From d754180768ceb88d6503eb611b91f8153d84da04 Mon Sep 17 00:00:00 2001 From: Alex Dupre Date: Mon, 16 Oct 2006 09:30:58 +0000 Subject: - fix open_basedir vulnerability in php4 and php5 [1] - add an alert on safe_mode intrinsic insecurity and suggest to install the suhosin extension - enable the suhosin patch by default also in php4 Submitted by: Thomas Vogt [1] Obtained from: PHP CVS [1] Approved by: portmgr (clement) --- lang/php4/files/patch-php.ini-recommended | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 lang/php4/files/patch-php.ini-recommended (limited to 'lang/php4/files/patch-php.ini-recommended') diff --git a/lang/php4/files/patch-php.ini-recommended b/lang/php4/files/patch-php.ini-recommended new file mode 100644 index 000000000000..a2baecd55e4f --- /dev/null +++ b/lang/php4/files/patch-php.ini-recommended @@ -0,0 +1,18 @@ +--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005 ++++ php.ini-recommended Mon Oct 16 08:13:05 2006 +@@ -169,6 +169,15 @@ + ; + ; Safe Mode + ; ++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that ++; the PHP Safe Mode feature not be relied upon for security, since the ++; issues Safe Mode tries to handle cannot properly be handled in PHP ++; (primarily due to PHP's use of external libraries). While many bugs ++; in Safe Mode has been fixed it's very likely that more issues exist ++; which allows a user to bypass Safe Mode restrictions. ++; For increased security we recommend to always install the Suhosin ++; extension. ++; + safe_mode = Off + + ; By default, Safe Mode does a UID compare check when
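Review bot: the SECURITY NOTE comment added in this hunk ships in the default php.ini that every administrator reads, so its grammar should be corrected before commit: "The FreeBSD Security Officer strongly recommend" should read "recommends", "While many bugs in Safe Mode has been fixed" should read "have been fixed", and "more issues exist which allows a user" should read "which allow a user". The note also tells the reader to "always install the Suhosin extension" without saying where it comes from; naming the port that provides it in the comment would make the advice actionable. The hunk leaves "safe_mode = Off" unchanged and only documents the risk, which is consistent with the commit message's stated intent of adding an alert rather than changing behaviour.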