Configuration

The Hardening-Patch's features are all configured through the php.ini configuration file. Here you can find descriptions of all supported options.

For most users the Hardening-Patch will work out of the box, without any change to the default configuration.

Logging Configuration

hphp.log.syslog

  • Type: Integer
  • Default: S_ALL & ~S_SQL

Defines which classes of security alerts are logged to the syslog daemon. Alerts of the class S_MEMORY are always logged to syslog, no matter what this setting says, because a corrupted heap could mean that the other logging options malfunction during the logging process.

Table 1: Alert classes

  Constant     Description
  S_MEMORY     All canary violations and the safe unlink protection use this class
  S_VARS       All variable filters trigger this class
  S_FILES      All violations triggered by the uploaded files filter use this class
  S_INCLUDE    The protection against malicious include filenames uses this class
  S_SQL        Failed SQL queries are logged with this class
  S_EXECUTOR   The execution depth protection uses this logging class
  S_MAIL       The mail() header newline protection uses this logging class
  S_MISC       All other log messages (e.g. format string protection) use this class
  S_ALL        Combines all classes

hphp.log.syslog.facility

  • Type: Integer
  • Default: LOG_USER

Defines the syslog facility that is used when ALERTs are logged to syslog. Depending on your system type the following constants are available:

LOG_KERN LOG_USER LOG_MAIL LOG_DAEMON
LOG_AUTH LOG_SYSLOG LOG_LPR LOG_NEWS
LOG_UUCP LOG_CRON LOG_AUTHPRIV LOG_LOCAL0
LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4
LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_PID
LOG_CONS LOG_ODELAY LOG_NDELAY LOG_NOWAIT
LOG_PERROR

hphp.log.syslog.priority

  • Type: Integer
  • Default: LOG_ALERT

Defines the syslog priority that is used when ALERTs are logged to syslog. Depending on your system type the following constants are available:

LOG_EMERG LOG_ALERT LOG_CRIT LOG_WARNING
LOG_NOTICE LOG_INFO LOG_DEBUG LOG_ERR

hphp.log.sapi

  • Type: Integer
  • Default: S_ALL & ~S_SQL

Defines which classes of security alerts are logged through the SAPI error log. For a list of available constants see table 1.

hphp.log.script

  • Type: Integer
  • Default: 0

Defines which classes of security alerts are logged through the external logging script. For a list of available constants see table 1.

hphp.log.script.name

  • Type: String
  • Default:

Defines the full path to an external logging script. The script is called with two parameters: the first is the alert class in string notation (e.g. S_SQL), the second is the log message. This can be used, for example, to mail failing MySQL queries to your email address, because on a production system these things should never happen.
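The following is an added example of such a logging script; it is not part of the Hardened PHP Project. It assumes the calling convention described above (alert class, then message), a log file path, a mail address and an available mail(1) command, all of which are placeholders.

```shell
#!/bin/sh
# Added example, not from the Hardened PHP Project: an external logging
# script to point hphp.log.script.name at. The Hardening-Patch runs it as
#     <script> <alert class> <log message>
# e.g. "S_SQL" "SELECT ... failed". Log path and mail address are assumptions.

LOGFILE="${HPHP_LOGFILE:-/var/log/hphp-alerts.log}"
ADMIN_MAIL="${HPHP_ADMIN_MAIL:-admin@example.com}"   # placeholder address

# Build one log line from the two parameters. The message comes from the
# request that triggered the alert, so it is attacker-controlled: it is only
# ever passed around as a quoted argument, never evaluated by the shell.
format_alert() {
    printf '%s [%s] %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2"
}

# Classes that should reach a human immediately; returns 0 if urgent.
is_urgent() {
    case "$1" in
        S_SQL|S_MEMORY) return 0 ;;
        *)              return 1 ;;
    esac
}

# Append every alert to the log file; mail the urgent ones (mail(1) assumed).
handle_alert() {
    class="$1"; msg="$2"
    format_alert "$class" "$msg" >> "$LOGFILE"
    if is_urgent "$class"; then
        format_alert "$class" "$msg" \
            | mail -s "Hardening-Patch alert: $class" "$ADMIN_MAIL"
    fi
}

# Run only when invoked by the patch with both parameters.
if [ "$#" -eq 2 ]; then
    handle_alert "$1" "$2"
fi
```

Point hphp.log.script.name at this file and set hphp.log.script to the alert classes it should receive (e.g. S_ALL), since its default of 0 sends it nothing.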

hphp.log.use-x-forwarded-for

  • Type: Boolean
  • Default: off

When the Hardening-Patch logs an alert, the log message also contains the IP address of the attacker. Usually this IP is read from the REMOTE_ADDR SAPI environment variable. With this switch it is possible to read the IP from the X-Forwarded-For HTTP header instead. This is necessary, for example, when your PHP server runs behind a reverse proxy. Enable it only when every request passes through a proxy that sets this header, because otherwise a client can supply an arbitrary X-Forwarded-For value and the logged address will be wrong.

General Options

hphp.executor.max_depth

  • Type: Integer
  • Default: 0

Defines the maximum stack depth allowed by the executor before it stops the script. Without this feature an endless recursion in a PHP script could crash the PHP executor or hit the configured memory_limit. A value of '0' disables this feature.

hphp.executor.include.whitelist

  • Type: String
  • Default:

Comma separated whitelist of URL schemes that are allowed to be included from include or require statements. In addition to URL schemes it is possible to specify the beginning of allowed URLs (e.g. php://stdin). If no whitelist is specified, then the blacklist is evaluated.

hphp.executor.include.blacklist

  • Type: String
  • Default:

Comma separated blacklist of URL schemes that are not allowed to be included from include or require statements. In addition to URL schemes it is possible to specify the beginning of URLs that are not allowed (e.g. php://stdin). If neither a blacklist nor a whitelist is specified, all URL schemes are forbidden.

hphp.executor.func.whitelist

  • Type: String
  • Default:

Comma separated whitelist of functions that are allowed to be called. If the whitelist is empty the blacklist is evaluated, otherwise calling a function not in the whitelist will terminate the script and get logged.

hphp.executor.func.blacklist

  • Type: String
  • Default:

Comma separated blacklist of functions that are not allowed to be called. If no whitelist is given, calling a function within the blacklist will terminate the script and get logged.

hphp.executor.eval.whitelist

  • Type: String
  • Default:

Comma separated whitelist of functions that are allowed to be called from within eval(). If the whitelist is empty the blacklist is evaluated, otherwise calling a function not in the whitelist will terminate the script and get logged.

hphp.executor.eval.blacklist

  • Type: String
  • Default:

Comma separated blacklist of functions that are not allowed to be called from within eval(). If no whitelist is given, calling a function within the blacklist will terminate the script and get logged.

hphp.sql.bailout_on_error

  • Type: Boolean
  • Default: Off

When an SQL query fails, scripts often print a lot of information that is useful to an attacker. When this configuration directive is turned on, the script is silently terminated after the problem has been logged.

hphp.multiheader

  • Type: Boolean
  • Default: Off

This directive controls whether multiple headers are allowed in a single header() call. By default the Hardening-Patch forbids this. (HTTP headers spanning multiple lines are still allowed.)

hphp.mail.protect

  • Type: Integer
  • Default: 0

This directive controls whether the mail() header protection is activated and to what degree. The following table lists the possible activation levels.

  Value   Description
  0       mail() header protection is disabled
  1       Disallows newlines in Subject: and To: headers and double newlines in additional headers
  2       Additionally disallows To:, CC: and BCC: in additional headers

Logging of this class of alerts is controlled by the new S_MAIL constant.

Filtering Options

hphp.cookie.max_array_depth

  • Type: Integer
  • Default: 100

Defines the maximum depth an array variable may have, when registered through the COOKIE.

Note: Array depth is not the number of elements within an array.

hphp.cookie.max_array_index_length

  • Type: Integer
  • Default: 64

Defines the maximum length of array indices for variables registered through the COOKIE.

hphp.cookie.max_name_length

  • Type: Integer
  • Default: 64

Defines the maximum length of variable names for variables registered through the COOKIE. For array variables this is the name in front of the indices.

hphp.cookie.max_totalname_length

  • Type: Integer
  • Default: 256

Defines the maximum length of the total variable name when registered through the COOKIE. For array variables this includes all indices.

hphp.cookie.max_value_length

  • Type: Integer
  • Default: 10000

Defines the maximum length of a variable that is registered through the COOKIE.

hphp.cookie.max_vars

  • Type: Integer
  • Default: 100

Defines the maximum number of variables that may be registered through the COOKIE.

hphp.get.max_array_depth

  • Type: Integer
  • Default: 50

Defines the maximum depth an array variable may have, when registered through the URL.

Note: Array depth is not the number of elements within an array.

hphp.get.max_array_index_length

  • Type: Integer
  • Default: 64

Defines the maximum length of array indices for variables registered through the URL.

hphp.get.max_name_length

  • Type: Integer
  • Default: 64

Defines the maximum length of variable names for variables registered through the URL. For array variables this is the name in front of the indices.

hphp.get.max_totalname_length

  • Type: Integer
  • Default: 256

Defines the maximum length of the total variable name when registered through the URL. For array variables this includes all indices.

hphp.get.max_value_length

  • Type: Integer
  • Default: 512

Defines the maximum length of a variable that is registered through the URL.

hphp.get.max_vars

  • Type: Integer
  • Default: 100

Defines the maximum number of variables that may be registered through the URL.

hphp.post.max_array_depth

  • Type: Integer
  • Default: 100

Defines the maximum depth an array variable may have, when registered through a POST request.

Note: Array depth is not the number of elements within an array.

hphp.post.max_array_index_length

  • Type: Integer
  • Default: 64

Defines the maximum length of array indices for variables registered through a POST request.

hphp.post.max_name_length

  • Type: Integer
  • Default: 64

Defines the maximum length of variable names for variables registered through a POST request. For array variables this is the name in front of the indices.

hphp.post.max_totalname_length

  • Type: Integer
  • Default: 256

Defines the maximum length of the total variable name when registered through a POST request. For array variables this includes all indices.

hphp.post.max_value_length

  • Type: Integer
  • Default: 65000

Defines the maximum length of a variable that is registered through a POST request.

hphp.post.max_vars

  • Type: Integer
  • Default: 200

Defines the maximum number of variables that may be registered through a POST request.

hphp.request.max_array_depth

  • Type: Integer
  • Default: 100

Defines the maximum depth an array variable may have when registered through GET, POST or COOKIE. This setting is also an upper limit for the separate GET, POST and COOKIE configuration directives.

Note: Array depth is not the number of elements within an array.

hphp.request.max_array_index_length

  • Type: Integer
  • Default: 64

Defines the maximum length of array indices for variables registered through GET, POST or COOKIE. This setting is also an upper limit for the separate GET, POST and COOKIE configuration directives.

hphp.request.max_totalname_length

  • Type: Integer
  • Default: 256

Defines the maximum length of variable names for variables registered through the COOKIE, the URL or through a POST request. This is the complete name string, including all indices. This setting is also an upper limit for the separate GET, POST and COOKIE configuration directives.

hphp.request.max_value_length

  • Type: Integer
  • Default: 65000

Defines the maximum length of a variable that is registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

hphp.request.max_vars

  • Type: Integer
  • Default: 200

Defines the maximum number of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

hphp.request.max_varname_length

  • Type: Integer
  • Default: 64

Defines the maximum name length (excluding possible array indices) of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

hphp.upload.max_uploads

  • Type: Integer
  • Default: 25

Defines the maximum number of files that may be uploaded with one request.

hphp.upload.disallow_elf_files

  • Type: Boolean
  • Default: On

When set to On it is not possible to upload ELF executables.

hphp.upload.verification_script

  • Type: String
  • Default:

This defines the full path to a verification script for uploaded files. The script is given the temporary filename and has to decide whether the upload is allowed. A possible application for this is to scan uploaded files for viruses. The called script has to write a 1 as the first line of its standard output to allow the upload. Any other value, or no output at all, results in the file being deleted.
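The following is an added example of such a verification script; it is not part of the Hardened PHP Project. It assumes the calling convention described above (temporary filename as the only argument, "1" on the first output line to allow) and uses a constructed size limit and a few content checks in place of a virus scanner.

```shell
#!/bin/sh
# Added example, not from the Hardened PHP Project: an upload verification
# script for hphp.upload.verification_script. The patch runs it as
#     <script> <temporary filename>
# and keeps the file only if the first line on standard output is "1".
# The size limit and the checks below are assumed policy, not the patch's.

MAX_BYTES="${MAX_BYTES:-5242880}"   # 5 MiB, assumed limit

# Returns 0 if the file may be kept, 1 otherwise; the reason goes to stderr
# (never to stdout, which is reserved for the verdict the patch reads).
check_upload() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file" >&2; return 1; }
    size=$(wc -c < "$f")
    [ "$size" -gt 0 ] || { echo "empty file" >&2; return 1; }
    [ "$size" -le "$MAX_BYTES" ] || { echo "too large" >&2; return 1; }
    # First four bytes as hex; "7f454c46" is the ELF header magic.
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" != "7f454c46" ] || { echo "ELF binary" >&2; return 1; }
    # A PHP open tag inside a user upload is a sign of a webshell attempt.
    if grep -q '<?php' "$f" 2>/dev/null; then
        echo "PHP code inside upload" >&2; return 1
    fi
    return 0
}

# Print the verdict in the form the Hardening-Patch expects: 1 allows,
# anything else (here 0) makes the patch delete the file.
verdict() {
    if check_upload "$1"; then echo 1; else echo 0; fi
}

if [ "$#" -eq 1 ]; then
    verdict "$1"
fi
```

Because the patch deletes the file on any output other than a first line of 1, a crash or syntax error in this script fails closed rather than open.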

Deprecated Options

varfilter.max_array_depth

  • Type: Integer
  • Default: 100

Deprecated: use hphp.request.max_array_depth instead

varfilter.max_array_index_length

  • Type: Integer
  • Default: 64

Deprecated: use hphp.request.max_array_index_length instead

varfilter.max_request_variables

  • Type: Integer
  • Default: 200

Deprecated: use hphp.request.max_vars instead

varfilter.max_totalname_length

  • Type: Integer
  • Default: 256

Deprecated: use hphp.request.max_totalname_length instead

varfilter.max_value_length

  • Type: Integer
  • Default: 65000

Deprecated: use hphp.request.max_value_length instead

varfilter.max_varname_length

  • Type: Integer
  • Default: 64

Deprecated: use hphp.request.max_varname_length instead


© Hardened PHP Project