PHP code audit 1 - php.ini
2022-06-25 04:06:00 【W0ngk】
One. Preface
Many PHP options are not safe by default, which leaves attackers plenty of room to work with.
In php.ini a line beginning with a semicolon is a comment, and most configuration takes the form "directive = value". Note that php.ini directive names are case-sensitive: a=aaa and A=aaa are two different directives. A value can be a string, a number, a PHP constant, an ini constant, an expression of constants (for example E_ALL & ~E_DEPRECATED), and so on. The file is divided into several sections, for example the module section, the global PHP configuration, the database configuration and so on.
Some of the parameters below have been removed from newer PHP versions and only exist in older ones. Some servers still run an old PHP that has never been upgraded; unless there is a hard reason not to, upgrade to PHP 7.0 or later (PHP 7.0 itself reached end of life in 2018, so in practice this means a currently supported release).
Two. PHP security parameter configuration
Parameter 1: register_globals
This directive changes how PHP receives request parameters. When it is on, every passed parameter (GET, POST, cookie) is registered directly as a global variable and can be used without being declared, so an attacker can pre-set variables that the script expects to initialise itself. Keep it off. It has been off by default since PHP 4.2 and was removed in PHP 5.4; only old versions still honour it.
Parameter 2: magic_quotes_gpc
When this directive is on, single quotes, double quotes, backslashes and NUL bytes in $_POST, $_GET and $_COOKIE are escaped with a backslash. It used to be recommended as a blanket protection, but it is a crude escape that does not fit every output context and it was removed in PHP 5.4. Treat its presence as a sign of an outdated deployment rather than a defence, and rely on prepared statements and context-specific escaping in the code itself.
Parameter 3: display_errors
Controls whether error messages are shown in the response. Error messages reveal program paths, server and database details, which is useful reconnaissance for an attacker. Turn it off in production (it can be enabled in a test environment for convenient debugging).
Parameter 4: safe_mode
Safe mode, when on, limits some PHP functions such as system and restricts many file operation functions, so that key files such as /etc/passwd cannot be touched. It is off by default and is enabled with safe_mode = On; it was removed in PHP 5.4. With it enabled, file functions such as chdir, copy, fopen, include, require, link, mkdir, touch and so on are restricted (access is limited to files owned by the same UID as the running script), and command-execution functions are restricted as well: exec, system, passthru and popen may only run binaries under safe_mode_exec_dir, while shell_exec and the backtick operator are disabled outright. The PHP project itself describes safe mode as architecturally incorrect, so do not rely on it; use open_basedir and disable_functions on a current PHP instead.
Parameter 5: open_basedir
Limits the directories PHP may access, so that a script cannot read files it has no business reading. This contains a webshell to some extent: typically only the web root is allowed, for example open_basedir = /var/www/html/. Before it is configured, a shell obtained on the server can read files elsewhere, for example under /etc/; once it is configured, only the allowed directories are visible. Two caveats: on PHP older than 5.3.4 the value is a prefix match, so /var/www/html would also allow /var/www/html_backup; end the path with a slash to restrict exactly that directory (harmless on newer versions). Several paths are separated with : on Unix and ; on Windows. The restriction covers PHP's own file functions only, not commands launched through system() or exec(), so it must be paired with disable_functions.
Parameter 6: disable_functions
Disables the listed built-in functions that can do the most damage, for example phpinfo, system and exec. Nothing is disabled by default; the list must be configured by hand, and it can only be set in php.ini (not through ini_set() or .htaccess). Names are comma-separated and function names are case-insensitive. A recommended list:
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
Disabling shell_exec also disables the backtick operator, which is the same function; ini_alter is an alias of ini_set. Only internal functions can be listed, not user-defined ones. This is defence in depth only: a webshell can still do a great deal with the remaining file and network functions, so combine it with open_basedir and a locked-down process user.
Parameter 7: com.allow_dcom
Windows only. When com.allow_dcom is true, PHP may act as a DCOM client and instantiate COM components, including ones that run system commands. Set it to false.
Parameter 8: expose_php
Determines whether PHP advertises its version in the HTTP response (the X-Powered-By header). Default on; set it to off.
Parameter 9: allow_url_fopen
Allows file functions such as fopen() and file_get_contents() to open remote URLs. Default on. Turn it off if the application does not need it, since it lets a compromised or injectable script fetch attacker-controlled content from the network.
Parameter 10: allow_url_include
Controls whether include, include_once, require and require_once may load remote files; it also requires allow_url_fopen to be on. Default off since PHP 5.2, and it must stay off: with it on, any include whose path an attacker influences becomes remote file inclusion, that is, remote code execution.
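The following is an added example and not code from the original post: a small php.ini reader that follows the syntax rules given in the preface (semicolon comments, [sections], case-sensitive "directive = value" lines), plus an audit of the section Two directives against the recommendations above. The two php.ini bodies are constructed samples, one weak and one hardened, and the function names are this example's own, not PHP tooling.

```python
"""Audit the php.ini directives discussed in section Two.

Added example, not from the original post. parse_php_ini() reads the php.ini
syntax described in the preface; audit() applies the recommendations above.
The two php.ini bodies are constructed samples; the function names are this
example's own, not PHP tooling.
"""

# Constructed sample 1: an old-style, weakly configured php.ini.
WEAK_PHP_INI = """
[PHP]
; a semicolon starts a comment
register_globals = On
magic_quotes_gpc = On
display_errors = On
expose_php = On
allow_url_fopen = On
allow_url_include = On
open_basedir =
disable_functions =
com.allow_dcom = true
error_log = "/var/log/php/error.log"   ; inline comment after a quoted value
"""

# Constructed sample 2: the same directives hardened as recommended above.
HARDENED_PHP_INI = """
[PHP]
display_errors = Off
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/html/"
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
com.allow_dcom = false
"""

RECOMMENDED_DISABLED = (
    "phpinfo", "passthru", "exec", "system", "chroot", "scandir", "chgrp",
    "chown", "shell_exec", "proc_open", "proc_get_status", "ini_alter",
    "ini_restore", "dl", "pfsockopen", "openlog", "syslog", "readlink",
    "symlink", "popen", "stream_socket_server",
)


def _strip_comment(line):
    """Cut the line at the first ';' that is not inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def parse_php_ini(text):
    """Return {directive: value}. Names keep their case (a=aaa and A=aaa are
    different keys), [section] headers are skipped, surrounding quotes are
    removed from values, and a repeated directive takes its last value."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def ini_bool(value):
    """PHP's truthy ini values; anything else (0, Off, No, False, empty) is off."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit(settings):
    """Return (directive, finding) pairs for weak or outdated settings."""
    findings = []

    def is_on(name, default=False):
        return ini_bool(settings[name]) if name in settings else default

    for name in ("register_globals", "magic_quotes_gpc", "safe_mode"):
        if name in settings:  # removed in PHP 5.4: this PHP is end-of-life
            findings.append((name, "directive removed in PHP 5.4; upgrade PHP"))
    if is_on("display_errors"):
        findings.append(("display_errors", "On: error details reach the client"))
    if is_on("expose_php", default=True):  # built-in default is On
        findings.append(("expose_php", "On: X-Powered-By reveals the PHP version"))
    if is_on("allow_url_include"):
        findings.append(("allow_url_include", "On: include of URLs enables RFI"))
    if is_on("com.allow_dcom"):
        findings.append(("com.allow_dcom", "true: DCOM components can run commands"))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "unset: scripts may read any path the PHP user can"))
    # Function names are case-insensitive in PHP, so compare lower-cased.
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",")}
    missing = [f for f in RECOMMENDED_DISABLED if f not in disabled]
    if missing:
        findings.append(("disable_functions", "still enabled: " + ", ".join(missing)))
    return findings
```

Running audit(parse_php_ini(WEAK_PHP_INI)) reports every directive discussed above, while the hardened sample produces no findings. The parser deliberately ignores [HOST=] and [PATH=] sections and ini_set() calls inside the application, so a real audit must also check the running configuration (for example phpinfo() output or php -i) rather than the file alone.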
Three. Other general PHP parameter configuration
1. File upload related
Parameter 1: file_uploads
Default 1: allows file uploads over HTTP.
Parameter 2: upload_tmp_dir
Default NULL: the temporary directory that holds files while they are being uploaded. It must be writable by the user PHP runs as; if it is not set, the system default temporary directory is used, and when open_basedir is configured that default must be allowed by it or uploads fail.
Parameter 3: upload_max_filesize
The maximum size of a single uploaded file. A plain integer is a number of bytes; the K, M and G shorthand suffixes are supported. Default 2M.
Parameter 4: max_file_uploads
The maximum number of files that may be uploaded in one request. Default 20.
2. Data processing related
Parameter 1: enable_post_data_reading
Default 1. Disabling it means $_POST and $_FILES are no longer populated; the only way to read the POST body is then the php://input stream wrapper. This is useful for proxying requests or for handling POST data in a memory-efficient way.
Parameter 2: post_max_size
Default 8M. The maximum size of POST data PHP will accept. It also governs file uploads, so upload_max_filesize should be smaller than this value, and memory_limit should in turn be larger than post_max_size. A request that exceeds it arrives with empty $_POST and $_FILES rather than an error, which is easy to mistake for an application bug.
Parameter 3: default_mimetype
Default "text/html": the Content-Type PHP sends when the script does not set one.
Parameter 4: default_charset
Sets the site's character encoding. Default UTF-8. The value is also the default encoding for several functions, such as htmlentities(), html_entity_decode(), htmlspecialchars(), iconv and mbstring, so keeping it consistent matters for output escaping.
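An added example, not from the original post, for the file-upload parameters in subsection 1 and post_max_size above: PHP reads size values with a shorthand rule that inspects only the last character for a K/M/G multiplier, so a value like "2MB" is read as 2 bytes. parse_shorthand() mimics that rule and check_limits() verifies the ordering upload_max_filesize <= post_max_size <= memory_limit. The settings dicts are constructed for the demonstration and the function names are this example's own.

```python
"""Check the size chain upload_max_filesize <= post_max_size <= memory_limit.

Added example, not from the original post: parse_shorthand() mimics how PHP
reads the K/M/G shorthand accepted by these directives, check_limits()
applies the ordering rule stated on the page. Settings dicts are constructed.
"""
import re

_MULTIPLIERS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_shorthand(value):
    """Convert a php.ini size value such as "2M", "256K", "1g" or "-1" to bytes.

    PHP inspects only the LAST character for a multiplier and otherwise uses
    the leading integer, so "2MB" means 2 bytes (recent PHP warns about the
    unknown suffix but still uses 2). A non-numeric value parses as 0.
    """
    text = value.strip()
    match = re.match(r"[+-]?\d+", text)
    number = int(match.group(0)) if match else 0
    multiplier = _MULTIPLIERS.get(text[-1:].lower(), 1)
    return number * multiplier


def check_limits(settings):
    """Return warnings about an inconsistent size chain; [] means consistent.

    Missing directives fall back to the defaults quoted on this page
    (upload_max_filesize 2M, post_max_size 8M, memory_limit 128M);
    memory_limit -1 means unlimited.
    """
    upload = parse_shorthand(settings.get("upload_max_filesize", "2M"))
    post = parse_shorthand(settings.get("post_max_size", "8M"))
    memory = parse_shorthand(settings.get("memory_limit", "128M"))
    warnings = []
    if upload > post:
        warnings.append("upload_max_filesize (%d) > post_max_size (%d): "
                        "large uploads arrive as empty $_FILES" % (upload, post))
    if memory != -1 and post > memory:
        warnings.append("post_max_size (%d) > memory_limit (%d): "
                        "large POST bodies can exhaust the script" % (post, memory))
    return warnings
```

A typical audit call is check_limits({"upload_max_filesize": "64M", "post_max_size": "8M"}), which reports the first warning: uploads up to 64M are nominally allowed but anything over 8M is silently dropped by post_max_size.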
3. Logging related
Parameter 1: error_reporting
Default NULL (PHP's built-in level applies). Sets which error levels are reported. Recommended: E_ALL & ~E_DEPRECATED & ~E_STRICT in production and E_ALL in development.
Parameter 2: display_errors
Whether error messages are written to the output. Turn it off in production. If set to stderr, errors go to stderr instead of stdout. The default is 1, output allowed.
Parameter 3: log_errors
Default 0. Whether errors raised while a script runs are recorded in the server error log or in the error_log file. Turn it on in production, so that errors hidden from users are still visible to operators.
Parameter 4: error_log
Default empty. The file to which script errors are written; it must be writable by the web server user. If set to the special value syslog, errors are sent to the system logger instead.
Parameter 5: log_errors_max_len
The maximum length in bytes of a logged error; in error_log, information about the error's source is appended. Default 1024; 0 means unlimited. The limit applies to logged errors, displayed errors and $php_errormsg alike. (Removed in PHP 8.1.)
Parameter 6: ignore_repeated_errors
Do not log repeated messages. An error counts as repeated only when it comes from the same line of the same file, unless ignore_repeated_source is set to true.
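An added example, not from the original post, for the logging parameters above: php.ini values such as E_ALL & ~E_DEPRECATED & ~E_STRICT are expressions over PHP constants, so an auditor has to evaluate them rather than string-compare them. error_level() resolves the E_* constants (values as defined since PHP 5.4) and computes the bitmask, and check_logging() applies the production and development advice from this section to a settings dict. The settings dicts are constructed for the demonstration; treating an unset error_reporting as E_ALL is an assumption (it is PHP 8's built-in default, older builds differ).

```python
"""Evaluate error_reporting expressions and check the logging recommendations.

Added example, not from the original post. error_level() resolves E_*
constants (values as defined since PHP 5.4) and evaluates the bitmask;
check_logging() applies the advice above. Settings dicts are constructed.
"""
import re

E_CONSTANTS = {
    "E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
    "E_CORE_ERROR": 16, "E_CORE_WARNING": 32, "E_COMPILE_ERROR": 64,
    "E_COMPILE_WARNING": 128, "E_USER_ERROR": 256, "E_USER_WARNING": 512,
    "E_USER_NOTICE": 1024, "E_STRICT": 2048, "E_RECOVERABLE_ERROR": 4096,
    "E_DEPRECATED": 8192, "E_USER_DEPRECATED": 16384, "E_ALL": 32767,
}
PRODUCTION_LEVEL = "E_ALL & ~E_DEPRECATED & ~E_STRICT"
# After constant substitution only digits, whitespace, & | ^ ~ ( ) may remain.
_SAFE_CHARS = re.compile(r"^[\d\s&|^~()]+$")


def error_level(expr):
    """Return the integer bitmask an error_reporting expression denotes.

    php.ini expressions combine constants with & | ^ ~ and parentheses, and
    Python gives those operators the same precedence, so every constant is
    replaced by its value, the result is checked to contain nothing else, and
    it is evaluated with an empty builtins namespace. Unknown names or any
    other token raise ValueError instead of being evaluated.
    """
    def lookup(match):
        name = match.group(0)
        if name not in E_CONSTANTS:
            raise ValueError("unknown constant: " + name)
        return str(E_CONSTANTS[name])

    numeric = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", lookup, expr)
    if not _SAFE_CHARS.match(numeric):
        raise ValueError("unsupported token in %r" % expr)
    return eval(numeric, {"__builtins__": {}}, {}) & E_CONSTANTS["E_ALL"]


def _ini_on(value):
    return value.strip().lower() in ("1", "on", "yes", "true")


def _display_on(value):
    """display_errors is on for truthy values and for the stdout/stderr targets."""
    return _ini_on(value) or value.strip().lower() in ("stdout", "stderr")


def check_logging(settings, production=True):
    """Return a list of problems; [] means the settings match the advice above."""
    problems = []
    # Assumption: an unset error_reporting behaves as E_ALL (PHP 8 default).
    level = error_level(settings.get("error_reporting") or "E_ALL")
    if production:
        want = error_level(PRODUCTION_LEVEL)
        if (level & want) != want:
            problems.append("error_reporting hides levels production should log")
        if _display_on(settings.get("display_errors", "1")):  # page: default 1
            problems.append("display_errors is on: error details reach the client")
        if not _ini_on(settings.get("log_errors", "0")):  # page: default 0
            problems.append("log_errors is off: hidden errors are never recorded")
    elif level != E_CONSTANTS["E_ALL"]:
        problems.append("development should report E_ALL")
    return problems
```

The validation step before eval is the important part: an ini value is attacker-adjacent data in a shared-hosting audit, and substituting constants then whitelisting the remaining characters keeps the evaluator from running anything but a bitwise expression.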
4. Other important parameters
- Parameter 1: max_execution_time
Default 30 seconds (0, meaning unlimited, on the CLI). It bounds only the script's own execution time: on non-Windows systems, time spent outside the script in system() calls, stream operations, database queries and the like is not counted.
- Parameter 2: memory_limit
The maximum memory a script may allocate. Accepts an integer or the K/M/G shorthand; -1 means unlimited. Default 128M.
- Parameter 3: disable_classes
Disables the listed classes; separate class names with commas. It can only be set in php.ini.