Configuration
Hardening-Patch's features are all configured through the php.ini configuration file. Here you can find descriptions of all supported options.
For most users the Hardening-Patch will work out of the box, without any change to the default configuration.
Logging Configuration
hphp.log.syslog
- Type: Integer
- Default: S_ALL & ~S_SQL
Defines which classes of security alerts are logged to the syslog daemon. Alerts of the class S_MEMORY are always logged to syslog regardless of this setting, because a corrupted heap could cause the other logging mechanisms to malfunction during the logging process.
| Constant | Description |
|---|---|
| S_MEMORY | All canary violations and the safe unlink protection use this class |
| S_VARS | All variable filters trigger this class |
| S_FILES | All violations triggered by the uploaded files filter use this class |
| S_INCLUDE | The protection against malicious include filenames uses this class |
| S_SQL | Failed SQL queries are logged with this class |
| S_EXECUTOR | The execution depth protection uses this logging class |
| S_MAIL | The mail() header newline protection uses this logging class |
| S_MISC | All other log messages (e.g. format string protection) use this class |
| S_ALL | Combines all classes |
hphp.log.syslog.facility
- Type: Integer
- Default: LOG_USER
Defines the syslog facility that is used when alerts are logged to syslog. Depending on your system, the following constants are available:
LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID, LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT, LOG_PERROR
hphp.log.syslog.priority
- Type: Integer
- Default: LOG_ALERT
Defines the syslog priority that is used when alerts are logged to syslog. Depending on your system, the following constants are available:
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
hphp.log.sapi
- Type: Integer
- Default: S_ALL & ~S_SQL
Defines which classes of security alerts are logged through the SAPI error log. For a list of the available constants see the class table under hphp.log.syslog.
hphp.log.script
- Type: Integer
- Default: 0
Defines which classes of security alerts are logged through the external logging script. For a list of the available constants see the class table under hphp.log.syslog.
hphp.log.script.name
- Type: String
- Default:
Defines the full path to an external logging script. The script is called with two parameters: the first is the alert class in string notation and the second is the log message. This can be used, for example, to mail failing MySQL queries to your email address, because on a production system these should never happen.
hphp.log.use-x-forwarded-for
- Type: Boolean
- Default: off
When the Hardening-Patch logs an alert, the log message also contains the IP address of the attacker. Usually this IP is taken from the REMOTE_ADDR SAPI environment variable. With this switch the IP is read from the X-Forwarded-For HTTP header instead, which is necessary, for example, when your PHP server runs behind a reverse proxy. Because any client can send this header itself, the switch should only be enabled when a trusted proxy in front of PHP always overwrites it.
General Options
hphp.executor.max_depth
- Type: Integer
- Default: 0
Defines the maximum stack depth allowed by the executor before it stops the script. Without this feature an endless recursion in a PHP script could crash the PHP executor or exhaust the configured memory_limit. A value of 0 disables this feature.
hphp.executor.include.whitelist
- Type: String
- Default:
Comma-separated whitelist of URL schemes that may be included by include or require statements. In addition to URL schemes it is possible to specify the beginning of allowed URLs (e.g. php://stdin). If no whitelist is specified, the blacklist is evaluated.
hphp.executor.include.blacklist
- Type: String
- Default:
Comma-separated blacklist of URL schemes that may not be included by include or require statements. In addition to URL schemes it is possible to specify the beginning of URLs (e.g. php://stdin). If neither a blacklist nor a whitelist is specified, all URL schemes are forbidden.
hphp.executor.func.whitelist
- Type: String
- Default:
Comma-separated whitelist of functions that are allowed to be called. If the whitelist is empty, the blacklist is evaluated; otherwise calling a function not in the whitelist terminates the script and is logged.
hphp.executor.func.blacklist
- Type: String
- Default:
Comma-separated blacklist of functions that are not allowed to be called. If no whitelist is given, calling a function in the blacklist terminates the script and is logged.
hphp.executor.eval.whitelist
- Type: String
- Default:
Comma-separated whitelist of functions that are allowed to be called from within eval(). If the whitelist is empty, the blacklist is evaluated; otherwise calling a function not in the whitelist terminates the script and is logged.
hphp.executor.eval.blacklist
- Type: String
- Default:
Comma-separated blacklist of functions that are not allowed to be called from within eval(). If no whitelist is given, calling a function in the blacklist terminates the script and is logged.
hphp.sql.bailout_on_error
- Type: Boolean
- Default: Off
When a SQL query fails, scripts often print a lot of information that is useful to a potential attacker. When this directive is turned on, the script terminates silently after the problem has been logged.
hphp.multiheader
- Type: Boolean
- Default: Off
This directive controls whether multiple headers are allowed in a single header() call. By default the Hardening-Patch forbids this. (HTTP headers spanning multiple lines are still allowed.)
hphp.mail.protect
- Type: Integer
- Default: 0
This directive controls whether the mail() header protection is activated and to what degree. The following table lists the possible activation levels.
| Value | Description |
|---|---|
| 0 | mail() header protection is disabled |
| 1 | Disallows newlines in Subject:, To: headers and double newlines in additional headers |
| 2 | Additionally disallows To:, CC:, BCC: in additional headers |
Logging of this class of alerts is controlled by the new S_MAIL constant.
Filtering Options
hphp.cookie.max_array_depth
- Type: Integer
- Default: 100
Defines the maximum depth an array variable may have when registered through the COOKIE.
Note: Array depth is not the number of elements within an array.
hphp.cookie.max_array_index_length
- Type: Integer
- Default: 64
Defines the maximum length of array indices for variables registered through the COOKIE.
hphp.cookie.max_name_length
- Type: Integer
- Default: 64
Defines the maximum length of variable names for variables registered through the COOKIE. For array variables this is the name in front of the indices.
hphp.cookie.max_totalname_length
- Type: Integer
- Default: 256
Defines the maximum length of the total variable name when registered through the COOKIE. For array variables this includes all indices.
hphp.cookie.max_value_length
- Type: Integer
- Default: 10000
Defines the maximum length of a variable that is registered through the COOKIE.
hphp.cookie.max_vars
- Type: Integer
- Default: 100
Defines the maximum number of variables that may be registered through the COOKIE.
hphp.get.max_array_depth
- Type: Integer
- Default: 50
Defines the maximum depth an array variable may have when registered through the URL.
Note: Array depth is not the number of elements within an array.
hphp.get.max_array_index_length
- Type: Integer
- Default: 64
Defines the maximum length of array indices for variables registered through the URL.
hphp.get.max_name_length
- Type: Integer
- Default: 64
Defines the maximum length of variable names for variables registered through the URL. For array variables this is the name in front of the indices.
hphp.get.max_totalname_length
- Type: Integer
- Default: 256
Defines the maximum length of the total variable name when registered through the URL. For array variables this includes all indices.
hphp.get.max_value_length
- Type: Integer
- Default: 512
Defines the maximum length of a variable that is registered through the URL.
hphp.get.max_vars
- Type: Integer
- Default: 100
Defines the maximum number of variables that may be registered through the URL.
hphp.post.max_array_depth
- Type: Integer
- Default: 100
Defines the maximum depth an array variable may have when registered through a POST request.
Note: Array depth is not the number of elements within an array.
hphp.post.max_array_index_length
- Type: Integer
- Default: 64
Defines the maximum length of array indices for variables registered through a POST request.
hphp.post.max_name_length
- Type: Integer
- Default: 64
Defines the maximum length of variable names for variables registered through a POST request. For array variables this is the name in front of the indices.
hphp.post.max_totalname_length
- Type: Integer
- Default: 256
Defines the maximum length of the total variable name when registered through a POST request. For array variables this includes all indices.
hphp.post.max_value_length
- Type: Integer
- Default: 65000
Defines the maximum length of a variable that is registered through a POST request.
hphp.post.max_vars
- Type: Integer
- Default: 200
Defines the maximum number of variables that may be registered through a POST request.
hphp.request.max_array_depth
- Type: Integer
- Default: 100
Defines the maximum depth an array variable may have when registered through GET, POST or COOKIE. This setting is also an upper limit for the separate GET, POST and COOKIE configuration directives.
Note: Array depth is not the number of elements within an array.
hphp.request.max_array_index_length
- Type: Integer
- Default: 64
Defines the maximum length of array indices for variables registered through GET, POST or COOKIE. This setting is also an upper limit for the separate GET, POST, COOKIE configuration directives.
hphp.request.max_totalname_length
- Type: Integer
- Default: 256
Defines the maximum length of variable names for variables registered through the COOKIE, the URL or through a POST request. This is the complete name string, including all indices. This setting is also an upper limit for the separate GET, POST and COOKIE configuration directives.
hphp.request.max_value_length
- Type: Integer
- Default: 65000
Defines the maximum length of a variable that is registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.
hphp.request.max_vars
- Type: Integer
- Default: 200
Defines the maximum number of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.
hphp.request.max_varname_length
- Type: Integer
- Default: 64
Defines the maximum name length (excluding possible array indices) of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.
hphp.upload.max_uploads
- Type: Integer
- Default: 25
Defines the maximum number of files that may be uploaded with one request.
hphp.upload.disallow_elf_files
- Type: Boolean
- Default: On
When set to On, uploading ELF executables is not possible.
hphp.upload.verification_script
- Type: String
- Default:
Defines the full path to a verification script for uploaded files. The script is given the temporary filename of the upload and has to decide whether the upload is allowed. A possible application is scanning uploaded files for viruses. To allow the upload, the script has to write a 1 as the first line to standard output. Any other value, or no output at all, results in the file being deleted.
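An added example, not from the Hardening-Patch itself, of a verification script for hphp.upload.verification_script: it is called with the temporary filename and writes 1 as its first line only if the file passes a size check, is not an ELF binary and, when clamscan(1) is installed, scans clean. The size limit and the use of clamscan are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Hardening-Patch: verification script for
# hphp.upload.verification_script. The patch calls it with the temporary
# filename of an upload and keeps the file only if the first line written to
# standard output is "1". The size limit below and the optional clamscan(1)
# call are policy choices assumed for this example.

MAX_UPLOAD_BYTES="${MAX_UPLOAD_BYTES:-8388608}"   # 8 MiB

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Return 0 if the file size is within MAX_UPLOAD_BYTES.
within_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_UPLOAD_BYTES" ]
}

# Return 0 when clamscan is not installed or reports the file clean
# (clamscan exits 1 on a detection and 2 on an error; both reject).
scanner_clean() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary --quiet "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# Run all checks on the temporary file. Prints "1" and returns 0 to allow
# the upload; prints "0" and returns 1 to have the patch delete the file.
verify_upload() {
    f=$1
    if [ -f "$f" ] && [ -r "$f" ] && within_size "$f" \
        && ! is_elf "$f" && scanner_clean "$f"; then
        printf '1\n'
        return 0
    fi
    printf '0\n'
    return 1
}

# Entry point when the patch executes this file directly.
if [ "$#" -eq 1 ]; then
    verify_upload "$1"
fi
```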
Deprecated Options
varfilter.max_array_depth
- Type: Integer
- Default: 100
Deprecated: use hphp.request.max_array_depth instead
varfilter.max_array_index_length
- Type: Integer
- Default: 64
Deprecated: use hphp.request.max_array_index_length instead
varfilter.max_request_variables
- Type: Integer
- Default: 200
Deprecated: use hphp.request.max_vars instead
varfilter.max_totalname_length
- Type: Integer
- Default: 256
Deprecated: use hphp.request.max_totalname_length instead
varfilter.max_value_length
- Type: Integer
- Default: 65000
Deprecated: use hphp.request.max_value_length instead
varfilter.max_varname_length
- Type: Integer
- Default: 64
Deprecated: use hphp.request.max_varname_length instead