username, whenever a database connection is made.
; (Unless the username end with the postfix)
;
; With this feature it is possible for shared hosters to disallow customers to
; connect with the usernames of other customers. This feature is experimental,
; because support for PDO and PostgreSQL are not yet implemented.
;
;suhosin.sql.user_postfix =
;
; suhosin.sql.comment
; -------------------
; * Type: Integer
; * Default: 0
;
; This is an experimental feature. Alert if an SQL query contains one or more
; comments starting with --, /* or #. A value of 1 logs the alert; 2 or greater
; let the call fail.
;
; Note: Mysql conditional statements starting with ``/*!`` are exempt if used
; with Mysqli.
;
;suhosin.sql.comment = 0
;
; suhosin.sql.opencomment
; -----------------------
; * Type: Integer
; * Default: 0
;
; This is an experimental feature.
; Alert if a MySQL comment was started but not closed: ``/*`` without ``*/``. A
; value of 1 logs the alert; 2 or greater let the call fail.
;
;suhosin.sql.opencomment = 0
;
; suhosin.sql.multiselect
; -----------------------
; * Type: Integer
; * Default: 0
;
; This is an experimental feature.
; Alert if an SQL query contains more than one SELECT statement. A value of 1
; logs the alert; 2 or greater let the call fail.
;
; Note: This flag will recognise multiple statements as well as subselects, e.g.
; "SELECT 1; SELECT 2" and "SELECT * FROM (SELECT 1)".
;
;suhosin.sql.multiselect = 0
;
; suhosin.sql.union
; -----------------
; * Type: Integer
; * Default: 0
;
; This is an experimental feature.
; Alert if an SQL query contains one or more UNIONs.
; A value of 1 logs the alert; 2 or greater let the call fail.
;
;suhosin.sql.union = 0
;
; ==============================
; Transparent Encryption Options
; ==============================
; suhosin.session.encrypt
; -----------------------
; * Type: Boolean
; * Default: On
;
; Flag that decides if the transparent session encryption is activated or not.
;
;suhosin.session.encrypt = On
;
; suhosin.session.cryptkey
; ------------------------
; * Type: String
; * Default:
;
; Session data can be encrypted transparently. The encryption key used consists
; of this user defined string (which can be altered by a script via ini_set())
; and optionally the User-Agent, the Document-Root and 0-4 octects of the
; REMOTE_ADDR.
;
;suhosin.session.cryptkey =
;
; suhosin.session.cryptua
; -----------------------
; * Type: Boolean
; * Default: Off
;
; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little bit
; protection against session fixation/hijacking attacks)
;
;suhosin.session.cryptua = Off
;
; suhosin.session.cryptdocroot
; ----------------------------
; * Type: Boolean
; * Default: On
;
; Flag that decides if the transparent session encryption key depends on the
; Documentroot field.
;
;suhosin.session.cryptdocroot = On
;
; suhosin.session.cryptraddr
; --------------------------
; * Type: Integer
; * Default: 0
;
; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes during
; a session. But this feature might be interesting for admin interfaces or
; intranets. When used wisely this is a transparent protection against session
; hijacking/fixation. This feature supports IPv4 only.
;
;suhosin.session.cryptraddr = 0
;
; suhosin.session.checkraddr
; --------------------------
; * Type: Integer
; * Default: 0
;
; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; session. The difference to suhosin.session.cryptaddr is, that the IP is not
; part of the encryption key, so that the same session can be used for different
; areas with different protection levels on the site. This feature supports IPv4
; only.
;
;suhosin.session.checkraddr = 0
;
; suhosin.cookie.encrypt
; ----------------------
; * Type: Boolean
; * Default: Off
;
; Flag that decides if the transparent cookie encryption is activated or not.
;
;suhosin.cookie.encrypt = Off
;
; suhosin.cookie.cryptkey
; -----------------------
; * Type: String
; * Default:
;
; Cookies can be encrypted transparently. The encryption key used consists of
; this user defined string and optionally the User-Agent, the Document-Root and
; 0-4 octects of the REMOTE_ADDR.
;
;suhosin.cookie.cryptkey =
;
; suhosin.cookie.cryptua
; ----------------------
; * Type: Boolean
; * Default: On
;
; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little bit
; protection against session fixation/hijacking attacks (if only session cookies
; are allowed))
;
;suhosin.cookie.cryptua = On
;
; suhosin.cookie.cryptdocroot
; ---------------------------
; * Type: Boolean
; * Default: On
;
; Flag that decides if the transparent cookie encryption key depends on the
; Documentroot field.
;
;suhosin.cookie.cryptdocroot = On
;
; suhosin.cookie.cryptraddr
; -------------------------
; * Type: Integer
; * Default: 0
;
; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes during
; a session. But this feature might be interesting for admin interfaces or
; intranets. When used wisely this is a transparent protection against session
; hijacking/fixation. This feature supports IPv4 only.
;
;suhosin.cookie.cryptraddr = 0
;
; suhosin.cookie.checkraddr
; -------------------------
; * Type: Integer
; * Default: 0
;
; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not part
; of the encryption key, so that the same cookie can be used for different areas
; with different protection levels on the site. This feature supports IPv4 only.
;
;suhosin.cookie.checkraddr = 0
;
; suhosin.cookie.cryptlist
; ------------------------
; * Type: String
; * Default:
;
; In case not all cookies are supposed to get encrypted this is a comma separated
; list of cookie names that should get encrypted. All other cookies will not get
; touched.
;
;suhosin.cookie.cryptlist =
;
; suhosin.cookie.plainlist
; ------------------------
; * Type: String
; * Default:
;
; In case some cookies should not be encrypted this is a comma separated list of
; cookies that do not get encrypted. All other cookies will be encrypted.
;
; Note: This setting deactivates suhosin.cookie.cryptlist.
;
;suhosin.cookie.plainlist =
;
; =================
; Filtering Options
; =================
; suhosin.filter.action
; ---------------------
; * Type: Mixed
; * Default:
;
; Defines the reaction of Suhosin on a filter violation. Following possible
; actions are supported
;
; +-------------------------------+--------------------------------------------+
; | Type | Description |
; +===============================+============================================+
; | | Normal action is simply blocking the |
; | | variable from being registered |
; +-------------------------------+--------------------------------------------+
; | 402 | Do not execute the script and return a |
; | | HTTP 402 response code |
; +-------------------------------+--------------------------------------------+
; | [302,]http://www.example.com | Redirect to http://www.example.com instead |
; | | of executing. Optionally set a specific |
; | | HTTP response code |
; +-------------------------------+--------------------------------------------+
; | [402,]/var/scripts/badguy.php | Execute a specific PHP script instead of |
; | | the requested script. Optionally set a |
; | | specific HTTP response code |
; +-------------------------------+--------------------------------------------+
;
;suhosin.filter.action =
;
; suhosin.cookie.max_array_depth
; ------------------------------
; * Type: Integer
; * Default: 50
;
; Defines the maximum depth an array variable may have, when registered through
; the COOKIE.
;
; Note: Array depth is not the number of elements within an array.
;
;suhosin.cookie.max_array_depth = 50
;
; suhosin.cookie.max_array_index_length
; -------------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of array indices for variables registered through
; the COOKIE.
;
;suhosin.cookie.max_array_index_length = 64
;
; suhosin.cookie.max_name_length
; ------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of variable names for variables registered through
; the COOKIE. For array variables this is the name in front of the indices.
;
;suhosin.cookie.max_name_length = 64
;
; suhosin.cookie.max_totalname_length
; -----------------------------------
; * Type: Integer
; * Default: 256
;
; Defines the maximum length of the total variable name when registered through
; the COOKIE. For array variables this includes all indices.
;
;suhosin.cookie.max_totalname_length = 256
;
; suhosin.cookie.max_value_length
; -------------------------------
; * Type: Integer
; * Default: 10000
;
; Defines the maximum length of a variable that is registered through the COOKIE.
;
;suhosin.cookie.max_value_length = 10000
;
; suhosin.cookie.max_vars
; -----------------------
; * Type: Integer
; * Default: 100
;
; Defines the maximum number of variables that may be registered through the
; COOKIE.
;
;suhosin.cookie.max_vars = 100
;
; suhosin.cookie.disallow_nul
; ---------------------------
; * Type: Boolean
; * Default: On
;
; When set to On ASCIIZ chars are not allowed in variables.
;
;suhosin.cookie.disallow_nul = On
;
; suhosin.cookie.disallow_ws
; --------------------------
; * Type: Boolean
; * Default: On
;
; Ignore cookies with names starting with whitespace.
;
;suhosin.cookie.disallow_ws = On
;
; suhosin.get.max_array_depth
; ---------------------------
; * Type: Integer
; * Default: 50
;
; Defines the maximum depth an array variable may have, when registered through
; the URL.
;
; Note: Array depth is not the number of elements within an array.
;
;suhosin.get.max_array_depth = 50
;
; suhosin.get.max_array_index_length
; ----------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of array indices for variables registered through
; the URL.
;
;suhosin.get.max_array_index_length = 64
;
; suhosin.get.max_name_length
; ---------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of variable names for variables registered through
; the URL. For array variables this is the name in front of the indices.
;
;suhosin.get.max_name_length = 64
;
; suhosin.get.max_totalname_length
; --------------------------------
; * Type: Integer
; * Default: 256
;
; Defines the maximum length of the total variable name when registered through
; the URL. For array variables this includes all indices.
;
;suhosin.get.max_totalname_length = 256
;
; suhosin.get.max_value_length
; ----------------------------
; * Type: Integer
; * Default: 512
;
; Defines the maximum length of a variable that is registered through the URL.
;
;suhosin.get.max_value_length = 512
;
; suhosin.get.max_vars
; --------------------
; * Type: Integer
; * Default: 100
;
; Defines the maximum number of variables that may be registered through the URL.
;
;suhosin.get.max_vars = 100
;
; suhosin.get.disallow_nul
; ------------------------
; * Type: Boolean
; * Default: On
;
; When set to On ASCIIZ chars are not allowed in variables.
;
;suhosin.get.disallow_nul = On
;
; suhosin.get.disallow_ws
; -----------------------
; * Type: Boolean
; * Default: Off
;
; Ignore GET parameters with names starting with whitespace.
;
;suhosin.get.disallow_ws = Off
;
; suhosin.post.max_array_depth
; ----------------------------
; * Type: Integer
; * Default: 50
;
; Defines the maximum depth an array variable may have, when registered through a
; POST request.
;
; Note: Array depth is not the number of elements within an array.
;
;suhosin.post.max_array_depth = 50
;
; suhosin.post.max_array_index_length
; -----------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of array indices for variables registered through a
; POST request.
;
;suhosin.post.max_array_index_length = 64
;
; suhosin.post.max_name_length
; ----------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of variable names for variables registered through a
; POST request. For array variables this is the name in front of the indices.
;
;suhosin.post.max_name_length = 64
;
; suhosin.post.max_totalname_length
; ---------------------------------
; * Type: Integer
; * Default: 256
;
; Defines the maximum length of the total variable name when registered through a
; POST request. For array variables this includes all indices.
;
;suhosin.post.max_totalname_length = 256
;
; suhosin.post.max_value_length
; -----------------------------
; * Type: Integer
; * Default: 1000000
;
; Defines the maximum length of a variable that is registered through a POST
; request.
;
;suhosin.post.max_value_length = 1000000
;
; suhosin.post.max_vars
; ---------------------
; * Type: Integer
; * Default: 1000
;
; Defines the maximum number of variables that may be registered through a POST
; request.
;
;suhosin.post.max_vars = 1000
;
; suhosin.post.disallow_nul
; -------------------------
; * Type: Boolean
; * Default: On
;
; When set to On ASCIIZ chars are not allowed in variables.
;
;suhosin.post.disallow_nul = On
;
; suhosin.post.disallow_ws
; ------------------------
; * Type: Boolean
; * Default: Off
;
; Ignore POST parameters with names starting with whitespace.
;
;suhosin.post.disallow_ws = Off
;
; suhosin.request.array_index_blacklist
; -------------------------------------
; * Type: String
; * Default: "'\"+<>;()"
;
; Defines a character blacklist for array indices not allowed in user input.
;
; Note: The default value also contained '-' in 0.9.37, which was removed in
; 0.9.37.1 due to incompatibility issues.
;
;suhosin.request.array_index_blacklist = "'\"+<>;()"
;
; suhosin.request.array_index_whitelist
; -------------------------------------
; * Type: String
; * Default:
; * Example: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
;
; Defines a character whitelist for array indices allowed in user input.
;
; Note: This setting deactivates suhosin.request.array_index_blacklist.
;
;suhosin.request.array_index_whitelist =
;
; suhosin.request.max_array_depth
; -------------------------------
; * Type: Integer
; * Default: 50
;
; Defines the maximum depth an array variable may have, when registered through
; GET , POST or COOKIE. This setting is also an upper limit for the separate GET,
; POST, COOKIE configuration directives.
;
; Note: Array depth is not the number of elements within an array.
;
;suhosin.request.max_array_depth = 50
;
; suhosin.request.max_array_index_length
; --------------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum length of array indices for variables registered through
; GET, POST or COOKIE. This setting is also an upper limit for the separate GET,
; POST, COOKIE configuration directives.
;
;suhosin.request.max_array_index_length = 64
;
; suhosin.request.max_totalname_length
; ------------------------------------
; * Type: Integer
; * Default: 256
;
; Defines the maximum length of variable names for variables registered through
; the COOKIE, the URL or through a POST request. This is the complete name
; string, including all indices. This setting is also an upper limit for the
; separate GET, POST, COOKIE configuration directives.
;
;suhosin.request.max_totalname_length = 256
;
; suhosin.request.max_value_length
; --------------------------------
; * Type: Integer
; * Default: 1000000
;
; Defines the maximum length of a variable that is registered through the COOKIE,
; the URL or through a POST request. This setting is also an upper limit for the
; variable origin specific configuration directives.
;
;suhosin.request.max_value_length = 1000000
;
; suhosin.request.max_vars
; ------------------------
; * Type: Integer
; * Default: 1000
;
; Defines the maximum number of variables that may be registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper limit
; for the variable origin specific configuration directives.
;
;suhosin.request.max_vars = 1000
;
; suhosin.request.max_varname_length
; ----------------------------------
; * Type: Integer
; * Default: 64
;
; Defines the maximum name length (excluding possible array indices) of variables
; that may be registered through the COOKIE, the URL or through a POST request.
; This setting is also an upper limit for the variable origin specific
; configuration directives.
;
;suhosin.request.max_varname_length = 64
;
; suhosin.request.disallow_nul
; ----------------------------
; * Type: Boolean
; * Default: On
;
; When set to On ASCIIZ chars are not allowed in variables.
;
;suhosin.request.disallow_nul = On
;
; suhosin.request.disallow_ws
; ---------------------------
; * Type: Boolean
; * Default: Off
;
; Ignore all variables with names starting with whitespace.
;
;suhosin.request.disallow_ws = Off
;
; suhosin.upload.max_uploads
; --------------------------
; * Type: Integer
; * Default: 25
;
; Defines the maximum number of files that may be uploaded with one request.
;
;suhosin.upload.max_uploads = 25
;
; suhosin.upload.max_newlines
; ---------------------------
; * Type: Integer
; * Default: 100
;
; Defines the maximum number of newlines in rfc1867 mime headers.
; (added with version 0.9.38)
;
;suhosin.upload.max_newlines = 100
;
; suhosin.upload.disallow_elf
; ---------------------------
; * Type: Boolean
; * Default: On
;
; When set to On it is not possible to upload ELF executables.
;
;suhosin.upload.disallow_elf = On
;
; suhosin.upload.disallow_binary
; ------------------------------
; * Type: Boolean
; * Default: Off
;
; When set to On it is not possible to upload binary files.
;
;suhosin.upload.disallow_binary = Off
;
; suhosin.upload.remove_binary
; ----------------------------
; * Type: Boolean
; * Default: Off
;
; When set to On binary content is removed from the uploaded files.
;
;suhosin.upload.remove_binary = Off
;
; suhosin.upload.allow_utf8
; -------------------------
; * Type: Boolean
; * Default: Off
;
; This is an experimental feature. This option allows UTF-8 along with ASCII when
; using `suhosin.upload.disallow_binary` or `suhosin.upload.remove_binary`.
;
;suhosin.upload.allow_utf8 = Off
;
; suhosin.upload.verification_script
; ----------------------------------
; * Type: String
; * Default:
;
; This defines the full path to a verification script for uploaded files. The
; script gets the temporary filename supplied and has to decide if the upload is
; allowed. A possible application for this is to scan uploaded files for viruses.
; The called script has to write a 1 as first line to standard output to allow
; the upload. Any other value or no output at all will result in the file being
; deleted.
;
;suhosin.upload.verification_script =
;
; suhosin.session.max_id_length
; -----------------------------
; * Type: Integer
; * Default: 128
;
; Specifies the maximum length of the session identifier that is allowed. When a
; longer session identifier is passed a new session identifier will be created.
; This feature is important to fight buffer overflows in 3rd party session
; handlers.
;
;suhosin.session.max_id_length = 128
;
; suhosin.server.encode
; ---------------------
; * Type: Boolean
; * Default: On
;
; Encode potentially dangerous characters in REQUEST_URI and QUERY_STRING with
; URL encoding.
;
;suhosin.server.encode = On
;
; suhosin.server.strip
; --------------------
; * Type: Boolean
; * Default: On
;
; Replace potentially dangerous characters in PHP_SELF, PATH_INFO,
; PATH_TRANSLATED and HTTP_USER_AGENT with '?'.
;
;suhosin.server.strip = On
;
; suhosin.rand.seedingkey
; -----------------------
; * Type: String
; * Default:
;
; This string is added to the entropy pool for seeding the random number
; generator.
;
;suhosin.rand.seedingkey =
;
; suhosin.rand.reseed_every_request
; ---------------------------------
; * Type: Boolean
; * Default: Off
;
; Controls if automatic reseeding of rand() / mt_rand() is done for every new
; request. Will improve security but decrease performance. In case the system's
; entry pool is exhausted, this flag may either significantly increase execution
; time or otherwise use less entropy (which is bad).
;
;suhosin.rand.reseed_every_request = Off
;
; suhosin.srand.ignore
; --------------------
; * Type: Boolean
; * Default: On
;
; Flag that controls if calls to srand() are ignored in favour of Suhosin's own
; enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
;
;suhosin.srand.ignore = On
;
; suhosin.mt_srand.ignore
; -----------------------
; * Type: Boolean
; * Default: On
;
; Flag that controls if calls to mt_srand() are ignored in favour of Suhosin's
; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding.
;
;suhosin.mt_srand.ignore = On
;