Hi

On Sun, 3 Oct 2010 00:32:52 +0200 Jörg Sommer <jo...@alea.gnuu.de> wrote:

> would you add these options to the default settings of Apache's config
> for phpmyadmin? I'm running phpmyadmin with these options set and don't
> have any problems. Phpmyadmin does not use the PHP features url fopen or any
> of the functions to run a shell function or open a socket to the
> outside. To make life harder for bad boys who misuse functions of
> phpmyadmin, I think these features should be disabled. Also the
> restriction of open_basedir would be helpful.
>
> diff --git a/phpmyadmin/apache.conf b/phpmyadmin/apache.conf
> index 8c51ef4..16d5d49 100644
> --- a/phpmyadmin/apache.conf
> +++ b/phpmyadmin/apache.conf
> @@ -32,6 +32,11 @@ Alias /phpmyadmin /usr/share/phpmyadmin
> php_value display_errors Off
> php_flag log_errors On
> php_flag html_errors Off
> + php_admin_flag allow_url_fopen Off

This makes sense.

> + php_admin_flag safe_mode On

Safe mode is deprecated as of PHP 5.3.0, so it does not make sense to enable it now.

> + php_admin_value upload_tmp_dir /tmp
> + php_admin_value open_basedir
> /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/tmp/

I don't think overriding upload_tmp_dir from PHP configuration is a good idea, and without that I don't think it is possible to set open_basedir.

> + php_admin_value disable_functions
> exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen

According to documentation "This directive must be set in php.ini. For example, you cannot set this in httpd.conf."

--
Michal Čihař | http://cihar.com | http://blog.cihar.com
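Review bot: The open_basedir value ends in the shared /tmp/ and upload_tmp_dir is pointed at /tmp, so the restriction still lets phpMyAdmin's PHP code open any file in the system-wide temporary directory that file permissions allow, including temporary files written by other applications. Pointing upload_tmp_dir at a directory used only by phpMyAdmin under /var/lib/phpmyadmin/, which is already in the list, would let /tmp/ be dropped from open_basedir. The php_admin_flag safe_mode On line relies on a feature the reply notes is deprecated as of PHP 5.3.0, and the disable_functions line is one the quoted documentation says cannot be set in httpd.conf, so neither should be counted on as a control here; the restriction on those functions belongs in php.ini.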