Changes between Version 38 and Version 39 of DebianLamp


Timestamp: Oct 27, 2009, 5:04:16 PM
Author: Vincent Caron
Comment: --

  • DebianLamp

    v38 v39  
    216216 * '''register_globals''': this must be '''off'''. Application which rely on this setting to be on are very old or totally insecure, most of them both.
    217217 * '''post_max_size''', '''upload_max_filesize''': are better kept in sync (effective upload limit is the minimum of these two values), any value will do. It's okay to have 100M here.
    218  * '''upload_tmp_dir''': should be in the partition where data will end, sane default is often {{{/var/tmp}}} (and NOT {{{/tmp}}})
     218 * '''upload_tmp_dir''': should be in the partition where data will end, sane default is often {{{/var/tmp}}} (instead of {{{/tmp}}})
    219219 * '''allow_url_fopen''' should be '''off''' (if turned on, a simple directory traversal attack turns into a remote exploit). This can be mitigated by being activated and setting {{{allow_url_include = off}}}, nonetheless CURL is a far better match if the application needs to be a FTP/HTTP client (safer, proper error handling, good documentation).
    220220 * '''session.gc_maxlifetime''': the default session expiration, often left as is by many applications. You'll want to have something like 30 days (2592000 seconds) if you know your application is quite sane with session handling (eg. file-based session storage with +1000 new sessions/day is quite a limit). With Debian, you especially need to know what {{{/etc/cron.d/php5}}} is for.
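Review bot: the reworded '''upload_tmp_dir''' item (v39 line 218) still gives no reason for preferring {{{/var/tmp}}} over {{{/tmp}}} beyond "the partition where data will end", so the softer "instead of" reads as a matter of taste; add the one-sentence rationale, namely that the uploaded temporary file is moved into the application's storage afterwards and a move across partitions degrades into a full copy of the file, which matters once the '''post_max_size''' item above allows 100M uploads. While touching the item, also state that the directory must exist and be writable by the web server user only, since an unwritable {{{upload_tmp_dir}}} silently breaks every upload.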
     
    223223
    224224 * If your application prefers '''mysqli''' over '''mysql''', go for it. Your best hope is that it will use parameter bindings (safer) and prepared statements (faster).
    225  * If your application only transforms image or modify them in a trival way (say adding some watermark), don't use '''gd''', use '''!ImageMagick''' as an external program (NOT the module). '''gd''' is bad at image transformation, and it is not safe nor efficient to have the image data in PHP memory space.
     225 * If your application only transforms image or modify them in a trival way (say adding some watermark), don't use '''gd''', use '''!ImageMagick''' as an external program (NOT the module). '''gd''' is bad at image transformation (poor algorithms, memory hungry/no streaming process), and it is not safe nor efficient to have the image data in PHP memory space.
    226226
    227227=== Module or FastCGI ? ===
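Review bot: the v39 line 225 adds the '''gd''' rationale but carries over the wording defects of v38 ("transforms image or modify them in a trival way"); fix them in the same edit, e.g. "transforms images or modifies them in a trivial way". More importantly, the item recommends running '''!ImageMagick''' as an external program as the "safer" option but gives no hardening condition: the advice should say that any user-controlled filename or option handed to that command line must be escaped ({{{escapeshellarg()}}} in PHP) and that the input file type should be validated before it reaches the converter, otherwise the comparison with in-process '''gd''' is not the one the sentence claims.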