
So apparently the streams API is deep magic that malware will never use? If you're going to pass around "cargo cult crap" (thanks McGlockenshire), at least make sure you're locking down _every_ equivalent of "dangerous function" that only malware and "badly written software" supposedly would use. To add a few to the holes others have listed, you should disable proc_open, popen, pcntl_exec. How about dl(), to close a (rare) vector for loading native code?

While we're doing drop-in magic stuff to mitigate problems, don't forget to put libxml_disable_entity_loader(true); at the beginning of every script.[0]

Why not disable file_put_contents? I always thought that was kind of a shoddy practice, and likely to appear in malware, too!

Why not set allow_url_include = off? Surely this is in "badly written software" territory that is exploited by malware?

Obviously this isn't exhaustive, either. My point is that you can't wave a few boilerplate configurations over any PHP application to make it secure. That may be a sizable flaw in the platform, but if so, say that rather than trying to give people copy-paste "protection."

[0] https://www.idontplaydarts.com/2011/02/scanning-the-internal...
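An added example, not code from the thread or from any commenter: a small PHP audit script that checks a running interpreter against the points raised in the comment above (the functions it names for disable_functions, allow_url_include, and the libxml entity loader). The function list is deliberately only what the thread names; allow_url_fopen is included because it is the separate switch that allow_url_include depends on.

```php
<?php
// Added example (not from the thread): audit the running PHP interpreter
// against the hardening points the comment above raises.
// Usage: php audit.php   (exits 1 if any named function is still callable)

// Functions the comment says a disable_functions list should also cover.
// Extend with your own; this is only what the thread names.
const SHOULD_BE_DISABLED = ['proc_open', 'popen', 'pcntl_exec', 'dl'];

function disabledFunctions(): array
{
    // disable_functions is a comma-separated string; normalise it to a set.
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_fill_keys(array_map('strtolower', $names), true);
}

function callableGaps(array $wanted): array
{
    // function_exists() is false both for functions removed by disable_functions
    // and for functions this build lacks (e.g. pcntl_exec without ext/pcntl),
    // so a true result means the function really is callable from PHP code.
    return array_values(array_filter($wanted, 'function_exists'));
}

function iniIsOff(string $key): bool
{
    // Boolean ini values come back as "1"/"0"/"" or an On/Off literal.
    return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN) === false;
}

$listed = disabledFunctions();
$gaps   = callableGaps(SHOULD_BE_DISABLED);
foreach ($gaps as $fn) {
    echo "GAP : $fn is callable (not covered by disable_functions)\n";
}
echo 'disable_functions currently lists ' . count($listed) . " function(s)\n";

// allow_url_include governs remote include()/require(); it only takes effect
// when allow_url_fopen (remote fopen()/file_get_contents(), on by default) is on.
foreach (['allow_url_include', 'allow_url_fopen'] as $key) {
    echo (iniIsOff($key) ? 'ok  : ' : 'WARN: ') . "$key=" . var_export(ini_get($key), true) . "\n";
}

// From PHP 8.0 (libxml >= 2.9) external entity loading is off by default and
// this call is deprecated, so only issue it on older interpreters.
if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
    libxml_disable_entity_loader(true);
}
exit($gaps === [] ? 0 : 1);
```

Run it under the same SAPI (CLI vs. FPM) you are hardening, since disable_functions and the available extensions can differ between them.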



Which is why I suggested Suhosin above: https://news.ycombinator.com/item?id=8056907 And on a number of replies advocated for certain precautions in addition to the much maligned disable_functions list.

I'm not going to visit this thread any longer as it's getting to be an exhausting exercise of having to wade through snark and general malaise. I'm reminded, once again, why I waited so long before making a single post on this forum.


You might want to look into lightening up a little. You gave objectively bad advice, backed by objectively bad reasoning, and were educated about your mistakes for free. There was a bit of snark, but not a single drop of general malaise, and most of what was said to you was very helpful considering your professed aims.

You found yourself in "Wovon man nicht sprechen kann, darüber muß man schweigen" territory on this topic, but don't be disheartened. Proper security is notably difficult.


Which specifically of my points will be addressed by adding Suhosin?

You gave some good advice. Assuming your software still works without cURL and with Suhosin, yes, you are probably going to avoid some attacks by using your disable_functions list and Suhosin. Still, I think what I and several others take issue with is giving an example php.ini that was so incomplete and inconsistent with its reasoning.


To be fair, I've noticed allow_url_include is off by default.
