Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:14925 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 43091 invoked by uid 1010); 14 Feb 2005 17:43:14 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 43074 invoked from network); 14 Feb 2005 17:43:14 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Feb 2005 17:43:14 -0000 X-Host-Fingerprint: 217.69.76.213 hermes.e-matters.de Linux 2.4/2.6 Received: from ([217.69.76.213:34299] helo=e-matters.de) by pb1.pair.com (ecelerity 1.2.11 (r4403)) with SMTP id DB/10-18098-133E0124 for ; Mon, 14 Feb 2005 12:43:13 -0500 Received: (qmail 32289 invoked by uid 0); 14 Feb 2005 17:38:43 -0000 Received: from p5087731d.dip.t-dialin.net (HELO ?192.168.1.77?) (80.135.115.29) by /var/run/qmail-smtp.pid with SMTP; 14 Feb 2005 17:38:43 -0000 Message-ID: <4210E32A.8000201@php.net> Date: Mon, 14 Feb 2005 18:43:06 +0100 User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: internals@lists.php.net Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Hardened-PHP and variable filtering extensions... From: sesser@php.net (Stefan Esser) Hello, recently there was a discussion on this list about variable filtering within PHP. Because of this discussion I have put a preview of Hardened-PHP 0.3.0 online at hardened-php.net. (This preview does not contain all new features but the variable filtering relevant ones. It adds the following new ini directives: Filtering Directives -------------------- # Global Policy for Request Variables # allow - all not explicitly forbidden contents are allowed # deny - all not explicitly allowed contents are forbidden hphp.request.policy = deny | allow # Global Filter for Request Variables hphp.request.filter = deny|allow /regexpattern/i # Variable Specific Filter hphp.request.varfilter = varname deny|allow /regexpattern/i (The same directives exist variable type specific: hphp.cookie.policy, hphp.post.policy, hphp.get.policy, ...) Limiting Directives ------------------- hphp.XXX.max_vars hphp.XXX.max_name_length hphp.XXX.max_totalname_length hphp.XXX.max_value_length hphp.XXX.max_array_depth hphp.XXX.max_array_index_length where XXX is request/get/post/cookie Fileupload Directives --------------------- hphp.upload.max_uploads - maximum number of file uploads per request hphp.upload.disallow_elf_files - disallow uploaded ELF files hphp.upload.verification_script - call this script to verify uploaded files Additionally the log system was improved Logging Directives ------------------ hphp.log.syslog = loglevels that should be logged through syslog (S_MEMORY is always logged through syslog) hphp.log.syslog.facility = syslog facility hphp.log.syslog.priority = syslog priority hphp.log.sapi = loglevels that should be logged through sapi error log (f.e. apache error log) hphp.log.script = loglevels thath should be logged through the logscript hphp.log.script.name = script for logging (1st param f.e. S_MISC 2nd param: message) loglevel meaning ----------------- S_MEMORY Log memory errors, like carnary violations S_VARS Log dropped variables S_INCLUDE Log malicious includes S_FILES Log malicious fileuploads S_SQL Log failed MySQL queries (f.e. someone trying to SQL inject) S_MISC Log other attacks (f.e. format string attacks) PS.1: You see that all filtering directives do drop the variables and do NOT try to remove malicious content. Repairing malicious input is considered bad practise. PS.2: Anyone interested in suggesting a new name for Hardened-PHP? Obviously the PHP Group does consider Hardened-PHP as violator of the PHP license and demands/wants a name change. PS.3: Yes some of these feature are similiar in mod_security (with the exception that in Hardened-PHP they actually work) Stefan Esser