[UPDATE] www/php5

Max Varencov
Hi,

Here is a diff for PHP 5.3.1 with suhosin patch.

Removed extensions:
  - ncurses
  - mhash
  - pspell
  - dbase

New extensions:
  - phar
  - fileinfo
  - enchant
  - sqlite3

Extensions mysql, mysqli and pdo_mysql now use mysqlnd.

PHP release announcement: http://php.net/releases/5_3_0.php
PHP release changelog: http://www.php.net/ChangeLog-5.php#5.3.1

Tested on current OpenBSD amd64 and i386.

Ok? Any comments?


Re: [UPDATE] www/php5

Robert Nagy
Hi

This is a no go.

Please provide a separate port for php 5.3.

On (2009-12-02 01:48), Max Varencov wrote:

> Hi,
>
> Here is a diff for PHP 5.3.1 with suhosin patch.
>
> Removed extensions:
>  - ncurses
>  - mhash
>  - pspell
>  - dbase
>
> New extensions:
>  - phar
>  - fileinfo
>  - enchant
>  - sqlite3
>
> Extensions mysql, mysqli and pdo_mysql now use mysqlnd.
>
> PHP release announcement: http://php.net/releases/5_3_0.php
> PHP release changelog: http://www.php.net/ChangeLog-5.php#5.3.1
>
> Tested on current OpenBSD amd64 and i386.
>
> Ok? Any comments?

> Index: Makefile.inc
> ===================================================================
> RCS file: /cvs/ports/www/php5/Makefile.inc,v
> retrieving revision 1.29
> diff -N -u -r1.29 Makefile.inc
> --- Makefile.inc 21 Sep 2009 20:04:24 -0000 1.29
> +++ Makefile.inc 1 Dec 2009 22:42:30 -0000
> @@ -4,9 +4,9 @@
>  # and has Apache that supports DSO's.
>  NOT_FOR_ARCHS= ${NO_SHARED_ARCHS}
>  
> -V= 5.2.11
> +V= 5.3.1
>  SUHOSIN_V= 0.9.29
> -SUHOSIN_P_V= 0.9.7
> +SUHOSIN_P_V= 0.9.8
>  
>  DISTNAME?= php-${V}
>  CATEGORIES= www lang
> @@ -18,8 +18,7 @@
>   http://se.php.net/distributions/ \
>   http://no.php.net/distributions/ \
>   http://uk.php.net/distributions/
> -MASTER_SITES0= http://blade2k.humppa.hu/ \
> - http://download.suhosin.org/
> +MASTER_SITES0= http://download.suhosin.org/
>  
>  # UPGRADERS: please read BOTH the PHP and Zend licenses
>  # and make sure they are safe before an upgrade
> @@ -59,7 +58,7 @@
>   --with-pic
>  
>  # default included extensions
> -CONFIGURE_ARGS+= --with-openssl \
> +CONFIGURE_ARGS+= --with-openssl \
>   --with-zlib
>  
>  REGRESS_TARGET= test
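Review bot: the --with-openssl hunk is a whitespace-only change (the "-" and "+" lines are otherwise identical); drop it so the Makefile.inc part of the diff is just the version bump and the MASTER_SITES0 edit.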
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/www/php5/distinfo,v
> retrieving revision 1.24
> diff -N -u -r1.24 distinfo
> --- distinfo 21 Sep 2009 20:04:24 -0000 1.24
> +++ distinfo 1 Dec 2009 22:42:30 -0000
> @@ -1,15 +1,15 @@
> -MD5 (php-5.2.11.tar.gz) = AiPXHw1ph8BsVLdVf/R/HQ==
> +MD5 (php-5.3.1.tar.gz) = QfuzaNhqyxP8NRllfSd2gQ==
>  MD5 (suhosin-0.9.29.tgz) = 48WZ5+NE6YH5NbLauQWSwQ==
> -MD5 (suhosin-patch-5.2.11-0.9.7.patch.gz) = j53k2X+ubroWPPNplQmiYA==
> -RMD160 (php-5.2.11.tar.gz) = Yxiaev6Xnk64S0z33Kn3PKdICxo=
> +MD5 (suhosin-patch-5.3.1-0.9.8.patch.gz) = v3X+OpvajHoEHYYZfW2gmg==
> +RMD160 (php-5.3.1.tar.gz) = 52x7dFK3TOGYz3aNYYbuGL5yvyk=
>  RMD160 (suhosin-0.9.29.tgz) = P7Hyka93d4WMoAkeXqbaQA9QabU=
> -RMD160 (suhosin-patch-5.2.11-0.9.7.patch.gz) = D21EKqzjTCIfn7/0KmPn87RInxU=
> -SHA1 (php-5.2.11.tar.gz) = Xl+ACzsiuR6gln5/bLjN7AzLqkc=
> +RMD160 (suhosin-patch-5.3.1-0.9.8.patch.gz) = 0BMz1VqCiFBgYAU74xwAok3RSDY=
> +SHA1 (php-5.3.1.tar.gz) = 6yH7rLuTme1t3CbYJwJeHDztPYw=
>  SHA1 (suhosin-0.9.29.tgz) = L6fHFqMucfu1d/w6n+r0bXg6UBs=
> -SHA1 (suhosin-patch-5.2.11-0.9.7.patch.gz) = JIQZMyEx78U/MwbCpXpLGp3JLME=
> -SHA256 (php-5.2.11.tar.gz) = BhK1MtNJoqty4k+MUpKhkFaAwiimiUjp88EM+iloEIM=
> +SHA1 (suhosin-patch-5.3.1-0.9.8.patch.gz) = Bd7NMio0wsBxvV9jNFfkKAq6PQ0=
> +SHA256 (php-5.3.1.tar.gz) = hbHrGRrDKAUs6IFZ1/eR83DeDs2hVZUMs/TKQRLzWxA=
>  SHA256 (suhosin-0.9.29.tgz) = OsOn0updwnGJ+tt5RdoMrxj+IshzaUBLwy18+ArpU3k=
> -SHA256 (suhosin-patch-5.2.11-0.9.7.patch.gz) = OS8QybfZxH8w6Yn7d3XMRtNhU7kzv3rJzNiCaylUWEs=
> -SIZE (php-5.2.11.tar.gz) = 11692714
> +SHA256 (suhosin-patch-5.3.1-0.9.8.patch.gz) = xfkTDpruw/atl0Aar894zIxXvTZ3VevcsUsBE7RGyug=
> +SIZE (php-5.3.1.tar.gz) = 13612553
>  SIZE (suhosin-0.9.29.tgz) = 116137
> -SIZE (suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050
> +SIZE (suhosin-patch-5.3.1-0.9.8.patch.gz) = 38180
> Index: core/Makefile
> ===================================================================
> RCS file: /cvs/ports/www/php5/core/Makefile,v
> retrieving revision 1.52
> diff -N -u -r1.52 core/Makefile
> --- core/Makefile 1 Oct 2009 12:22:32 -0000 1.52
> +++ core/Makefile 1 Dec 2009 22:42:30 -0000
> @@ -4,7 +4,7 @@
>  COMMENT-fastcgi=stand-alone FastCGI version of PHP
>  
>  PKGNAME= php5-core-${V}
> -PKGNAME-main= php5-core-${V}p0
> +PKGNAME-main= php5-core-${V}
>  PKGNAME-fastcgi=php5-fastcgi-${V}
>  
>  DISTFILES= php-${V}.tar.gz
> @@ -32,11 +32,12 @@
>   --enable-zend-multibyte \
>   --without-sqlite \
>   --without-pdo-sqlite \
> + --without-sqlite3 \
> + --disable-phar \
> + --disable-fileinfo \
>   --with-pear=${LOCALBASE}/share/php5 \
> - --enable-fastcgi \
> - --enable-force-cgi-redirect \
>   --with-config-file-scan-dir=${PHP_CONFIG_PATH}/php5
> -
> +
>  MODULES= devel/gettext
>  
>  # some variables to substitute
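Review bot: the removal of --enable-fastcgi and --enable-force-cgi-redirect needs a sentence in the commit message. PHP 5.3 dropped both configure switches: the CGI binary always has FastCGI built in, and the redirect check is now the runtime cgi.force_redirect ini setting (on by default), so the protection the php5-fastcgi subpackage used to get at compile time now depends on that setting not being switched off in php.ini. The "-"/"+" pair of blank lines after --with-config-file-scan-dir is a whitespace-only change and should be dropped.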
> @@ -71,7 +72,7 @@
>   @perl -pi -e "s,!!PREFIX!!,${TRUEPREFIX},g" \
>   ${PREFIX}/share/examples/php5/php5.conf
>  
> -.for i in dist recommended
> +.for i in production development
>   @sed -e 's,MODULES_DIR,${MODULES_DIR},' \
>       -e 's,OPENBSD_INCLUDE_PATH,/pear/lib:${CHROOT_DIR}/pear/lib,' \
>   <${WRKSRC}/php.ini-${i} \
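Review bot: which of the two templates ends up as the @sample php.ini is not visible in this hunk (PLIST-main still carries "@sample ${PHP_CONFIG_PATH}/php.ini"); make sure it is generated from php.ini-production, the 5.3 replacement for php.ini-recommended, since php.ini-development turns display_errors on, which is not a default a packaged server should ship with.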
> Index: core/patches/patch-ext_mysqlnd_config9_m4
> ===================================================================
> RCS file: core/patches/patch-ext_mysqlnd_config9_m4
> diff -N -u core/patches/patch-ext_mysqlnd_config9_m4
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ core/patches/patch-ext_mysqlnd_config9_m4 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,10 @@
> +--- ext/mysqlnd/config9.m4.orig Fri Nov 20 23:52:11 2009
> ++++ ext/mysqlnd/config9.m4 Fri Nov 20 23:53:48 2009
> +@@ -9,6 +9,7 @@
> +                             Note: This forces ZTS on!], no, no)
> +
> + dnl If some extension uses mysqlnd it will get compiled in PHP core
> ++PHP_MYSQLND_ENABLED="yes"
> + if test "$PHP_MYSQLND_ENABLED" = "yes"; then
> +   mysqlnd_sources="mysqlnd.c mysqlnd_charset.c mysqlnd_wireprotocol.c \
> +                    mysqlnd_ps.c mysqlnd_loaddata.c mysqlnd_palloc.c \
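Review bot: hard-coding PHP_MYSQLND_ENABLED="yes" in ext/mysqlnd/config9.m4 makes the enable test below it unconditional and forces mysqlnd into php5-core even on builds using the no_mysql, no_mysqli and no_pdo_mysql flavours. If the aim is to have mysqlnd compiled into the core so the shared mysql extensions can link against it, is there no configure switch in 5.3.1 that does the same without a local patch? If there is, prefer it in CONFIGURE_ARGS. The new patch file also lacks the $OpenBSD$ tag line that the existing files in core/patches start with.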
> Index: core/patches/patch-ext_spl_php_spl_c
> ===================================================================
> RCS file: core/patches/patch-ext_spl_php_spl_c
> diff -N -u core/patches/patch-ext_spl_php_spl_c
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ core/patches/patch-ext_spl_php_spl_c 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,29 @@
> +--- ext/spl/php_spl.c.orig Tue Jun 30 14:41:48 2009
> ++++ ext/spl/php_spl.c Tue Jun 30 14:42:14 2009
> +@@ -708,7 +708,7 @@
> +
> + PHPAPI void php_spl_object_hash(zval *obj, char *result TSRMLS_DC) /* {{{*/
> + {
> +- intptr_t hash_handle, hash_handlers;
> ++ zend_intptr_t hash_handle, hash_handlers;
> + char *hex;
> +
> + if (!SPL_G(hash_mask_init)) {
> +@@ -716,13 +716,13 @@
> + php_mt_srand(GENERATE_SEED() TSRMLS_CC);
> + }
> +
> +- SPL_G(hash_mask_handle)   = (intptr_t)(php_mt_rand(TSRMLS_C) >> 1);
> +- SPL_G(hash_mask_handlers) = (intptr_t)(php_mt_rand(TSRMLS_C) >> 1);
> ++ SPL_G(hash_mask_handle)   = (zend_intptr_t)(php_mt_rand(TSRMLS_C) >> 1);
> ++ SPL_G(hash_mask_handlers) = (zend_intptr_t)(php_mt_rand(TSRMLS_C) >> 1);
> + SPL_G(hash_mask_init) = 1;
> + }
> +
> +- hash_handle   = SPL_G(hash_mask_handle)^(intptr_t)Z_OBJ_HANDLE_P(obj);
> +- hash_handlers = SPL_G(hash_mask_handlers)^(intptr_t)Z_OBJ_HT_P(obj);
> ++ hash_handle   = SPL_G(hash_mask_handle)^(zend_intptr_t)Z_OBJ_HANDLE_P(obj);
> ++ hash_handlers = SPL_G(hash_mask_handlers)^(zend_intptr_t)Z_OBJ_HT_P(obj);
> +
> + spprintf(&hex, 32, "%016x%016x", hash_handle, hash_handlers);
> +
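Review bot: this and the companion php_spl.h patch that follows only rename intptr_t to zend_intptr_t; the reason is not obvious from the patch itself (which arch or header combination breaks), so state it in the commit message and in a comment line at the top of the patch, and add the $OpenBSD$ tag line. Both files must be applied together, which they are, but that is worth saying too so neither gets dropped alone at the next update.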
> Index: core/patches/patch-ext_spl_php_spl_h
> ===================================================================
> RCS file: core/patches/patch-ext_spl_php_spl_h
> diff -N -u core/patches/patch-ext_spl_php_spl_h
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ core/patches/patch-ext_spl_php_spl_h 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,13 @@
> +--- ext/spl/php_spl.h.orig Tue Jun 30 14:40:44 2009
> ++++ ext/spl/php_spl.h Tue Jun 30 14:41:24 2009
> +@@ -65,8 +65,8 @@
> + HashTable *  autoload_functions;
> + int          autoload_running;
> + int          autoload_extensions_len;
> +- intptr_t     hash_mask_handle;
> +- intptr_t     hash_mask_handlers;
> ++ zend_intptr_t     hash_mask_handle;
> ++ zend_intptr_t     hash_mask_handlers;
> + int          hash_mask_init;
> + ZEND_END_MODULE_GLOBALS(spl)
> +
> Index: core/patches/patch-sapi_cgi_cgi_main_c
> ===================================================================
> RCS file: core/patches/patch-sapi_cgi_cgi_main_c
> diff -N -u core/patches/patch-sapi_cgi_cgi_main_c
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ core/patches/patch-sapi_cgi_cgi_main_c 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,24 @@
> +--- sapi/cgi/cgi_main.c.orig Wed Jun 17 23:28:52 2009
> ++++ sapi/cgi/cgi_main.c Tue Jun 30 13:43:12 2009
> +@@ -1460,6 +1460,7 @@
> + char *orig_optarg = php_optarg;
> + char *script_file = NULL;
> + int ini_entries_len = 0;
> ++ char *ini;
> + /* end of temporary locals */
> +
> + #ifdef ZTS
> +@@ -1509,8 +1510,12 @@
> + tsrm_ls = ts_resource(0);
> + #endif
> +
> ++ if ((ini = getenv("PHP_INI_PATH"))) {
> ++ cgi_sapi_module.php_ini_path_override = ini;
> ++ } else {
> ++ cgi_sapi_module.php_ini_path_override = NULL;
> ++ }
> + sapi_startup(&cgi_sapi_module);
> +- cgi_sapi_module.php_ini_path_override = NULL;
> +
> + #ifdef PHP_WIN32
> + _fmode = _O_BINARY; /* sets default for file streams to binary */
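Review bot: this is the existing patch-sapi_cgi_main_c (removed further down) re-created under the name the ports convention produces for sapi/cgi/cgi_main.c, with the hunk offsets adjusted to the 5.3.1 source; the body is unchanged. Add the $OpenBSD$ tag line, and a one-line comment above the getenv() saying the PHP_INI_PATH override exists so a chrooted httpd can point php-cgi at its own php.ini would help the next updater. Since the value is trusted as-is for the ini path, it should only ever come from the server configuration, never from anything request-derived; a sentence to that effect in the fastcgi package's README is cheap.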
> Index: core/patches/patch-sapi_cgi_config9_m4
> ===================================================================
> RCS file: /cvs/ports/www/php5/core/patches/patch-sapi_cgi_config9_m4,v
> retrieving revision 1.4
> diff -N -u -r1.4 core/patches/patch-sapi_cgi_config9_m4
> --- core/patches/patch-sapi_cgi_config9_m4 5 Sep 2007 09:11:34 -0000 1.4
> +++ core/patches/patch-sapi_cgi_config9_m4 1 Dec 2009 22:42:30 -0000
> @@ -1,7 +1,6 @@
> -$OpenBSD: patch-sapi_cgi_config9_m4,v 1.4 2007/09/05 09:11:34 robert Exp $
> ---- sapi/cgi/config9.m4.orig Thu Jul 12 01:20:36 2007
> -+++ sapi/cgi/config9.m4 Fri Aug 31 09:33:21 2007
> -@@ -25,7 +25,6 @@ PHP_ARG_ENABLE(path-info-check,,
> +--- sapi/cgi/config9.m4.orig Mon Oct  1 16:40:54 2007
> ++++ sapi/cgi/config9.m4 Thu Jul  2 15:56:41 2009
> +@@ -8,7 +8,6 @@
>   dnl
>   dnl CGI setup
>   dnl
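Review bot: this hunk deletes the "$OpenBSD: patch-sapi_cgi_config9_m4,v 1.4 ..." line rather than keeping it; every patch in the tree starts with that tag and CVS re-expands it on commit, so leave the line in place.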
> @@ -9,17 +8,19 @@
>     AC_MSG_CHECKING(whether to build CGI binary)
>     if test "$PHP_CGI" != "no"; then
>       AC_MSG_RESULT(yes)
> -@@ -86,7 +85,8 @@ if test "$PHP_SAPI" = "default"; then
> +@@ -54,8 +53,9 @@
>  
>       dnl Set install target and select SAPI
>       INSTALL_IT="@echo \"Installing PHP CGI binary: \$(INSTALL_ROOT)\$(bindir)/\"; \$(INSTALL) -m 0755 \$(SAPI_CGI_PATH) \$(INSTALL_ROOT)\$(bindir)/\$(program_prefix)php-cgi\$(program_suffix)\$(EXEEXT)"
> --    PHP_SELECT_SAPI(cgi, program, $PHP_FCGI_FILES cgi_main.c getopt.c,, '$(SAPI_CGI_PATH)')
> -+    PHP_ADD_SOURCES(sapi/cgi, $PHP_FCGI_FILES cgi_main.c getopt.c,, cgi)
> +-    PHP_SELECT_SAPI(cgi, program, cgi_main.c fastcgi.c,, '$(SAPI_CGI_PATH)')
> +-
>  +    PHP_ADD_SOURCES(/main, internal_functions.c,,cgi)
> -
> ++    PHP_ADD_SOURCES(/sapi/cgi, $PHP_FCGI_FILES cgi_main.c fastcgi.c,, cgi)
> ++    
>       case $host_alias in
>         *aix*)
> -@@ -96,17 +96,26 @@ if test "$PHP_SAPI" = "default"; then
> +         BUILD_CGI="echo '\#! .' > php.sym && echo >>php.sym && nm -BCpg \`echo \$(PHP_GLOBAL_OBJS) \$(PHP_SAPI_OBJS) | sed 's/\([A-Za-z0-9_]*\)\.lo/\1.o/g'\` | \$(AWK) '{ if (((\$\$2 == \"T\") || (\$\$2 == \"D\") || (\$\$2 == \"B\")) && (substr(\$\$3,1,1) != \".\")) { print \$\$3 } }' | sort -u >> php.sym && \$(LIBTOOL) --mode=link \$(CC) -export-dynamic \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(EXTRA_LDFLAGS_PROGRAM) \$(LDFLAGS) -Wl,-brtl -Wl,-bE:php.sym \$(PHP_RPATHS) \$(PHP_GLOBAL_OBJS) \$(PHP_SAPI_OBJS) \$(EXTRA_LIBS) \$(ZEND_EXTRA_LIBS) -o \$(SAPI_CGI_PATH)"
> +@@ -64,17 +64,26 @@
>           BUILD_CGI="\$(CC) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(EXTRA_LDFLAGS_PROGRAM) \$(LDFLAGS) \$(NATIVE_RPATHS) \$(PHP_GLOBAL_OBJS:.lo=.o) \$(PHP_SAPI_OBJS:.lo=.o) \$(PHP_FRAMEWORKS) \$(EXTRA_LIBS) \$(ZEND_EXTRA_LIBS) -o \$(SAPI_CGI_PATH)"
>         ;;
>         *)
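Review bot: the new "++    " line carries trailing whitespace. More substantively, the upstream line being replaced no longer mentions $PHP_FCGI_FILES (it is plain "cgi_main.c fastcgi.c" in 5.3), yet the replacement PHP_ADD_SOURCES still passes "$PHP_FCGI_FILES cgi_main.c fastcgi.c"; if 5.3's config9.m4 no longer sets that variable it expands to nothing and should be dropped from the patch.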
> Index: core/patches/patch-sapi_cgi_main_c
> ===================================================================
> RCS file: /cvs/ports/www/php5/core/patches/patch-sapi_cgi_main_c,v
> retrieving revision 1.1
> diff -N -u -r1.1 core/patches/patch-sapi_cgi_main_c
> --- core/patches/patch-sapi_cgi_main_c 10 Mar 2009 22:07:22 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,25 +0,0 @@
> ---- sapi/cgi/cgi_main.c.orig Tue Mar 10 20:48:33 2009
> -+++ sapi/cgi/cgi_main.c Tue Mar 10 21:02:07 2009
> -@@ -1323,7 +1323,7 @@ int main(int argc, char *argv[])
> - char *orig_optarg = php_optarg;
> - char *script_file = NULL;
> - int ini_entries_len = 0;
> --
> -+ char *ini;
> - /* end of temporary locals */
> - #ifdef ZTS
> - void ***tsrm_ls;
> -@@ -1375,8 +1375,12 @@ int main(int argc, char *argv[])
> - tsrm_ls = ts_resource(0);
> - #endif
> -
> -+ if ((ini = getenv("PHP_INI_PATH"))) {
> -+ cgi_sapi_module.php_ini_path_override = ini;
> -+ } else {
> -+ cgi_sapi_module.php_ini_path_override = NULL;
> -+ }
> - sapi_startup(&cgi_sapi_module);
> -- cgi_sapi_module.php_ini_path_override = NULL;
> -
> - #ifdef PHP_WIN32
> - _fmode = _O_BINARY; /* sets default for file streams to binary */
> Index: core/pkg/DESCR-main
> ===================================================================
> RCS file: /cvs/ports/www/php5/core/pkg/DESCR-main,v
> retrieving revision 1.3
> diff -N -u -r1.3 core/pkg/DESCR-main
> --- core/pkg/DESCR-main 1 Apr 2007 21:37:27 -0000 1.3
> +++ core/pkg/DESCR-main 1 Dec 2009 22:42:30 -0000
> @@ -8,11 +8,3 @@
>  
>  This package installs a stand-alone binary which can be used for
>  command-line scripts, as well as an Apache module.
> -
> -By default this port uses the suhosin patch.
> -The suhosin patch adds security hardening features to PHP
> -to protect your servers on the one hand against a number of
> -well known problems in PHP applications and on the other hand
> -against potential unknown vulnerabilities within those
> -applications or the PHP core itself.
> -http://www.hardened-php.net/suhosin/index.html
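Review bot: removing the suhosin paragraph from DESCR-main drops the only user-facing statement that the package is built with the suhosin patch by default, while Makefile.inc still sets SUHOSIN_V and SUHOSIN_P_V and PLIST-main keeps the !%%no_suhosin%% fragment, so the hardening is still applied; either keep the paragraph (updating the URL if it has moved) or explain in the commit message why it goes.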
> Index: core/pkg/PLIST-main
> ===================================================================
> RCS file: /cvs/ports/www/php5/core/pkg/PLIST-main,v
> retrieving revision 1.12
> diff -N -u -r1.12 core/pkg/PLIST-main
> --- core/pkg/PLIST-main 1 Oct 2009 12:22:32 -0000 1.12
> +++ core/pkg/PLIST-main 1 Dec 2009 22:42:30 -0000
> @@ -1,4 +1,4 @@
> -@comment $OpenBSD: PLIST-main,v 1.12 2009/10/01 12:22:32 ajacoutot Exp $
> +@comment $OpenBSD: PLIST-main,v 1.10 2009/04/29 11:36:58 sthen Exp $
>  @conflict php4-core-*
>  @pkgpath www/php5/core
>  @pkgpath www/php5/core,hardened
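Review bot: the @comment tag is being changed to an older revision (1.12 from 2009/10/01 down to 1.10 from 2009/04/29), which looks like the diff was generated from a stale checkout; leave the existing $OpenBSD$ line untouched and regenerate the diff against current.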
> @@ -11,8 +11,8 @@
>  @man man/man1/php.1
>  @man man/man1/phpize.1
>  share/examples/php5/
> -share/examples/php5/php.ini-dist
> -share/examples/php5/php.ini-recommended
> +share/examples/php5/php.ini-development
> +share/examples/php5/php.ini-production
>  @sample ${PHP_CONFIG_PATH}/php.ini
>  share/examples/php5/php5.conf
>  @sample ${PHP_CONFIG_PATH}/modules.sample/php5.conf
> @@ -44,12 +44,13 @@
>  share/php5/include/TSRM/tsrm_virtual_cwd.h
>  share/php5/include/TSRM/tsrm_win32.h
>  share/php5/include/Zend/
> -share/php5/include/Zend/FlexLexer.h
>  share/php5/include/Zend/acconfig.h
>  share/php5/include/Zend/zend.h
>  share/php5/include/Zend/zend_API.h
>  share/php5/include/Zend/zend_alloc.h
> +share/php5/include/Zend/zend_build.h
>  share/php5/include/Zend/zend_builtin_functions.h
> +share/php5/include/Zend/zend_closures.h
>  share/php5/include/Zend/zend_compile.h
>  share/php5/include/Zend/zend_config.h
>  share/php5/include/Zend/zend_config.nw.h
> @@ -61,6 +62,8 @@
>  share/php5/include/Zend/zend_execute.h
>  share/php5/include/Zend/zend_extensions.h
>  share/php5/include/Zend/zend_fast_cache.h
> +share/php5/include/Zend/zend_float.h
> +share/php5/include/Zend/zend_gc.h
>  share/php5/include/Zend/zend_globals.h
>  share/php5/include/Zend/zend_globals_macros.h
>  share/php5/include/Zend/zend_hash.h
> @@ -69,11 +72,13 @@
>  share/php5/include/Zend/zend_ini.h
>  share/php5/include/Zend/zend_ini_parser.h
>  share/php5/include/Zend/zend_ini_scanner.h
> +share/php5/include/Zend/zend_ini_scanner_defs.h
>  share/php5/include/Zend/zend_interfaces.h
>  share/php5/include/Zend/zend_istdiostream.h
>  share/php5/include/Zend/zend_iterators.h
>  share/php5/include/Zend/zend_language_parser.h
>  share/php5/include/Zend/zend_language_scanner.h
> +share/php5/include/Zend/zend_language_scanner_defs.h
>  share/php5/include/Zend/zend_list.h
>  share/php5/include/Zend/zend_llist.h
>  share/php5/include/Zend/zend_modules.h
> @@ -105,6 +110,15 @@
>  share/php5/include/ext/date/php_date.h
>  share/php5/include/ext/dom/
>  share/php5/include/ext/dom/xml_common.h
> +share/php5/include/ext/ereg/
> +share/php5/include/ext/ereg/php_ereg.h
> +share/php5/include/ext/ereg/php_regex.h
> +share/php5/include/ext/ereg/regex/
> +share/php5/include/ext/ereg/regex/cclass.h
> +share/php5/include/ext/ereg/regex/cname.h
> +share/php5/include/ext/ereg/regex/regex.h
> +share/php5/include/ext/ereg/regex/regex2.h
> +share/php5/include/ext/ereg/regex/utils.h
>  share/php5/include/ext/filter/
>  share/php5/include/ext/filter/php_filter.h
>  share/php5/include/ext/hash/
> @@ -115,6 +129,7 @@
>  share/php5/include/ext/hash/php_hash_haval.h
>  share/php5/include/ext/hash/php_hash_md.h
>  share/php5/include/ext/hash/php_hash_ripemd.h
> +share/php5/include/ext/hash/php_hash_salsa.h
>  share/php5/include/ext/hash/php_hash_sha.h
>  share/php5/include/ext/hash/php_hash_snefru.h
>  share/php5/include/ext/hash/php_hash_tiger.h
> @@ -130,6 +145,8 @@
>  share/php5/include/ext/iconv/php_iconv_supports_errno.h
>  share/php5/include/ext/iconv/php_php_iconv_h_path.h
>  share/php5/include/ext/iconv/php_php_iconv_impl.h
> +share/php5/include/ext/json/
> +share/php5/include/ext/json/php_json.h
>  share/php5/include/ext/libxml/
>  share/php5/include/ext/libxml/php_libxml.h
>  share/php5/include/ext/pcre/
> @@ -151,12 +168,14 @@
>  share/php5/include/ext/spl/php_spl.h
>  share/php5/include/ext/spl/spl_array.h
>  share/php5/include/ext/spl/spl_directory.h
> +share/php5/include/ext/spl/spl_dllist.h
>  share/php5/include/ext/spl/spl_engine.h
>  share/php5/include/ext/spl/spl_exceptions.h
> +share/php5/include/ext/spl/spl_fixedarray.h
>  share/php5/include/ext/spl/spl_functions.h
> +share/php5/include/ext/spl/spl_heap.h
>  share/php5/include/ext/spl/spl_iterators.h
>  share/php5/include/ext/spl/spl_observer.h
> -share/php5/include/ext/spl/spl_sxe.h
>  share/php5/include/ext/standard/
>  share/php5/include/ext/standard/base64.h
>  share/php5/include/ext/standard/basic_functions.h
> @@ -164,6 +183,7 @@
>  share/php5/include/ext/standard/credits.h
>  share/php5/include/ext/standard/credits_ext.h
>  share/php5/include/ext/standard/credits_sapi.h
> +share/php5/include/ext/standard/crypt_freesec.h
>  share/php5/include/ext/standard/css.h
>  share/php5/include/ext/standard/cyr_convert.h
>  share/php5/include/ext/standard/datetime.h
> @@ -183,8 +203,8 @@
>  share/php5/include/ext/standard/php_assert.h
>  share/php5/include/ext/standard/php_browscap.h
>  share/php5/include/ext/standard/php_crypt.h
> +share/php5/include/ext/standard/php_crypt_r.h
>  share/php5/include/ext/standard/php_dir.h
> -share/php5/include/ext/standard/php_dns.h
>  share/php5/include/ext/standard/php_ext_syslog.h
>  share/php5/include/ext/standard/php_filestat.h
>  share/php5/include/ext/standard/php_fopen_wrappers.h
> @@ -209,13 +229,13 @@
>  share/php5/include/ext/standard/php_versioning.h
>  share/php5/include/ext/standard/proc_open.h
>  share/php5/include/ext/standard/quot_print.h
> -share/php5/include/ext/standard/reg.h
>  share/php5/include/ext/standard/scanf.h
>  share/php5/include/ext/standard/sha1.h
>  share/php5/include/ext/standard/streamsfuncs.h
>  share/php5/include/ext/standard/uniqid.h
>  share/php5/include/ext/standard/url.h
>  share/php5/include/ext/standard/url_scanner_ex.h
> +share/php5/include/ext/standard/winver.h
>  share/php5/include/ext/xml/
>  share/php5/include/ext/xml/expat_compat.h
>  share/php5/include/ext/xml/php_xml.h
> @@ -223,7 +243,6 @@
>  share/php5/include/main/
>  share/php5/include/main/SAPI.h
>  share/php5/include/main/build-defs.h
> -share/php5/include/main/config.w32.h
>  share/php5/include/main/fopen_wrappers.h
>  share/php5/include/main/logos.h
>  share/php5/include/main/php.h
> @@ -231,6 +250,7 @@
>  share/php5/include/main/php_compat.h
>  share/php5/include/main/php_config.h
>  share/php5/include/main/php_content_types.h
> +share/php5/include/main/php_getopt.h
>  share/php5/include/main/php_globals.h
>  share/php5/include/main/php_ini.h
>  share/php5/include/main/php_logos.h
> @@ -240,7 +260,6 @@
>  share/php5/include/main/php_open_temporary_file.h
>  share/php5/include/main/php_output.h
>  share/php5/include/main/php_reentrancy.h
> -share/php5/include/main/php_regex.h
>  share/php5/include/main/php_scandir.h
>  share/php5/include/main/php_streams.h
>  share/php5/include/main/php_syslog.h
> @@ -254,21 +273,16 @@
>  share/php5/include/main/streams/
>  share/php5/include/main/streams/php_stream_context.h
>  share/php5/include/main/streams/php_stream_filter_api.h
> +share/php5/include/main/streams/php_stream_glob_wrapper.h
>  share/php5/include/main/streams/php_stream_mmap.h
>  share/php5/include/main/streams/php_stream_plain_wrapper.h
>  share/php5/include/main/streams/php_stream_transport.h
>  share/php5/include/main/streams/php_stream_userspace.h
>  share/php5/include/main/streams/php_streams_int.h
> -share/php5/include/main/win95nt.h
> -share/php5/include/regex/
> -share/php5/include/regex/cclass.h
> -share/php5/include/regex/cname.h
> -share/php5/include/regex/regex.h
> -share/php5/include/regex/regex2.h
> -share/php5/include/regex/regex_extra.h
> -share/php5/include/regex/utils.h
>  !%%no_suhosin%%
>  @mode 1777
>  @sample /var/www/tmp/
> +share/php5/include/main/win32_internal_function_disabled.h
> +share/php5/include/main/win95nt.h
>  @extraunexec rm -fr ${PHP_CONFIG_PATH}/php5/
>  @unexec-delete rm -fr ${PHP_CONFIG_PATH}/php5.sample/
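Review bot: win32_internal_function_disabled.h and win95nt.h are added after the "!%%no_suhosin%%", "@mode 1777" and "@sample /var/www/tmp/" lines instead of in sorted position under share/php5/include/main/ (where win95nt.h sat before). Unless a bare "@mode" reset follows outside this hunk, pkg_create applies "@mode 1777" to the files extracted after it, so those two headers would be installed world-writable with the sticky bit; move them back above the "!%%no_suhosin%%" line, which also restores the sorted order update-plist expects.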
> Index: extensions/Makefile
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/Makefile,v
> retrieving revision 1.53
> diff -N -u -r1.53 extensions/Makefile
> --- extensions/Makefile 12 Nov 2009 21:47:10 -0000 1.53
> +++ extensions/Makefile 1 Dec 2009 22:42:30 -0000
> @@ -1,6 +1,6 @@
>  # $OpenBSD: Makefile,v 1.53 2009/11/12 21:47:10 jasper Exp $
>  
> -FULLPKGNAME-main= php5-extensions-${V}p0
> +FULLPKGNAME-main= php5-extensions-${V}
>  COMMENT-main= informational package about PHP5 extensions
>  
>  MULTI_PACKAGES= -main
> @@ -64,17 +64,6 @@
>  LIB_DEPENDS-dba= gdbm.>=2::databases/gdbm
>  .endif
>  
> -# dbase
> -PSEUDO_FLAVORS+= no_dbase
> -.if ${FLAVOR:L:Mno_dbase}
> -CONFIGURE_ARGS+= --disable-dbase
> -.else
> -MULTI_PACKAGES+= -dbase
> -COMMENT-dbase= dBase database access extensions for php5
> -CONFIGURE_ARGS+= --enable-dbase=shared
> -LIB_DEPENDS-dbase=
> -.endif
> -
>  # gd
>  PSEUDO_FLAVORS+= no_gd
>  .if ${FLAVOR:L:Mno_gd}
> @@ -162,17 +151,6 @@
>  LIB_DEPENDS-mcrypt= mcrypt::security/libmcrypt ltdl.>=1::devel/libtool,-ltdl
>  .endif
>  
> -# mhash
> -PSEUDO_FLAVORS+= no_mhash
> -.if ${FLAVOR:L:Mno_mhash}
> -CONFIGURE_ARGS+= --without-mhash
> -.else
> -MULTI_PACKAGES+= -mhash
> -COMMENT-mhash= mhash extensions for php5
> -CONFIGURE_ARGS+= --with-mhash=shared,${LOCALBASE}
> -LIB_DEPENDS-mhash= mhash.>=2::security/mhash
> -.endif
> -
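Review bot: mhash going away as a separate package deserves a line in the commit message, since users will see php5-mhash disappear. In 5.3 the mhash_* functions are emulated by ext/hash, so scripts keep working provided php5-core is built with that emulation enabled; check whether core now needs --with-mhash in CONFIGURE_ARGS for the compatibility functions to be present.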
>  # mysql
>  PSEUDO_FLAVORS+= no_mysql
>  .if ${FLAVOR:L:Mno_mysql}
> @@ -180,8 +158,7 @@
>  .else
>  MULTI_PACKAGES+= -mysql
>  COMMENT-mysql= mysql database access extensions for php5
> -CONFIGURE_ARGS+= --with-mysql=shared,${LOCALBASE}
> -LIB_DEPENDS-mysql= lib/mysql/mysqlclient.>=10::databases/mysql
> +CONFIGURE_ARGS+= --with-mysql=shared,mysqlnd
>  .endif
>  
>  # mysqli
> @@ -191,27 +168,12 @@
>  .else
>  MULTI_PACKAGES+= -mysqli
>  COMMENT-mysqli= mysql database access extensions for php5
> -CONFIGURE_ARGS+= --with-mysqli=shared,${LOCALBASE}/bin/mysql_config
> -LIB_DEPENDS-mysqli= lib/mysql/mysqlclient.>=10::databases/mysql
> -WANTLIB-mysqli= ${WANTLIB} crypto ssl z
> +CONFIGURE_ARGS+= --with-mysqli=shared,mysqlnd
>  .endif
>  
> -# ncurses
> -PSEUDO_FLAVORS+= no_ncurses
> -.if ${FLAVOR:L:Mno_ncurses}
> -CONFIGURE_ARGS+= --without-ncurses
> -.else
> -MULTI_PACKAGES+= -ncurses
> -COMMENT-ncurses= ncurses extensions for php5
> -CONFIGURE_ARGS+= --with-ncurses=shared,${LOCALBASE}
> -LIB_DEPENDS-ncurses=
> -WANTLIB-ncurses= ${WANTLIB} ncurses panel
> -.endif
> -
>  # odbc
>  PSEUDO_FLAVORS+= no_odbc
>  .if ${FLAVOR:L:Mno_odbc}
> -CONFIGURE_ARGS+= --without-odbc
>  .else
>  MULTI_PACKAGES+= -odbc
>  COMMENT-odbc= odbc database access extensions for php5
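Review bot: the odbc block loses its "CONFIGURE_ARGS+= --without-odbc" line, leaving the ".if ${FLAVOR:L:Mno_odbc}" branch empty. If 5.3's configure no longer accepts --without-odbc, say so in the commit message and either put a comment in the empty branch or invert the test so the block reads as intended. The ncurses removal in the same hunk matches the list at the top of the mail and is fine.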
> @@ -226,9 +188,7 @@
>  .else
>  MULTI_PACKAGES+= -pdo_mysql
>  COMMENT-pdo_mysql= PDO mysql database access extensions for php5
> -CONFIGURE_ARGS+= --with-pdo-mysql=shared,${LOCALBASE}
> -LIB_DEPENDS-pdo_mysql= lib/mysql/mysqlclient.>=10::databases/mysql
> -WANTLIB-pdo_mysql= ${WANTLIB} crypto ssl z
> +CONFIGURE_ARGS+= --with-pdo-mysql=shared,mysqlnd
>  .endif
>  
>  # pdo-pgsql
> @@ -264,17 +224,6 @@
>  LIB_DEPENDS-pgsql= pq.>=2:postgresql-client-*:databases/postgresql
>  .endif
>  
> -# pspell
> -PSEUDO_FLAVORS+= no_pspell
> -.if ${FLAVOR:L:Mno_pspell}
> -CONFIGURE_ARGS+= --without-pspell
> -.else
> -MULTI_PACKAGES+= -pspell
> -COMMENT-pspell= pspell library extensions for php5
> -CONFIGURE_ARGS+= --with-pspell=shared,${LOCALBASE}
> -LIB_DEPENDS-pspell= aspell.>=16.0,pspell.>=16.0::textproc/aspell/core
> -.endif
> -
>  # shmop
>  PSEUDO_FLAVORS+= no_shmop
>  .if ${FLAVOR:L:Mno_shmop}
> @@ -289,7 +238,7 @@
>  # soap
>  PSEUDO_FLAVORS+= no_soap
>  .if ${FLAVOR:L:Mno_soap}
> -CONFIGURE_ARGS+= --without-soap
> +CONFIGURE_ARGS+= --disable-soap
>  .else
>  MULTI_PACKAGES+= -soap
>  COMMENT-soap= SOAP functions for php5
> @@ -364,6 +313,48 @@
>  CONFIGURE_ARGS+= --with-xsl=shared --enable-dom
>  LIB_DEPENDS-xsl= xslt.>=3,exslt::textproc/libxslt
>  WANTLIB-xsl= ${WANTLIB} iconv xml2 z
> +.endif
> +
> +# sqlite3
> +PSEUDO_FLAVORS+= no_sqlite3
> +.if ${FLAVOR:L:Mno_sqlite3}
> +CONFIGURE_ARGS+= --without-sqlite3
> +.else
> +MULTI_PACKAGES+= -sqlite3
> +COMMENT-sqlite3= sqlite3 database access extensions for php5
> +CONFIGURE_ARGS+= --with-sqlite3=shared,${LOCALBASE}
> +LIB_DEPENDS-sqlite3= sqlite.>=6::databases/sqlite3
> +.endif
> +
> +# enchant
> +PSEUDO_FLAVORS+=        no_enchant
> +.if ${FLAVOR:L:Mno_enchant}
> +CONFIGURE_ARGS+=        --without-enchant
> +.else
> +MULTI_PACKAGES+=        -enchant
> +COMMENT-enchant=        enchant library extensions for php5
> +CONFIGURE_ARGS+=        --with-enchant=shared,${LOCALBASE}
> +LIB_DEPENDS-enchant=    enchant.>=1.2.4::textproc/enchant
> +.endif
> +
> +# phar
> +PSEUDO_FLAVORS+=        no_phar
> +.if ${FLAVOR:L:Mno_phar}
> +CONFIGURE_ARGS+=        --disable-phar
> +.else
> +MULTI_PACKAGES+=        -phar
> +COMMENT-phar=           phar extensions for php5
> +CONFIGURE_ARGS+=        --enable-phar=shared
> +.endif
> +
> +# fileinfo
> +PSEUDO_FLAVORS+=        no_fileinfo
> +.if ${FLAVOR:L:Mno_fileinfo}
> +CONFIGURE_ARGS+=        --disable-fileinfo
> +.else
> +MULTI_PACKAGES+=        -fileinfo
> +COMMENT-fileinfo=       fileinfo extensions for php5
> +CONFIGURE_ARGS+=        --enable-fileinfo=shared
>  .endif
>  
>  .for i in ${MULTI_PACKAGES}
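Review bot: the four new blocks are appended after xsl, breaking the alphabetical order the file keeps (enchant and fileinfo belong after dba, phar after pgsql, sqlite3 after soap), and the enchant, phar and fileinfo blocks are aligned with runs of spaces where the rest of the file, including the new sqlite3 block, uses a single tab after "+=". Each new MULTI_PACKAGE also needs its PLIST-* file next to the DESCR-* files added below; the diff as quoted breaks off in DESCR-phar, so the PLIST-enchant, PLIST-fileinfo, PLIST-phar and PLIST-sqlite3 parts are not visible here for review.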
> Index: extensions/patches/patch-ext_gd_gdcache_h
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/patches/patch-ext_gd_gdcache_h,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/patches/patch-ext_gd_gdcache_h
> --- extensions/patches/patch-ext_gd_gdcache_h 2 Oct 2004 11:32:35 -0000 1.1
> +++ extensions/patches/patch-ext_gd_gdcache_h 1 Dec 2009 22:42:30 -0000
> @@ -1,4 +1,4 @@
> -$OpenBSD: patch-ext_gd_gdcache_h,v 1.1 2004/10/02 11:32:35 robert Exp $
> +$OpenBSD: patch-ext_gd_gdcache_h,v 1.1.1.1 2004/10/02 11:32:35 robert Exp $
>  --- ext/gd/gdcache.h.orig Sun Dec 28 22:08:46 2003
>  +++ ext/gd/gdcache.h Tue Jul 27 01:42:24 2004
>  @@ -41,6 +41,7 @@
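Review bot: the only change here is the $OpenBSD$ tag revision going from 1.1 to 1.1.1.1, i.e. vendor-branch keyword noise from the checkout; this hunk, and the identical one for patch-ext_gd_libgd_gdcache_h below, should not be in the diff.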
> Index: extensions/patches/patch-ext_gd_gdttf_c
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/patches/patch-ext_gd_gdttf_c,v
> retrieving revision 1.2
> diff -N -u -r1.2 extensions/patches/patch-ext_gd_gdttf_c
> --- extensions/patches/patch-ext_gd_gdttf_c 2 Jul 2007 08:53:17 -0000 1.2
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,12 +0,0 @@
> -$OpenBSD: patch-ext_gd_gdttf_c,v 1.2 2007/07/02 08:53:17 robert Exp $
> ---- ext/gd/gdttf.c.orig Sun Jan  9 22:05:05 2005
> -+++ ext/gd/gdttf.c Mon Jul  2 10:38:20 2007
> -@@ -712,7 +712,7 @@ gdttfchar(gdImage *im, int fg, font_t *font,
> - }
> - #if HAVE_LIBGD20
> - if (im->trueColor) {
> -- pixel = &im->tpixels[y3][x3];
> -+ pixel = (unsigned char *)&im->tpixels[y3][x3];
> - } else
> - #endif
> - {
> Index: extensions/patches/patch-ext_gd_libgd_gdcache_h
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/patches/patch-ext_gd_libgd_gdcache_h,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/patches/patch-ext_gd_libgd_gdcache_h
> --- extensions/patches/patch-ext_gd_libgd_gdcache_h 2 Oct 2004 11:32:35 -0000 1.1
> +++ extensions/patches/patch-ext_gd_libgd_gdcache_h 1 Dec 2009 22:42:30 -0000
> @@ -1,4 +1,4 @@
> -$OpenBSD: patch-ext_gd_libgd_gdcache_h,v 1.1 2004/10/02 11:32:35 robert Exp $
> +$OpenBSD: patch-ext_gd_libgd_gdcache_h,v 1.1.1.1 2004/10/02 11:32:35 robert Exp $
>  --- ext/gd/libgd/gdcache.h.orig Sun Dec 28 21:11:08 2003
>  +++ ext/gd/libgd/gdcache.h Tue Jul 27 02:21:28 2004
>  @@ -41,7 +41,7 @@
> Index: extensions/pkg/DESCR-dbase
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/DESCR-dbase,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/pkg/DESCR-dbase
> --- extensions/pkg/DESCR-dbase 2 Oct 2004 11:32:35 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,18 +0,0 @@
> -These functions allow you to access records stored in dBase-format
> -(dbf) databases.
> -
> -There is no support for indexes or memo fields. There is no support
> -for locking, too. Two concurrent webserver processes modifying the
> -same dBase file will very likely ruin your database.
> -
> -dBase files are simple sequential files of fixed length records.
> -Records are appended to the end of the file and delete records are
> -kept until you call dbase_pack().
> -
> -We recommend that you do not use dBase files as your production
> -database. Choose any real SQL server instead; MySQL or Postgres are
> -common choices with PHP. dBase support is here to allow you to
> -import and export data to and from your web database, because the
> -file format is commonly understood by Windows spreadsheets and
> -organizers.
> -
> Index: extensions/pkg/DESCR-enchant
> ===================================================================
> RCS file: extensions/pkg/DESCR-enchant
> diff -N -u extensions/pkg/DESCR-enchant
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/DESCR-enchant 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,4 @@
> +Enchant steps in to provide uniformity and conformity on top of all spelling
> +libraries, and implement certain features that may be lacking in any individual
> +provider library. Everything should "just work" for any and every definition
> +of "just working."
> Index: extensions/pkg/DESCR-fileinfo
> ===================================================================
> RCS file: extensions/pkg/DESCR-fileinfo
> diff -N -u extensions/pkg/DESCR-fileinfo
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/DESCR-fileinfo 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,4 @@
> +The functions in this module try to guess the content type and encoding of
> +a file by looking for certain magic byte sequences at specific positions
> +within the file. While this is not a bullet proof approach the heuristics
> +used do a very good job.
> Index: extensions/pkg/DESCR-mhash
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/DESCR-mhash,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/pkg/DESCR-mhash
> --- extensions/pkg/DESCR-mhash 2 Oct 2004 11:32:37 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,5 +0,0 @@
> -This is an interface to the mhash library. mhash supports a wide
> -variety of hash algorithms such as MD5, SHA1, GOST, and many others.
> -
> -Mhash can be used to create checksums, message digests, message
> -authentication codes, and more.
> Index: extensions/pkg/DESCR-ncurses
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/DESCR-ncurses,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/pkg/DESCR-ncurses
> --- extensions/pkg/DESCR-ncurses 2 Oct 2004 11:32:37 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,5 +0,0 @@
> -ncurses (new curses) is a free software emulation of curses in
> -System V Rel 4.0 (and above). It uses terminfo format, supports
> -pads, colors, multiple highlights, form characters and function key
> -mapping.
> -
> Index: extensions/pkg/DESCR-phar
> ===================================================================
> RCS file: extensions/pkg/DESCR-phar
> diff -N -u extensions/pkg/DESCR-phar
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/DESCR-phar 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,2 @@
> +The phar extension provides a way to put entire PHP applications into a single
> +file called a "phar" (PHP Archive) for easy distribution and installation.
> Index: extensions/pkg/DESCR-pspell
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/DESCR-pspell,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/pkg/DESCR-pspell
> --- extensions/pkg/DESCR-pspell 30 Mar 2008 11:59:56 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,2 +0,0 @@
> -These functions allow you to check the spelling of a word and offer suggestions.
> -More information about Pspell can be found at http://www.php.net/pspell.
> Index: extensions/pkg/DESCR-sqlite3
> ===================================================================
> RCS file: extensions/pkg/DESCR-sqlite3
> diff -N -u extensions/pkg/DESCR-sqlite3
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/DESCR-sqlite3 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,5 @@
> +These functions allow you to access SQLite 3.x databases.
> +More information about SQLite can be found at http://www.sqlite.org/.
> +
> +Documentation for SQLite can be found at
> +http://www.sqlite.org/docs.html.
> Index: extensions/pkg/PLIST-dbase
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/PLIST-dbase,v
> retrieving revision 1.4
> diff -N -u -r1.4 extensions/pkg/PLIST-dbase
> --- extensions/pkg/PLIST-dbase 5 Nov 2007 10:11:10 -0000 1.4
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,5 +0,0 @@
> -@comment $OpenBSD: PLIST-dbase,v 1.4 2007/11/05 10:11:10 robert Exp $
> -@conflict php4-dbase-*
> -@pkgpath www/php5/extensions,-dbase,hardened
> -conf/php5.sample/dbase.ini
> -lib/php/modules/dbase.so
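Review bot: deleting PLIST-dbase removes a subpackage that carried `@pkgpath www/php5/extensions,-dbase,hardened` and `@conflict php4-dbase-*`, so existing php5-dbase installs will find no successor package on update; the same holds for the mhash, ncurses and pspell PLIST removals below. State in the commit message, and ideally in a note to users, that these four extensions are gone with 5.3 so that a missing update candidate for those packages is expected rather than reported as breakage.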
> Index: extensions/pkg/PLIST-enchant
> ===================================================================
> RCS file: extensions/pkg/PLIST-enchant
> diff -N -u extensions/pkg/PLIST-enchant
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/PLIST-enchant 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,3 @@
> +@comment $OpenBSD: PLIST-enchant Exp $
> +conf/php5.sample/enchant.ini
> +lib/php/modules/enchant.so
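Review bot: the first line of the new PLIST-enchant is `@comment $OpenBSD: PLIST-enchant Exp $`, a hand-written keyword that CVS will rewrite on commit; new files in the ports tree use the bare form `@comment $OpenBSD$` and let CVS expand it. The same pre-expanded form appears in the new PLIST-fileinfo, PLIST-phar and PLIST-sqlite3 further down.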
> Index: extensions/pkg/PLIST-fileinfo
> ===================================================================
> RCS file: extensions/pkg/PLIST-fileinfo
> diff -N -u extensions/pkg/PLIST-fileinfo
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/PLIST-fileinfo 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,3 @@
> +@comment $OpenBSD: PLIST-fileinfo Exp $
> +conf/php5.sample/fileinfo.ini
> +lib/php/modules/fileinfo.so
> Index: extensions/pkg/PLIST-mhash
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/PLIST-mhash,v
> retrieving revision 1.4
> diff -N -u -r1.4 extensions/pkg/PLIST-mhash
> --- extensions/pkg/PLIST-mhash 5 Nov 2007 10:11:10 -0000 1.4
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,5 +0,0 @@
> -@comment $OpenBSD: PLIST-mhash,v 1.4 2007/11/05 10:11:10 robert Exp $
> -@conflict php4-mhash-*
> -@pkgpath www/php5/extensions,-mhash,hardened
> -conf/php5.sample/mhash.ini
> -lib/php/modules/mhash.so
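Review bot: dropping the mhash subpackage is consistent with PHP 5.3, where ext/hash carries the mhash_* functions as a compatibility layer, but nothing in this diff says so; a sentence in the commit message pointing php5-mhash users at the built-in hash extension (provided the port builds it) would save the question on the list.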
> Index: extensions/pkg/PLIST-ncurses
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/PLIST-ncurses,v
> retrieving revision 1.4
> diff -N -u -r1.4 extensions/pkg/PLIST-ncurses
> --- extensions/pkg/PLIST-ncurses 5 Nov 2007 10:11:10 -0000 1.4
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,5 +0,0 @@
> -@comment $OpenBSD: PLIST-ncurses,v 1.4 2007/11/05 10:11:10 robert Exp $
> -@conflict php4-ncurses-*
> -@pkgpath www/php5/extensions,-ncurses,hardened
> -conf/php5.sample/ncurses.ini
> -lib/php/modules/ncurses.so
> Index: extensions/pkg/PLIST-phar
> ===================================================================
> RCS file: extensions/pkg/PLIST-phar
> diff -N -u extensions/pkg/PLIST-phar
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/PLIST-phar 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,3 @@
> +@comment $OpenBSD: PLIST-phar Exp $
> +conf/php5.sample/phar.ini
> +lib/php/modules/phar.so
> Index: extensions/pkg/PLIST-pspell
> ===================================================================
> RCS file: /cvs/ports/www/php5/extensions/pkg/PLIST-pspell,v
> retrieving revision 1.1
> diff -N -u -r1.1 extensions/pkg/PLIST-pspell
> --- extensions/pkg/PLIST-pspell 30 Mar 2008 11:59:56 -0000 1.1
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,3 +0,0 @@
> -@comment $OpenBSD: PLIST-pspell,v 1.1 2008/03/30 11:59:56 robert Exp $
> -conf/php5.sample/pspell.ini
> -lib/php/modules/pspell.so
> Index: extensions/pkg/PLIST-sqlite3
> ===================================================================
> RCS file: extensions/pkg/PLIST-sqlite3
> diff -N -u extensions/pkg/PLIST-sqlite3
> --- /dev/null 1 Dec 2009 15:42:31 -0000
> +++ extensions/pkg/PLIST-sqlite3 1 Dec 2009 22:42:30 -0000
> @@ -0,0 +1,3 @@
> +@comment $OpenBSD: PLIST-sqlite3 Exp $
> +conf/php5.sample/sqlite3.ini
> +lib/php/modules/sqlite3.so
> Index: patches/patch-configure_in
> ===================================================================
> RCS file: /cvs/ports/www/php5/patches/patch-configure_in,v
> retrieving revision 1.12
> diff -N -u -r1.12 patches/patch-configure_in
> --- patches/patch-configure_in 9 Dec 2008 21:52:31 -0000 1.12
> +++ patches/patch-configure_in 1 Dec 2009 22:42:31 -0000
> @@ -1,18 +1,7 @@
> ---- configure.in.orig Tue Dec  9 22:04:42 2008
> -+++ configure.in Tue Dec  9 22:07:03 2008
> -@@ -354,8 +354,8 @@
> +--- configure.in.orig Fri Jun 19 01:01:03 2009
> ++++ configure.in Tue Jun 30 13:00:08 2009
> +@@ -983,7 +983,7 @@
>  
> - dnl Check for resolver routines.
> - dnl Need to check for both res_search and __res_search
> --dnl in -lc, -lbind, -lresolv and -lsocket
> --PHP_CHECK_FUNC(res_search, resolv, bind, socket)
> -+dnl in -lc, -lresolv and -lsocket
> -+PHP_CHECK_FUNC(res_search, resolv, socket)
> -
> - dnl Check for inet_aton and dn_skipname
> - dnl in -lc, -lbind and -lresolv
> -@@ -931,7 +931,7 @@
> -
>   case $php_build_target in
>     program|static)
>  -    standard_libtool_flag='-prefer-non-pic -static'
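Review bot: since this hunk rewrites the header of patch-configure_in anyway, add a `$OpenBSD$` line above the new `--- configure.in.orig` line (the old revision lacked one as well; patch-ext_standard_config_m4 below shows the expected layout). The res_search `PHP_CHECK_FUNC` edit that disappears here is not lost, it reappears in the config.m4 patch further down, which is where 5.3 moved that test.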
> @@ -20,7 +9,7 @@
>       if test -z "$PHP_MODULES" && test -z "$PHP_ZEND_EX"; then
>           enable_shared=no
>       fi
> -@@ -940,10 +940,10 @@
> +@@ -992,10 +992,10 @@
>       enable_static=no
>       case $with_pic in
>         yes)
> @@ -33,7 +22,7 @@
>           ;;
>       esac
>       EXTRA_LDFLAGS="$EXTRA_LDFLAGS -avoid-version -module"
> -@@ -1136,7 +1136,7 @@
> +@@ -1184,7 +1184,7 @@
>   EXPANDED_DATADIR=$datadir
>   EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"`
>   EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"`
> @@ -42,17 +31,16 @@
>  
>   exec_prefix=$old_exec_prefix
>   libdir=$old_libdir
> -@@ -1344,7 +1344,8 @@
> - INLINE_CFLAGS="$INLINE_CFLAGS $standard_libtool_flag"
> - CXXFLAGS="$CXXFLAGS $standard_libtool_flag"
> +@@ -1392,7 +1392,7 @@
> +   pharcmd_install=
> + fi;
>  
> --all_targets="$lcov_target \$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_ZEND_EX) \$(PHP_CLI_TARGET)"
> -+all_targets="$lcov_target \$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_CLI_TARGET) \$(PHP_CGI_TARGET)"
> -+
> - install_targets="$install_modules install-build install-headers install-programs $install_pear"
> +-all_targets="$lcov_target \$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_ZEND_EX) \$(PHP_CLI_TARGET) $pharcmd"
> ++all_targets="$lcov_target \$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_CLI_TARGET) \$(PHP_CGI_TARGET) $pharcmd"
> + install_targets="$install_modules install-build install-headers install-programs $install_pear $pharcmd_install"
>  
>   case $PHP_SAPI in
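Review bot: the all_targets edit in this hunk carries over, unchanged from the 5.2 patch, the removal of `\$(PHP_ZEND_EX)` and the addition of `\$(PHP_CGI_TARGET)`; as the patch is being regenerated, a one-line comment at its top explaining why the Zend extension targets are taken out of the default build and the CGI binary added would help whoever does the next update.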
> -@@ -1388,7 +1389,7 @@
> +@@ -1437,7 +1437,7 @@
>   PHP_ADD_SOURCES(Zend, \
>       zend_language_parser.c zend_language_scanner.c \
>       zend_ini_parser.c zend_ini_scanner.c \
> @@ -61,11 +49,11 @@
>       zend_execute_API.c zend_highlight.c zend_llist.c \
>       zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
>       zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
> -@@ -1409,6 +1410,7 @@
> +@@ -1459,6 +1459,7 @@
>   fi
>  
>   PHP_ADD_SOURCES_X(Zend, zend_execute.c,,PHP_GLOBAL_OBJS,,$flag)
>  +PHP_ADD_SOURCES_X(Zend, zend_alloc.c,,PHP_GLOBAL_OBJS,,"-O0")
>  
>   PHP_ADD_BUILD_DIR(main main/streams)
> - PHP_ADD_BUILD_DIR(regex)
> + PHP_ADD_BUILD_DIR(sapi/$PHP_SAPI sapi/cli)
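Review bot: `PHP_ADD_SOURCES_X(Zend, zend_alloc.c,,PHP_GLOBAL_OBJS,,"-O0")` is kept verbatim from the old patch with no note on why the allocator has to be built unoptimized; record the reason (the compiler problem it works around) in the patch header so the workaround can be dropped once it no longer applies.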
> Index: patches/patch-ext_standard_config_m4
> ===================================================================
> RCS file: /cvs/ports/www/php5/patches/patch-ext_standard_config_m4,v
> retrieving revision 1.1
> diff -N -u -r1.1 patches/patch-ext_standard_config_m4
> --- patches/patch-ext_standard_config_m4 5 Apr 2008 05:45:19 -0000 1.1
> +++ patches/patch-ext_standard_config_m4 1 Dec 2009 22:42:31 -0000
> @@ -1,16 +1,24 @@
> -$OpenBSD: patch-ext_standard_config_m4,v 1.1 2008/04/05 05:45:19 sturm Exp $
> ---- ext/standard/config.m4.orig Fri Apr  4 22:34:19 2008
> -+++ ext/standard/config.m4 Fri Apr  4 22:34:33 2008
> -@@ -311,9 +311,9 @@ dnl
> +--- ext/standard/config.m4.orig Wed Aug 12 02:07:35 2009
> ++++ ext/standard/config.m4 Tue Dec  1 15:37:41 2009
> +@@ -249,16 +249,16 @@
>   dnl Detect library functions needed by php dns_xxx functions
> - dnl ext/standard/dns.h will collect these in a single define: HAVE_DNS_FUNCS
> + dnl ext/standard/php_dns.h will collect these in a single define: HAVE_FULL_DNS_FUNCS
>   dnl
> --PHP_CHECK_FUNC(res_nmkquery, resolv, bind, socket)
> --PHP_CHECK_FUNC(res_nsend, resolv, bind, socket)
> +-PHP_CHECK_FUNC(res_nsearch, resolv, bind, socket)
> +-PHP_CHECK_FUNC(dns_search, resolv, bind, socket)
>  -PHP_CHECK_FUNC(dn_expand, resolv, bind, socket)
> -+PHP_CHECK_FUNC(res_nmkquery, resolv, socket)
> -+PHP_CHECK_FUNC(res_nsend, resolv, socket)
> +-PHP_CHECK_FUNC(dn_skipname, resolv, bind, socket)
> ++PHP_CHECK_FUNC(res_nsearch, resolv, socket)
> ++PHP_CHECK_FUNC(dns_search, resolv, socket)
>  +PHP_CHECK_FUNC(dn_expand, resolv, socket)
> ++PHP_CHECK_FUNC(dn_skipname, resolv, socket)
> +
> + dnl
> + dnl These are old deprecated functions
> + dnl
> +
> +-PHP_CHECK_FUNC(res_search, resolv, bind, socket)
> ++PHP_CHECK_FUNC(res_search, resolv, socket)
>  
>   dnl
>   dnl Check if atof() accepts NAN
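Review bot: the `$OpenBSD: patch-ext_standard_config_m4,v 1.1 ...$` line is removed at the top of this hunk and not replaced, leaving the patch without its keyword line; put a bare `$OpenBSD$` back as line 1. The substantive change, dropping `bind` from the library list of each `PHP_CHECK_FUNC` (now res_nsearch, dns_search, dn_expand, dn_skipname and res_search), is the same fix as before and looks right.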
> Index: patches/patch-ext_standard_dns_h
> ===================================================================
> RCS file: patches/patch-ext_standard_dns_h
> diff -N -u patches/patch-ext_standard_dns_h
> --- /dev/null 1 Dec 2009 15:42:32 -0000
> +++ patches/patch-ext_standard_dns_h 1 Dec 2009 22:42:31 -0000
> @@ -0,0 +1,18 @@
> +--- ext/standard/dns.c.orig Tue Dec  1 22:56:24 2009
> ++++ ext/standard/dns.c Tue Dec  1 22:59:15 2009
> +@@ -810,14 +810,8 @@
> + n = php_dns_search(handle, hostname, C_IN, type_to_fetch, answer.qb2, sizeof answer);
> +
> + if (n < 0) {
> +- if (php_dns_errno(handle) == NO_DATA) {
> +- php_dns_free_handle(handle);
> +- continue;
> +- }
> +-
> + php_dns_free_handle(handle);
> +- zval_dtor(return_value);
> +- RETURN_FALSE;
> ++ continue;
> + }
> +
> + cp = answer.qb2 + HFIXEDSZ;
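Review bot: the file is named patch-ext_standard_dns_h but it patches `ext/standard/dns.c`, so by the ports naming convention it should be patch-ext_standard_dns_c. On the logic: the hunk replaces the `php_dns_errno(handle) == NO_DATA` check together with the hard-failure path `zval_dtor(return_value); RETURN_FALSE;` with an unconditional `continue`, so every `php_dns_search` failure, not only "no data", is now skipped silently and dns_get_record() returns whatever records it gathered instead of false. If the reason is that the php_dns_errno macros go away in the next patch, say so in a comment at the top of the patch, and consider keeping the false return for errors other than NO_DATA if the libc resolver exposes an error code you can test. The patch also needs a `$OpenBSD$` first line.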
> Index: patches/patch-ext_standard_php_dns_h
> ===================================================================
> RCS file: patches/patch-ext_standard_php_dns_h
> diff -N -u patches/patch-ext_standard_php_dns_h
> --- /dev/null 1 Dec 2009 15:42:32 -0000
> +++ patches/patch-ext_standard_php_dns_h 1 Dec 2009 22:42:31 -0000
> @@ -0,0 +1,27 @@
> +--- ext/standard/php_dns.h.orig Tue Dec  1 23:57:37 2009
> ++++ ext/standard/php_dns.h Tue Dec  1 23:57:47 2009
> +@@ -28,8 +28,6 @@
> +     ((int)dns_search(res, dname, class, type, answer, anslen, (struct sockaddr *)&from, &fromsize))
> + #define php_dns_free_handle(res) \
> + dns_free(res)
> +-#define php_dns_errno(_res) \
> +- (NO_DATA)
> +
> + #elif defined(HAVE_RES_NSEARCH)
> + #define php_dns_search(res, dname, class, type, answer, anslen) \
> +@@ -37,15 +35,11 @@
> + #define php_dns_free_handle(res) \
> + res_nclose(res); \
> + php_dns_free_res(*res)
> +-#define php_dns_errno(res) \
> +- (res->res_h_errno)
> +
> + #elif defined(HAVE_RES_SEARCH)
> + #define php_dns_search(res, dname, class, type, answer, anslen) \
> + res_search(dname, class, type, answer, anslen)
> + #define php_dns_free_handle(res) /* noop */
> +-#define php_dns_errno(res) \
> +- (_res.res_h_errno)
> +
> + #endif
> +
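Review bot: this hunk removes `php_dns_errno` from all three resolver branches of php_dns.h, and the dns.c patch above removes the only caller shown here; grep ext/standard for any other use before committing, and add a `$OpenBSD$` line plus a comment stating the actual build failure that makes the macro unusable on OpenBSD, so the next updater knows whether it can be reinstated.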
> Index: patches/patch-php_ini-development
> ===================================================================
> RCS file: patches/patch-php_ini-development
> diff -N -u patches/patch-php_ini-development
> --- /dev/null 1 Dec 2009 15:42:32 -0000
> +++ patches/patch-php_ini-development 1 Dec 2009 22:42:31 -0000
> @@ -0,0 +1,576 @@
> +--- php.ini-development.orig Thu Nov 12 20:20:01 2009
> ++++ php.ini-development Tue Dec  1 15:47:26 2009
> +@@ -781,11 +781,8 @@
> + ;;;;;;;;;;;;;;;;;;;;;;;;;
> +
> + ; UNIX: "/path1:/path2"
> +-;include_path = ".:/php/includes"
> ++include_path = ".:OPENBSD_INCLUDE_PATH"
> + ;
> +-; Windows: "\path1;\path2"
> +-;include_path = ".;c:\php\includes"
> +-;
> + ; PHP's default setting for include_path is ".;/path/to/php/pear"
> + ; http://php.net/include-path
> +
> +@@ -804,9 +801,7 @@
> +
> + ; Directory in which the loadable extensions (modules) reside.
> + ; http://php.net/extension-dir
> +-; extension_dir = "./"
> +-; On windows:
> +-; extension_dir = "ext"
> ++extension_dir = "MODULES_DIR"
> +
> + ; Whether or not to enable the dl() function.  The dl() function does NOT work
> + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
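Review bot: `OPENBSD_INCLUDE_PATH` (in the include_path hunk above) and `MODULES_DIR` (here) are placeholders that only work if something substitutes them at build or install time, and that substitution is not in this part of the diff; confirm the port's Makefile rewrites both, otherwise the shipped php.ini sets extension_dir to the literal string "MODULES_DIR" and none of the conf/php5.sample/*.ini extensions can be loaded.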
> +@@ -887,7 +882,7 @@
> +
> + ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
> + ; http://php.net/allow-url-fopen
> +-allow_url_fopen = On
> ++allow_url_fopen = Off
> +
> + ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
> + ; http://php.net/allow-url-include
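Review bot: flipping `allow_url_fopen` to Off is a deliberate hardening deviation from the upstream php.ini-development default, and it also closes off remote include/require because `allow_url_include` (the directive right below) only takes effect when allow_url_fopen is On; record this in the commit message or a note for users so that applications which break on http:// fopen are traced to the setting rather than to the 5.3 update itself.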
> +@@ -914,78 +909,6 @@
> + ; http://php.net/auto-detect-line-endings
> + ;auto_detect_line_endings = Off
> +
> +-;;;;;;;;;;;;;;;;;;;;;;
> +-; Dynamic Extensions ;
> +-;;;;;;;;;;;;;;;;;;;;;;
> +-
> +-; If you wish to have an extension loaded automatically, use the following
> +-; syntax:
> +-;
> +-;   extension=modulename.extension
> +-;
> +-; For example, on Windows:
> +-;
> +-;   extension=msql.dll
> +-;
> +-; ... or under UNIX:
> +-;
> +-;   extension=msql.so
> +-;
> +-; ... or with a path:
> +-;
> +-;   extension=/path/to/extension/msql.so
> +-;
> +-; If you only provide the name of the extension, PHP will look for it in its
> +-; default extension directory.
> +-;
> +-; Windows Extensions
> +-; Note that ODBC support is built in, so no dll is needed for it.
> +-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
> +-; extension folders as well as the separate PECL DLL download (PHP 5).
> +-; Be sure to appropriately set the extension_dir directive.
> +-;
> +-;extension=php_bz2.dll
> +-;extension=php_curl.dll
> +-;extension=php_dba.dll
> +-;extension=php_exif.dll
> +-;extension=php_fileinfo.dll
> +-;extension=php_gd2.dll
> +-;extension=php_gettext.dll
> +-;extension=php_gmp.dll
> +-;extension=php_intl.dll
> +-;extension=php_imap.dll
> +-;extension=php_interbase.dll
> +-;extension=php_ldap.dll
> +-;extension=php_mbstring.dll
> +-;extension=php_ming.dll
> +-;extension=php_mssql.dll
> +-;extension=php_mysql.dll
> +-;extension=php_mysqli.dll
> +-;extension=php_oci8.dll      ; Use with Oracle 10gR2 Instant Client
> +-;extension=php_oci8_11g.dll  ; Use with Oracle 11g Instant Client
> +-;extension=php_openssl.dll
> +-;extension=php_pdo_firebird.dll
> +-;extension=php_pdo_mssql.dll
> +-;extension=php_pdo_mysql.dll
> +-;extension=php_pdo_oci.dll
> +-;extension=php_pdo_odbc.dll
> +-;extension=php_pdo_pgsql.dll
> +-;extension=php_pdo_sqlite.dll
> +-;extension=php_pgsql.dll
> +-;extension=php_phar.dll
> +-;extension=php_pspell.dll
> +-;extension=php_shmop.dll
> +-;extension=php_snmp.dll
> +-;extension=php_soap.dll
> +-;extension=php_sockets.dll
> +-;extension=php_sqlite.dll
> +-;extension=php_sqlite3.dll
> +-;extension=php_sybase_ct.dll
> +-;extension=php_tidy.dll
> +-;extension=php_xmlrpc.dll
> +-;extension=php_xsl.dll
> +-;extension=php_zip.dll
> +-
> + ;;;;;;;;;;;;;;;;;;;
> + ; Module Settings ;
> + ;;;;;;;;;;;;;;;;;;;
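Review bot: this hunk deletes the entire "Dynamic Extensions" block, including the UNIX `extension=modulename.extension` / `extension=msql.so` syntax explanation and the "PHP will look for it in its default extension directory" sentence, not only the Windows .dll list; since the port enables extensions through per-extension files under conf/php5.sample/ (as the PLISTs show), either keep the generic syntax lines or leave a short comment pointing at that directory so administrators know where extensions are switched on.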
> +@@ -1079,16 +1002,6 @@
> + define_syslog_variables  = Off
> +
> + [mail function]
> +-; For Win32 only.
> +-; http://php.net/smtp
> +-SMTP = localhost
> +-; http://php.net/smtp-port
> +-smtp_port = 25
> +-
> +-; For Win32 only.
> +-; http://php.net/sendmail-from
> +-;sendmail_from = [hidden email]
> +-
> + ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
> + ; http://php.net/sendmail-path
> + ;sendmail_path =
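Review bot: removing the Win32-only SMTP, smtp_port and sendmail_from lines is fine for OpenBSD; the `[hidden email]` on the removed sendmail_from line is the list archive masking an address, not content of the patch, so review this hunk against the attached php5.patch rather than the quoted copy.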
> +@@ -1887,6 +1800,441 @@
> + [dba]
> + ;dba.default_handler=
> +
> +-; Local Variables:
> +-; tab-width: 4
> +-; End:
> ++[suhosin]
> ++
> ++; -----------------------------------------------------------------------------
> ++; Logging Options
> ++
> ++; Defines what classes of security alerts are logged to the syslog daemon.
> ++; Logging of errors of the class S_MEMORY are always logged to syslog, no
> ++; matter what this configuration says, because a corrupted heap could mean that
> ++; the other logging options will malfunction during the logging process.
> ++;suhosin.log.syslog =
> ++
> ++; Defines the syslog facility that is used when ALERTs are logged to syslog.
> ++;suhosin.log.syslog.facility =
> ++
> ++; Defines the syslog priority that is used when ALERTs are logged to syslog.
> ++;suhosin.log.syslog.priority =
> ++
> ++; Defines what classes of security alerts are logged through the SAPI error log.
> ++;suhosin.log.sapi =
> ++
> ++; Defines what classes of security alerts are logged through the external
> ++; logging.
> ++;suhosin.log.script =
> ++
> ++; Defines what classes of security alerts are logged through the defined PHP
> ++; script.
> ++;suhosin.log.phpscript = 0
> ++
> ++; Defines the full path to a external logging script. The script is called with
> ++; 2 parameters. The first one is the alert class in string notation and the
> ++; second parameter is the log message. This can be used for example to mail
> ++; failing MySQL queries to your email address, because on a production system
> ++; these things should never happen.
> ++;suhosin.log.script.name =
> ++
> ++; Defines the full path to a PHP logging script. The script is called with 2
> ++; variables registered in the current scope: SUHOSIN_ERRORCLASS and
> ++; SUHOSIN_ERROR. The first one is the alert class and the second variable is
> ++; the log message. This can be used for example to mail attempted remote URL
> ++; include attacks to your email address.
> ++;suhosin.log.phpscript.name =
> ++
> ++; Undocumented
> ++;suhosin.log.phpscript.is_safe = Off
> ++
> ++; When the Hardening-Patch logs an error the log message also contains the IP
> ++; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
> ++; environment variable. With this switch it is possible to change this behavior
> ++; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
> ++; when your PHP server runs behind a reverse proxy.
> ++;suhosin.log.use-x-forwarded-for = Off
> ++
> ++; -----------------------------------------------------------------------------
> ++; Executor Options
> ++
> ++; Defines the maximum stack depth allowed by the executor before it stops the
> ++; script. Without this function an endless recursion in a PHP script could
> ++; crash the PHP executor or trigger the configured memory_limit. A value of
> ++; "0" disables this feature.
> ++;suhosin.executor.max_depth = 0
> ++
> ++; Defines how many "../" an include filename needs to contain to be considered
> ++; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
> ++; value of "3" will allow it. Most PHP applications should work flawlessly with
> ++; values "4" or "5". A value of "0" disables this feature.
> ++;suhosin.executor.include.max_traversal = 0
> ++
> ++; Comma separated whitelist of URL schemes that are allowed to be included from
> ++; include or require statements. Additionally to URL schemes it is possible to
> ++; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
> ++; specified, then the blacklist is evaluated.
> ++;suhosin.executor.include.whitelist =
> ++
> ++; Comma separated blacklist of URL schemes that are not allowed to be included
> ++; from include or require statements. Additionally to URL schemes it is
> ++; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
> ++; blacklist and no whitelist is specified all URL schemes are forbidden.
> ++;suhosin.executor.include.blacklist =
> ++
> ++; Defines if PHP is allows to run code from files that are writable by the
> ++; current process. If a file is created or modified by a PHP process, there
> ++; is a potential danger of code injection. Only turn this on if you are sure
> ++; that your application does not require writable PHP files.
> ++;suhosin.executor.include.allow_writable_files = On
> ++
> ++; Comma separated whitelist of functions that are allowed to be called. If the
> ++; whitelist is empty the blacklist is evaluated, otherwise calling a function
> ++; not in the whitelist will terminate the script and get logged.
> ++;suhosin.executor.func.whitelist =
> ++
> ++; Comma separated blacklist of functions that are not allowed to be called. If
> ++; no whitelist is given, calling a function within the blacklist will terminate
> ++; the script and get logged.
> ++;suhosin.executor.func.blacklist =
> ++
> ++; Comma separated whitelist of functions that are allowed to be called from
> ++; within eval(). If the whitelist is empty the blacklist is evaluated,
> ++; otherwise calling a function not in the whitelist will terminate the script
> ++; and get logged.
> ++;suhosin.executor.eval.whitelist =
> ++
> ++; Comma separated blacklist of functions that are not allowed to be called from
> ++; within eval(). If no whitelist is given, calling a function within the
> ++; blacklist will terminate the script and get logged.
> ++;suhosin.executor.eval.blacklist =
> ++
> ++; eval() is a very dangerous statement and therefore you might want to disable
> ++; it completely. Deactivating it will however break lots of scripts. Because
> ++; every violation is logged, this allows finding all places where eval() is
> ++; used.
> ++;suhosin.executor.disable_eval = Off
> ++
> ++; The /e modifier inside preg_replace() allows code execution. Often it is the
> ++; cause for remote code execution exploits. It is wise to deactivate this
> ++; feature and test where in the application it is used. The developer using the
> ++; /e modifier should be made aware that he should use preg_replace_callback()
> ++; instead.
> ++;suhosin.executor.disable_emodifier = Off
> ++
> ++; This flag reactivates symlink() when open_basedir is used, which is disabled
> ++; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
> ++; is actually a security risk.
> ++;suhosin.executor.allow_symlink = Off
> ++
> ++; -----------------------------------------------------------------------------
> ++; Misc Options
> ++
> ++; If you fear that Suhosin breaks your application, you can activate Suhosin's
> ++; simulation mode with this flag. When Suhosin runs in simulation mode,
> ++; violations are logged as usual, but nothing is blocked or removed from the
> ++; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
> ++;suhosin.simulation = Off
> ++
> ++; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
> ++; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
> ++; will overwrite the information Suhosin stores in this slot. When this flag is
> ++; set Suhosin will request 2 Slots and use the second one. This allows working
> ++; correctly with these buggy APC versions.
> ++;suhosin.apc_bug_workaround = Off
> ++
> ++; When a SQL Query fails scripts often spit out a bunch of useful information
> ++; for possible attackers. When this configuration directive is turned on, the
> ++; script will silently terminate, after the problem has been logged. (This is
> ++; not yet supported)
> ++;suhosin.sql.bailout_on_error = Off
> ++
> ++; This is an experimental feature for shared environments. With this
> ++; configuration option it is possible to specify a prefix that is automatically
> ++; prepended to the database username, whenever a database connection is made.
> ++; (Unless the username starts with the prefix)
> ++;suhosin.sql.user_prefix =
> ++
> ++; This is an experimental feature for shared environments. With this
> ++; configuration option it is possible to specify a postfix that is
> ++; automatically appended to the database username, whenever a database
> ++; connection is made. (Unless the username end with the postfix)
> ++;
> ++; With this feature it is possible for shared hosters to disallow customers to
> ++; connect with the usernames of other customers. This feature is experimental,
> ++; because support for PDO and PostgreSQL are not yet implemented.
> ++;suhosin.sql.user_postfix =
> ++
> ++; This directive controls if multiple headers are allowed or not in a header()
> ++; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
> ++; multiple lines are still allowed).
> ++;suhosin.multiheader = Off
> ++
> ++; This directive controls if the mail() header protection is activated or not
> ++; and to what degree it is activated. The appended table lists the possible
> ++; activation levels.
> ++suhosin.mail.protect = 1
> ++
> ++; As long scripts are not running within safe_mode they are free to change the
> ++; memory_limit to whatever value they want. Suhosin changes this fact and
> ++; disallows setting the memory_limit to a value greater than the one the script
> ++; started with, when this option is left at 0. A value greater than 0 means
> ++; that Suhosin will disallows scripts setting the memory_limit to a value above
> ++; this configured hard limit. This is for example usefull if you want to run
> ++; the script normaly with a limit of 16M but image processing scripts may raise
> ++; it to 20M.
> ++;suhosin.memory_limit = 0
> ++
> ++; -----------------------------------------------------------------------------
> ++; Transparent Encryption Options
> ++
> ++; Flag that decides if the transparent session encryption is activated or not.
> ++;suhosin.session.encrypt = On
> ++
> ++; Session data can be encrypted transparently. The encryption key used consists
> ++; of this user defined string (which can be altered by a script via ini_set())
> ++; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
> ++; REMOTE_ADDR.
> ++;suhosin.session.cryptkey =
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; User-Agent field. (When activated this feature transparently adds a little
> ++; bit protection against session fixation/hijacking attacks)
> ++;suhosin.session.cryptua = On
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; Documentroot field.
> ++;suhosin.session.cryptdocroot = On
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
> ++; encryption key depends on. Keep in mind that this should not be used on sites
> ++; that have visitors from big ISPs, because their IP address often changes
> ++; during a session. But this feature might be interesting for admin interfaces
> ++; or intranets. When used wisely this is a transparent protection against
> ++; session hijacking/fixation.
> ++;suhosin.session.cryptraddr = 0
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> ++; session. The difference to suhosin.session.cryptaddr is, that the IP is not
> ++; part of the encryption key, so that the same session can be used for
> ++; different areas with different protection levels on the site.
> ++;suhosin.session.checkraddr = 0
> ++
> ++; Flag that decides if the transparent cookie encryption is activated or not.
> ++;suhosin.cookie.encrypt = 0
> ++
> ++; Cookies can be encrypted transparently. The encryption key used consists of
> ++; this user defined string and optionally the User-Agent, the Document-Root and
> ++; 0-4 Octects of the REMOTE_ADDR.
> ++;suhosin.cookie.cryptkey =
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; User-Agent field. (When activated this feature transparently adds a little
> ++; bit protection against session fixation/hijacking attacks (if only session
> ++; cookies are allowed))
> ++;suhosin.cookie.cryptua = On
> ++
> ++; Flag that decides if the transparent cookie encryption key depends on the
> ++; Documentroot field.
> ++;suhosin.cookie.cryptdocroot = On
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
> ++; encryption key depends on. Keep in mind that this should not be used on sites
> ++; that have visitors from big ISPs, because their IP address often changes
> ++; during a session. But this feature might be interesting for admin interfaces
> ++; or intranets. When used wisely this is a transparent protection against
> ++; session hijacking/fixation.
> ++;suhosin.cookie.cryptraddr = 0
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> ++; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
> ++; part of the encryption key, so that the same cookie can be used for different
> ++; areas with different protection levels on the site.
> ++;suhosin.cookie.checkraddr = 0
> ++
> ++; In case not all cookies are supposed to get encrypted this is a comma
> ++; separated list of cookie names that should get encrypted. All other cookies
> ++; will not get touched.
> ++;suhosin.cookie.cryptlist =
> ++
> ++; In case some cookies should not be crypted this is a comma separated list of
> ++; cookies that do not get encrypted. All other cookies will be encrypted.
> ++;suhosin.cookie.plainlist =
> ++
> ++; -----------------------------------------------------------------------------
> ++; Filtering Options
> ++
> ++; Defines the reaction of Suhosin on a filter violation.
> ++;suhosin.filter.action =
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; the COOKIE.
> ++;suhosin.cookie.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; the COOKIE.
> ++;suhosin.cookie.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the COOKIE. For array variables this is the name in front of the indices.
> ++;suhosin.cookie.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; the COOKIE. For array variables this includes all indices.
> ++;suhosin.cookie.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the
> ++; COOKIE.
> ++;suhosin.cookie.max_value_length = 10000
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; COOKIE.
> ++;suhosin.cookie.max_vars = 100
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.cookie.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; the URL
> ++;suhosin.get.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; the URL
> ++;suhosin.get.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the URL. For array variables this is the name in front of the indices.
> ++;suhosin.get.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; the URL. For array variables this includes all indices.
> ++;suhosin.get.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the URL.
> ++;suhosin.get.max_value_length = 512
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; URL.
> ++;suhosin.get.max_vars = 100
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.get.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; a POST request.
> ++;suhosin.post.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; a POST request.
> ++;suhosin.post.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; a POST request. For array variables this is the name in front of the indices.
> ++;suhosin.post.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; a POST request. For array variables this includes all indices.
> ++;suhosin.post.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through a POST
> ++; request.
> ++;suhosin.post.max_value_length = 1000000
> ++
> ++; Defines the maximum number of variables that may be registered through a POST
> ++; request.
> ++;suhosin.post.max_vars = 1000
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.post.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; GET , POST or COOKIE. This setting is also an upper limit for the separate
> ++; GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; GET, POST or COOKIE. This setting is also an upper limit for the separate
> ++; GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the COOKIE, the URL or through a POST request. This is the complete name
> ++; string, including all indicies. This setting is also an upper limit for the
> ++; separate GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the
> ++; COOKIE, the URL or through a POST request. This setting is also an upper
> ++; limit for the variable origin specific configuration directives.
> ++;suhosin.request.max_value_length = 1000000
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; COOKIE, the URL or through a POST request. This setting is also an upper
> ++; limit for the variable origin specific configuration directives.
> ++;suhosin.request.max_vars = 1000
> ++
> ++; Defines the maximum name length (excluding possible array indicies) of
> ++; variables that may be registered through the COOKIE, the URL or through a
> ++; POST request. This setting is also an upper limit for the variable origin
> ++; specific configuration directives.
> ++;suhosin.request.max_varname_length = 64
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.request.disallow_nul = 1
> ++
> ++; When set to On the dangerous characters <>"'` are urlencoded when found
> ++; not encoded in the server variables REQUEST_URI and QUERY_STRING. This
> ++; will protect against some XSS vulnerabilities.
> ++;suhosin.server.encode = 1
> ++
> ++; When set to On the dangerous characters <>"'` are replaced with ? in
> ++; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
> ++; protect against some XSS vulnerabilities.
> ++;suhosin.server.strip = 1
> ++
> ++; Defines the maximum number of files that may be uploaded with one request.
> ++;suhosin.upload.max_uploads = 25
> ++
> ++; When set to On it is not possible to upload ELF executables.
> ++;suhosin.upload.disallow_elf = 1
> ++
> ++; When set to On it is not possible to upload binary files.
> ++;suhosin.upload.disallow_binary = 0
> ++
> ++; When set to On binary content is removed from the uploaded files.
> ++;suhosin.upload.remove_binary = 0
> ++
> ++; This defines the full path to a verification script for uploaded files. The
> ++; script gets the temporary filename supplied and has to decide if the upload
> ++; is allowed. A possible application for this is to scan uploaded files for
> ++; viruses. The called script has to write a 1 as first line to standard output
> ++; to allow the upload. Any other value or no output at all will result in the
> ++; file being deleted.
> ++;suhosin.upload.verification_script =
> ++
> ++; Specifies the maximum length of the session identifier that is allowed. When
> ++; a longer session identifier is passed a new session identifier will be
> ++; created. This feature is important to fight bufferoverflows in 3rd party
> ++; session handlers.
> ++;suhosin.session.max_id_length = 128
> ++
> ++; Undocumented: Controls if suhosin coredumps when the optional suhosin patch
> ++; detects a bufferoverflow, memory corruption or double free. This is only
> ++; for debugging purposes and should not be activated.
> ++;suhosin.coredump = Off
> ++
> ++; Undocumented: Controls if the encryption keys specified by the configuration
> ++; are shown in the phpinfo() output or if they are hidden from it
> ++;suhosin.protectkey = 1
> ++
> ++; Controls if suhosin loads in stealth mode when it is not the only
> ++; zend_extension (Required for full compatibility with certain encoders
> ++;  that consider open source untrusted. e.g. ionCube, Zend)
> ++;suhosin.stealth = 1
> ++
> ++; Controls if suhosin's ini directives are changeable per directory
> ++; because the admin might want to allow some features to be controlable
> ++; by .htaccess and some not. For example the logging capabilities can
> ++; break safemode and open_basedir restrictions when .htaccess support is
> ++; allowed and the admin forgot to fix their values in httpd.conf
> ++; An empty value or a 0 will result in all directives not allowed in
> ++; .htaccess. The string "legcprsum" will allow logging, execution, get,
> ++; post, cookie, request, sql, upload, misc features in .htaccess
> ++;suhosin.perdir = "0"
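Review bot: the POST and request filter limits in this new php.ini patch are loosened considerably relative to the patch-php_ini-dist file this same diff deletes, and the change is not mentioned in the submission text: `suhosin.post.max_value_length` and `suhosin.request.max_value_length` go from 65000 to 1000000, and `suhosin.post.max_vars` and `suhosin.request.max_vars` go from 200 to 1000. These are the defaults that bound how much attacker-controlled input Suhosin will register per request, so if the new values are deliberate (for instance to match upstream's current php.ini-production) say so in the commit log, otherwise carry the old values over. Two smaller points in the same block: the comment above `suhosin.cookie.cryptua` still talks about the "transparent session encryption key" although the directive controls the cookie key, and the comment above `suhosin.cookie.checkraddr` refers to `suhosin.cookie.cryptaddr`, which does not exist as a directive (the one defined just above is `suhosin.cookie.cryptraddr`). Both are inherited from the old file and from the upstream text, but since this file is what gets installed as the shipped php.ini, it is worth fixing them here.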
> Index: patches/patch-php_ini-dist
> ===================================================================
> RCS file: /cvs/ports/www/php5/patches/patch-php_ini-dist,v
> retrieving revision 1.13
> diff -N -u -r1.13 patches/patch-php_ini-dist
> --- patches/patch-php_ini-dist 14 Nov 2007 10:53:50 -0000 1.13
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,569 +0,0 @@
> -$OpenBSD: patch-php_ini-dist,v 1.13 2007/11/14 10:53:50 robert Exp $
> ---- php.ini-dist.orig Wed Aug 22 01:24:18 2007
> -+++ php.ini-dist Tue Nov 13 11:53:18 2007
> -@@ -466,10 +466,7 @@ default_mimetype = "text/html"
> - ;;;;;;;;;;;;;;;;;;;;;;;;;
> -
> - ; UNIX: "/path1:/path2"
> --;include_path = ".:/php/includes"
> --;
> --; Windows: "\path1;\path2"
> --;include_path = ".;c:\php\includes"
> -+include_path = ".:OPENBSD_INCLUDE_PATH"
> -
> - ; The root of the PHP pages, used only if nonempty.
> - ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
> -@@ -483,7 +480,7 @@ doc_root =
> - user_dir =
> -
> - ; Directory in which the loadable extensions (modules) reside.
> --extension_dir = "./"
> -+extension_dir = "MODULES_DIR"
> -
> - ; Whether or not to enable the dl() function.  The dl() function does NOT work
> - ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
> -@@ -552,7 +549,7 @@ upload_max_filesize = 2M
> - ;;;;;;;;;;;;;;;;;;
> -
> - ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
> --allow_url_fopen = On
> -+allow_url_fopen = Off
> -
> - ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
> - allow_url_include = Off
> -@@ -573,81 +570,6 @@ default_socket_timeout = 60
> - ; fgets() and file() will work regardless of the source of the file.
> - ; auto_detect_line_endings = Off
> -
> --
> --;;;;;;;;;;;;;;;;;;;;;;
> --; Dynamic Extensions ;
> --;;;;;;;;;;;;;;;;;;;;;;
> --;
> --; If you wish to have an extension loaded automatically, use the following
> --; syntax:
> --;
> --;   extension=modulename.extension
> --;
> --; For example, on Windows:
> --;
> --;   extension=msql.dll
> --;
> --; ... or under UNIX:
> --;
> --;   extension=msql.so
> --;
> --; Note that it should be the name of the module only; no directory information
> --; needs to go here.  Specify the location of the extension with the
> --; extension_dir directive above.
> --
> --
> --; Windows Extensions
> --; Note that ODBC support is built in, so no dll is needed for it.
> --; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
> --; extension folders as well as the separate PECL DLL download (PHP 5).
> --; Be sure to appropriately set the extension_dir directive.
> --
> --;extension=php_bz2.dll
> --;extension=php_curl.dll
> --;extension=php_dba.dll
> --;extension=php_dbase.dll
> --;extension=php_exif.dll
> --;extension=php_fdf.dll
> --;extension=php_gd2.dll
> --;extension=php_gettext.dll
> --;extension=php_gmp.dll
> --;extension=php_ifx.dll
> --;extension=php_imap.dll
> --;extension=php_interbase.dll
> --;extension=php_ldap.dll
> --;extension=php_mbstring.dll
> --;extension=php_mcrypt.dll
> --;extension=php_mhash.dll
> --;extension=php_mime_magic.dll
> --;extension=php_ming.dll
> --;extension=php_msql.dll
> --;extension=php_mssql.dll
> --;extension=php_mysql.dll
> --;extension=php_mysqli.dll
> --;extension=php_oci8.dll
> --;extension=php_openssl.dll
> --;extension=php_pdo.dll
> --;extension=php_pdo_firebird.dll
> --;extension=php_pdo_mssql.dll
> --;extension=php_pdo_mysql.dll
> --;extension=php_pdo_oci.dll
> --;extension=php_pdo_oci8.dll
> --;extension=php_pdo_odbc.dll
> --;extension=php_pdo_pgsql.dll
> --;extension=php_pdo_sqlite.dll
> --;extension=php_pgsql.dll
> --;extension=php_pspell.dll
> --;extension=php_shmop.dll
> --;extension=php_snmp.dll
> --;extension=php_soap.dll
> --;extension=php_sockets.dll
> --;extension=php_sqlite.dll
> --;extension=php_sybase_ct.dll
> --;extension=php_tidy.dll
> --;extension=php_xmlrpc.dll
> --;extension=php_xsl.dll
> --;extension=php_zip.dll
> --
> - ;;;;;;;;;;;;;;;;;;;
> - ; Module Settings ;
> - ;;;;;;;;;;;;;;;;;;;
> -@@ -695,13 +617,6 @@ default_socket_timeout = 60
> - define_syslog_variables  = Off
> -
> - [mail function]
> --; For Win32 only.
> --SMTP = localhost
> --smtp_port = 25
> --
> --; For Win32 only.
> --;sendmail_from = [hidden email]
> --
> - ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
> - ;sendmail_path =
> -
> -@@ -1277,6 +1192,436 @@ soap.wsdl_cache_dir="/tmp"
> - ; instead of original one.
> - soap.wsdl_cache_ttl=86400
> -
> --; Local Variables:
> --; tab-width: 4
> --; End:
> -+[suhosin]
> -+; Logging Options
> -+
> -+; Defines what classes of security alerts are logged to the syslog daemon.
> -+; Logging of errors of the class S_MEMORY are always logged to syslog, no
> -+; matter what this configuration says, because a corrupted heap could mean that
> -+; the other logging options will malfunction during the logging process.
> -+;suhosin.log.syslog =
> -+
> -+; Defines the syslog facility that is used when ALERTs are logged to syslog.
> -+;suhosin.log.syslog.facility =
> -+
> -+; Defines the syslog priority that is used when ALERTs are logged to syslog.
> -+;suhosin.log.syslog.priority =
> -+
> -+; Defines what classes of security alerts are logged through the SAPI error log.
> -+;suhosin.log.sapi =
> -+
> -+; Defines what classes of security alerts are logged through the external
> -+; logging.
> -+;suhosin.log.script =
> -+
> -+; Defines what classes of security alerts are logged through the defined PHP
> -+; script.
> -+;suhosin.log.phpscript = 0
> -+
> -+; Defines the full path to a external logging script. The script is called with
> -+; 2 parameters. The first one is the alert class in string notation and the
> -+; second parameter is the log message. This can be used for example to mail
> -+; failing MySQL queries to your email address, because on a production system
> -+; these things should never happen.
> -+;suhosin.log.script.name =
> -+
> -+; Defines the full path to a PHP logging script. The script is called with 2
> -+; variables registered in the current scope: SUHOSIN_ERRORCLASS and
> -+; SUHOSIN_ERROR. The first one is the alert class and the second variable is
> -+; the log message. This can be used for example to mail attempted remote URL
> -+; include attacks to your email address.
> -+;suhosin.log.phpscript.name =
> -+
> -+; Undocumented
> -+;suhosin.log.phpscript.is_safe = Off
> -+
> -+; When the Hardening-Patch logs an error the log message also contains the IP
> -+; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
> -+; environment variable. With this switch it is possible to change this behavior
> -+; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
> -+; when your PHP server runs behind a reverse proxy.
> -+;suhosin.log.use-x-forwarded-for = Off
> -+
> -+; -----------------------------------------------------------------------------
> -+; Executor Options
> -+
> -+; Defines the maximum stack depth allowed by the executor before it stops the
> -+; script. Without this function an endless recursion in a PHP script could
> -+; crash the PHP executor or trigger the configured memory_limit. A value of
> -+; "0" disables this feature.
> -+;suhosin.executor.max_depth = 0
> -+
> -+; Defines how many "../" an include filename needs to contain to be considered
> -+; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
> -+; value of "3" will allow it. Most PHP applications should work flawlessly with
> -+; values "4" or "5". A value of "0" disables this feature.
> -+;suhosin.executor.include.max_traversal = 0
> -+
> -+; Comma separated whitelist of URL schemes that are allowed to be included from
> -+; include or require statements. Additionally to URL schemes it is possible to
> -+; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
> -+; specified, then the blacklist is evaluated.
> -+;suhosin.executor.include.whitelist =
> -+
> -+; Comma separated blacklist of URL schemes that are not allowed to be included
> -+; from include or require statements. Additionally to URL schemes it is
> -+; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
> -+; blacklist and no whitelist is specified all URL schemes are forbidden.
> -+;suhosin.executor.include.blacklist =
> -+
> -+; Comma separated whitelist of functions that are allowed to be called. If the
> -+; whitelist is empty the blacklist is evaluated, otherwise calling a function
> -+; not in the whitelist will terminate the script and get logged.
> -+;suhosin.executor.func.whitelist =
> -+
> -+; Comma separated blacklist of functions that are not allowed to be called. If
> -+; no whitelist is given, calling a function within the blacklist will terminate
> -+; the script and get logged.
> -+;suhosin.executor.func.blacklist =
> -+
> -+; Comma separated whitelist of functions that are allowed to be called from
> -+; within eval(). If the whitelist is empty the blacklist is evaluated,
> -+; otherwise calling a function not in the whitelist will terminate the script
> -+; and get logged.
> -+;suhosin.executor.eval.whitelist =
> -+
> -+; Comma separated blacklist of functions that are not allowed to be called from
> -+; within eval(). If no whitelist is given, calling a function within the
> -+; blacklist will terminate the script and get logged.
> -+;suhosin.executor.eval.blacklist =
> -+
> -+; eval() is a very dangerous statement and therefore you might want to disable
> -+; it completely. Deactivating it will however break lots of scripts. Because
> -+; every violation is logged, this allows finding all places where eval() is
> -+; used.
> -+;suhosin.executor.disable_eval = Off
> -+
> -+; The /e modifier inside preg_replace() allows code execution. Often it is the
> -+; cause for remote code execution exploits. It is wise to deactivate this
> -+; feature and test where in the application it is used. The developer using the
> -+; /e modifier should be made aware that he should use preg_replace_callback()
> -+; instead.
> -+;suhosin.executor.disable_emodifier = Off
> -+
> -+; This flag reactivates symlink() when open_basedir is used, which is disabled
> -+; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
> -+; is actually a security risk.
> -+;suhosin.executor.allow_symlink = Off
> -+
> -+; -----------------------------------------------------------------------------
> -+; Misc Options
> -+
> -+; If you fear that Suhosin breaks your application, you can activate Suhosin's
> -+; simulation mode with this flag. When Suhosin runs in simulation mode,
> -+; violations are logged as usual, but nothing is blocked or removed from the
> -+; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
> -+;suhosin.simulation = Off
> -+
> -+; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
> -+; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
> -+; will overwrite the information Suhosin stores in this slot. When this flag is
> -+; set Suhosin will request 2 Slots and use the second one. This allows working
> -+; correctly with these buggy APC versions.
> -+;suhosin.apc_bug_workaround = Off
> -+
> -+; When a SQL Query fails scripts often spit out a bunch of useful information
> -+; for possible attackers. When this configuration directive is turned on, the
> -+; script will silently terminate, after the problem has been logged. (This is
> -+; not yet supported)
> -+;suhosin.sql.bailout_on_error = Off
> -+
> -+; This is an experimental feature for shared environments. With this
> -+; configuration option it is possible to specify a prefix that is automatically
> -+; prepended to the database username, whenever a database connection is made.
> -+; (Unless the username starts with the prefix)
> -+;suhosin.sql.user_prefix =
> -+
> -+; This is an experimental feature for shared environments. With this
> -+; configuration option it is possible to specify a postfix that is
> -+; automatically appended to the database username, whenever a database
> -+; connection is made. (Unless the username end with the postfix)
> -+;
> -+; With this feature it is possible for shared hosters to disallow customers to
> -+; connect with the usernames of other customers. This feature is experimental,
> -+; because support for PDO and PostgreSQL are not yet implemented.
> -+;suhosin.sql.user_postfix =
> -+
> -+; This directive controls if multiple headers are allowed or not in a header()
> -+; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
> -+; multiple lines are still allowed).
> -+;suhosin.multiheader = Off
> -+
> -+; This directive controls if the mail() header protection is activated or not
> -+; and to what degree it is activated. The appended table lists the possible
> -+; activation levels.
> -+suhosin.mail.protect = 1
> -+
> -+; As long scripts are not running within safe_mode they are free to change the
> -+; memory_limit to whatever value they want. Suhosin changes this fact and
> -+; disallows setting the memory_limit to a value greater than the one the script
> -+; started with, when this option is left at 0. A value greater than 0 means
> -+; that Suhosin will disallows scripts setting the memory_limit to a value above
> -+; this configured hard limit. This is for example usefull if you want to run
> -+; the script normaly with a limit of 16M but image processing scripts may raise
> -+; it to 20M.
> -+;suhosin.memory_limit = 0
> -+
> -+; -----------------------------------------------------------------------------
> -+; Transparent Encryption Options
> -+
> -+; Flag that decides if the transparent session encryption is activated or not.
> -+;suhosin.session.encrypt = On
> -+
> -+; Session data can be encrypted transparently. The encryption key used consists
> -+; of this user defined string (which can be altered by a script via ini_set())
> -+; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
> -+; REMOTE_ADDR.
> -+;suhosin.session.cryptkey =
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; User-Agent field. (When activated this feature transparently adds a little
> -+; bit protection against session fixation/hijacking attacks)
> -+;suhosin.session.cryptua = On
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; Documentroot field.
> -+;suhosin.session.cryptdocroot = On
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
> -+; encryption key depends on. Keep in mind that this should not be used on sites
> -+; that have visitors from big ISPs, because their IP address often changes
> -+; during a session. But this feature might be interesting for admin interfaces
> -+; or intranets. When used wisely this is a transparent protection against
> -+; session hijacking/fixation.
> -+;suhosin.session.cryptraddr = 0
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> -+; session. The difference to suhosin.session.cryptaddr is, that the IP is not
> -+; part of the encryption key, so that the same session can be used for
> -+; different areas with different protection levels on the site.
> -+;suhosin.session.checkraddr = 0
> -+
> -+; Flag that decides if the transparent cookie encryption is activated or not.
> -+;suhosin.cookie.encrypt = 0
> -+
> -+; Cookies can be encrypted transparently. The encryption key used consists of
> -+; this user defined string and optionally the User-Agent, the Document-Root and
> -+; 0-4 Octects of the REMOTE_ADDR.
> -+;suhosin.cookie.cryptkey =
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; User-Agent field. (When activated this feature transparently adds a little
> -+; bit protection against session fixation/hijacking attacks (if only session
> -+; cookies are allowed))
> -+;suhosin.cookie.cryptua = On
> -+
> -+; Flag that decides if the transparent cookie encryption key depends on the
> -+; Documentroot field.
> -+;suhosin.cookie.cryptdocroot = On
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
> -+; encryption key depends on. Keep in mind that this should not be used on sites
> -+; that have visitors from big ISPs, because their IP address often changes
> -+; during a session. But this feature might be interesting for admin interfaces
> -+; or intranets. When used wisely this is a transparent protection against
> -+; session hijacking/fixation.
> -+;suhosin.cookie.cryptraddr = 0
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> -+; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
> -+; part of the encryption key, so that the same cookie can be used for different
> -+; areas with different protection levels on the site.
> -+;suhosin.cookie.checkraddr = 0
> -+
> -+; In case not all cookies are supposed to get encrypted this is a comma
> -+; separated list of cookie names that should get encrypted. All other cookies
> -+; will not get touched.
> -+;suhosin.cookie.cryptlist =
> -+
> -+; In case some cookies should not be crypted this is a comma separated list of
> -+; cookies that do not get encrypted. All other cookies will be encrypted.
> -+;suhosin.cookie.plainlist =
> -+
> -+; -----------------------------------------------------------------------------
> -+; Filtering Options
> -+
> -+; Defines the reaction of Suhosin on a filter violation.
> -+;suhosin.filter.action =
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; the COOKIE.
> -+;suhosin.cookie.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; the COOKIE.
> -+;suhosin.cookie.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the COOKIE. For array variables this is the name in front of the indices.
> -+;suhosin.cookie.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; the COOKIE. For array variables this includes all indices.
> -+;suhosin.cookie.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the
> -+; COOKIE.
> -+;suhosin.cookie.max_value_length = 10000
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; COOKIE.
> -+;suhosin.cookie.max_vars = 100
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.cookie.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; the URL
> -+;suhosin.get.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; the URL
> -+;suhosin.get.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the URL. For array variables this is the name in front of the indices.
> -+;suhosin.get.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; the URL. For array variables this includes all indices.
> -+;suhosin.get.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the URL.
> -+;suhosin.get.max_value_length = 512
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; URL.
> -+;suhosin.get.max_vars = 100
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.get.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; a POST request.
> -+;suhosin.post.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; a POST request.
> -+;suhosin.post.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; a POST request. For array variables this is the name in front of the indices.
> -+;suhosin.post.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; a POST request. For array variables this includes all indices.
> -+;suhosin.post.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through a POST
> -+; request.
> -+;suhosin.post.max_value_length = 65000
> -+
> -+; Defines the maximum number of variables that may be registered through a POST
> -+; request.
> -+;suhosin.post.max_vars = 200
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.post.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; GET , POST or COOKIE. This setting is also an upper limit for the separate
> -+; GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; GET, POST or COOKIE. This setting is also an upper limit for the separate
> -+; GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the COOKIE, the URL or through a POST request. This is the complete name
> -+; string, including all indicies. This setting is also an upper limit for the
> -+; separate GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the
> -+; COOKIE, the URL or through a POST request. This setting is also an upper
> -+; limit for the variable origin specific configuration directives.
> -+;suhosin.request.max_value_length = 65000
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; COOKIE, the URL or through a POST request. This setting is also an upper
> -+; limit for the variable origin specific configuration directives.
> -+;suhosin.request.max_vars = 200
> -+
> -+; Defines the maximum name length (excluding possible array indicies) of
> -+; variables that may be registered through the COOKIE, the URL or through a
> -+; POST request. This setting is also an upper limit for the variable origin
> -+; specific configuration directives.
> -+;suhosin.request.max_varname_length = 64
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.request.disallow_nul = 1
> -+
> -+; Defines the maximum number of files that may be uploaded with one request.
> -+;suhosin.upload.max_uploads = 25
> -+
> -+; When set to On it is not possible to upload ELF executables.
> -+;suhosin.upload.disallow_elf = 1
> -+
> -+; When set to On it is not possible to upload binary files.
> -+;suhosin.upload.disallow_binary = 0
> -+
> -+; When set to On binary content is removed from the uploaded files.
> -+;suhosin.upload.remove_binary = 0
> -+
> -+; This defines the full path to a verification script for uploaded files. The
> -+; script gets the temporary filename supplied and has to decide if the upload
> -+; is allowed. A possible application for this is to scan uploaded files for
> -+; viruses. The called script has to write a 1 as first line to standard output
> -+; to allow the upload. Any other value or no output at all will result in the
> -+; file being deleted.
> -+;suhosin.upload.verification_script =
> -+
> -+; Specifies the maximum length of the session identifier that is allowed. When
> -+; a longer session identifier is passed a new session identifier will be
> -+; created. This feature is important to fight bufferoverflows in 3rd party
> -+; session handlers.
> -+;suhosin.session.max_id_length = 128
> -+
> -+; Undocumented: Controls if suhosin coredumps when the optional suhosin patch
> -+; detects a bufferoverflow, memory corruption or double free. This is only
> -+; for debugging purposes and should not be activated.
> -+;suhosin.coredump = Off
> -+
> -+; Undocumented: Controls if the encryption keys specified by the configuration
> -+; are shown in the phpinfo() output or if they are hidden from it
> -+;suhosin.protectkey = 1
> -+
> -+; Controls if suhosin loads in stealth mode when it is not the only
> -+; zend_extension (Required for full compatibility with certain encoders
> -+;  that consider open source untrusted. e.g. ionCube, Zend)
> -+;suhosin.stealth = 1
> -+
> -+; Controls if suhosin's ini directives are changeable per directory
> -+; because the admin might want to allow some features to be controlable
> -+; by .htaccess and some not. For example the logging capabilities can
> -+; break safemode and open_basedir restrictions when .htaccess support is
> -+; allowed and the admin forgot to fix their values in httpd.conf
> -+; An empty value or a 0 will result in all directives not allowed in
> -+; .htaccess. The string "legcprsum" will allow logging, execution, get,
> -+; post, cookie, request, sql, upload, misc features in .htaccess
> -+;suhosin.perdir = "0"
> -+
> -+;;;;;;;;;;;;;;;;;;;;;;
> -+; Dynamic Extensions ;
> -+;;;;;;;;;;;;;;;;;;;;;;
> -+;
> -+; If you wish to have an extension loaded automatically, use the following
> -+; syntax:
> -+;
> -+;   extension=modulename.so
> -+;
> -+; Note that it should be the name of the module only; no directory information
> -+; needs to go here.  Specify the location of the extension with the
> -+; extension_dir directive above.
> Index: patches/patch-php_ini-production
> ===================================================================
> RCS file: patches/patch-php_ini-production
> diff -N -u patches/patch-php_ini-production
> --- /dev/null 1 Dec 2009 15:42:32 -0000
> +++ patches/patch-php_ini-production 1 Dec 2009 22:42:31 -0000
> @@ -0,0 +1,576 @@
> +--- php.ini-production.orig Thu Nov 12 20:20:01 2009
> ++++ php.ini-production Tue Dec  1 15:47:37 2009
> +@@ -781,11 +781,8 @@
> + ;;;;;;;;;;;;;;;;;;;;;;;;;
> +
> + ; UNIX: "/path1:/path2"
> +-;include_path = ".:/php/includes"
> ++include_path = ".:OPENBSD_INCLUDE_PATH"
> + ;
> +-; Windows: "\path1;\path2"
> +-;include_path = ".;c:\php\includes"
> +-;
> + ; PHP's default setting for include_path is ".;/path/to/php/pear"
> + ; http://php.net/include-path
> +
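Review bot: the stale comment `; PHP's default setting for include_path is ".;/path/to/php/pear"` survives this hunk even though the Windows lines around it were removed, so the only example left next to `include_path = ".:OPENBSD_INCLUDE_PATH"` uses the Windows `;` separator while the real value uses `:`; either drop that line or rewrite it in UNIX form so an admin editing the file copies the right separator.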
> +@@ -804,9 +801,7 @@
> +
> + ; Directory in which the loadable extensions (modules) reside.
> + ; http://php.net/extension-dir
> +-; extension_dir = "./"
> +-; On windows:
> +-; extension_dir = "ext"
> ++extension_dir = "MODULES_DIR"
> +
> + ; Whether or not to enable the dl() function.  The dl() function does NOT work
> + ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
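Review bot: `extension_dir = "MODULES_DIR"` (and `OPENBSD_INCLUDE_PATH` in the previous hunk) are build-time placeholders, not paths, and php.ini-production is a new file in this port: whatever substitution filled them in for php.ini-recommended (that patch is deleted further down) has to be applied to php.ini-production too, otherwise the installed ini literally contains `MODULES_DIR` and none of the shared extensions load. Please include the corresponding Makefile/PLIST change in the diff or state in the commit message where it happens.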
> +@@ -887,7 +882,7 @@
> +
> + ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
> + ; http://php.net/allow-url-fopen
> +-allow_url_fopen = On
> ++allow_url_fopen = Off
> +
> + ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
> + ; http://php.net/allow-url-include
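Review bot: `allow_url_fopen = Off` is the right default for a production ini, and because allow_url_include only works when allow_url_fopen is On, remote include/require is blocked by this change as well; the allow_url_include value itself is outside the hunk, so confirm it still reads Off in the 5.3.1 php.ini-production rather than relying on that coupling. Worth a line in the port's install notes: scripts that do fopen()/file_get_contents() on http:// URLs will now fail with a warning and need the curl extension instead.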
> +@@ -914,78 +909,6 @@
> + ; http://php.net/auto-detect-line-endings
> + ;auto_detect_line_endings = Off
> +
> +-;;;;;;;;;;;;;;;;;;;;;;
> +-; Dynamic Extensions ;
> +-;;;;;;;;;;;;;;;;;;;;;;
> +-
> +-; If you wish to have an extension loaded automatically, use the following
> +-; syntax:
> +-;
> +-;   extension=modulename.extension
> +-;
> +-; For example, on Windows:
> +-;
> +-;   extension=msql.dll
> +-;
> +-; ... or under UNIX:
> +-;
> +-;   extension=msql.so
> +-;
> +-; ... or with a path:
> +-;
> +-;   extension=/path/to/extension/msql.so
> +-;
> +-; If you only provide the name of the extension, PHP will look for it in its
> +-; default extension directory.
> +-;
> +-; Windows Extensions
> +-; Note that ODBC support is built in, so no dll is needed for it.
> +-; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
> +-; extension folders as well as the separate PECL DLL download (PHP 5).
> +-; Be sure to appropriately set the extension_dir directive.
> +-;
> +-;extension=php_bz2.dll
> +-;extension=php_curl.dll
> +-;extension=php_dba.dll
> +-;extension=php_exif.dll
> +-;extension=php_fileinfo.dll
> +-;extension=php_gd2.dll
> +-;extension=php_gettext.dll
> +-;extension=php_gmp.dll
> +-;extension=php_intl.dll
> +-;extension=php_imap.dll
> +-;extension=php_interbase.dll
> +-;extension=php_ldap.dll
> +-;extension=php_mbstring.dll
> +-;extension=php_ming.dll
> +-;extension=php_mssql.dll
> +-;extension=php_mysql.dll
> +-;extension=php_mysqli.dll
> +-;extension=php_oci8.dll      ; Use with Oracle 10gR2 Instant Client
> +-;extension=php_oci8_11g.dll  ; Use with Oracle 11g Instant Client
> +-;extension=php_openssl.dll
> +-;extension=php_pdo_firebird.dll
> +-;extension=php_pdo_mssql.dll
> +-;extension=php_pdo_mysql.dll
> +-;extension=php_pdo_oci.dll
> +-;extension=php_pdo_odbc.dll
> +-;extension=php_pdo_pgsql.dll
> +-;extension=php_pdo_sqlite.dll
> +-;extension=php_pgsql.dll
> +-;extension=php_phar.dll
> +-;extension=php_pspell.dll
> +-;extension=php_shmop.dll
> +-;extension=php_snmp.dll
> +-;extension=php_soap.dll
> +-;extension=php_sockets.dll
> +-;extension=php_sqlite.dll
> +-;extension=php_sqlite3.dll
> +-;extension=php_sybase_ct.dll
> +-;extension=php_tidy.dll
> +-;extension=php_xmlrpc.dll
> +-;extension=php_xsl.dll
> +-;extension=php_zip.dll
> +-
> + ;;;;;;;;;;;;;;;;;;;
> + ; Module Settings ;
> + ;;;;;;;;;;;;;;;;;;;
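Review bot: this drops the whole Dynamic Extensions block, including the UNIX `extension=msql.so` example and the sentence `If you only provide the name of the extension, PHP will look for it in its default extension directory`, so the installed php.ini no longer tells an admin how to enable the modules that live in MODULES_DIR. The old patch being removed above kept a trimmed UNIX-only version of the block (`extension=modulename.so` plus the pointer to extension_dir); carry that over here and delete only the Windows `.dll` list.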
> +@@ -1079,16 +1002,6 @@
> + define_syslog_variables  = Off
> +
> + [mail function]
> +-; For Win32 only.
> +-; http://php.net/smtp
> +-SMTP = localhost
> +-; http://php.net/smtp-port
> +-smtp_port = 25
> +-
> +-; For Win32 only.
> +-; http://php.net/sendmail-from
> +-;sendmail_from = [hidden email]
> +-
> + ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
> + ; http://php.net/sendmail-path
> + ;sendmail_path =
> +@@ -1895,6 +1808,441 @@
> + [dba]
> + ;dba.default_handler=
> +
> +-; Local Variables:
> +-; tab-width: 4
> +-; End:
> ++[suhosin]
> ++
> ++; -----------------------------------------------------------------------------
> ++; Logging Options
> ++
> ++; Defines what classes of security alerts are logged to the syslog daemon.
> ++; Logging of errors of the class S_MEMORY are always logged to syslog, no
> ++; matter what this configuration says, because a corrupted heap could mean that
> ++; the other logging options will malfunction during the logging process.
> ++;suhosin.log.syslog =
> ++
> ++; Defines the syslog facility that is used when ALERTs are logged to syslog.
> ++;suhosin.log.syslog.facility =
> ++
> ++; Defines the syslog priority that is used when ALERTs are logged to syslog.
> ++;suhosin.log.syslog.priority =
> ++
> ++; Defines what classes of security alerts are logged through the SAPI error log.
> ++;suhosin.log.sapi =
> ++
> ++; Defines what classes of security alerts are logged through the external
> ++; logging.
> ++;suhosin.log.script =
> ++
> ++; Defines what classes of security alerts are logged through the defined PHP
> ++; script.
> ++;suhosin.log.phpscript = 0
> ++
> ++; Defines the full path to a external logging script. The script is called with
> ++; 2 parameters. The first one is the alert class in string notation and the
> ++; second parameter is the log message. This can be used for example to mail
> ++; failing MySQL queries to your email address, because on a production system
> ++; these things should never happen.
> ++;suhosin.log.script.name =
> ++
> ++; Defines the full path to a PHP logging script. The script is called with 2
> ++; variables registered in the current scope: SUHOSIN_ERRORCLASS and
> ++; SUHOSIN_ERROR. The first one is the alert class and the second variable is
> ++; the log message. This can be used for example to mail attempted remote URL
> ++; include attacks to your email address.
> ++;suhosin.log.phpscript.name =
> ++
> ++; Undocumented
> ++;suhosin.log.phpscript.is_safe = Off
> ++
> ++; When the Hardening-Patch logs an error the log message also contains the IP
> ++; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
> ++; environment variable. With this switch it is possible to change this behavior
> ++; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
> ++; when your PHP server runs behind a reverse proxy.
> ++;suhosin.log.use-x-forwarded-for = Off
> ++
> ++; -----------------------------------------------------------------------------
> ++; Executor Options
> ++
> ++; Defines the maximum stack depth allowed by the executor before it stops the
> ++; script. Without this function an endless recursion in a PHP script could
> ++; crash the PHP executor or trigger the configured memory_limit. A value of
> ++; "0" disables this feature.
> ++;suhosin.executor.max_depth = 0
> ++
> ++; Defines how many "../" an include filename needs to contain to be considered
> ++; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
> ++; value of "3" will allow it. Most PHP applications should work flawlessly with
> ++; values "4" or "5". A value of "0" disables this feature.
> ++;suhosin.executor.include.max_traversal = 0
> ++
> ++; Comma separated whitelist of URL schemes that are allowed to be included from
> ++; include or require statements. Additionally to URL schemes it is possible to
> ++; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
> ++; specified, then the blacklist is evaluated.
> ++;suhosin.executor.include.whitelist =
> ++
> ++; Comma separated blacklist of URL schemes that are not allowed to be included
> ++; from include or require statements. Additionally to URL schemes it is
> ++; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
> ++; blacklist and no whitelist is specified all URL schemes are forbidden.
> ++;suhosin.executor.include.blacklist =
> ++
> ++; Defines if PHP is allows to run code from files that are writable by the
> ++; current process. If a file is created or modified by a PHP process, there
> ++; is a potential danger of code injection. Only turn this on if you are sure
> ++; that your application does not require writable PHP files.
> ++;suhosin.executor.include.allow_writable_files = On
> ++
> ++; Comma separated whitelist of functions that are allowed to be called. If the
> ++; whitelist is empty the blacklist is evaluated, otherwise calling a function
> ++; not in the whitelist will terminate the script and get logged.
> ++;suhosin.executor.func.whitelist =
> ++
> ++; Comma separated blacklist of functions that are not allowed to be called. If
> ++; no whitelist is given, calling a function within the blacklist will terminate
> ++; the script and get logged.
> ++;suhosin.executor.func.blacklist =
> ++
> ++; Comma separated whitelist of functions that are allowed to be called from
> ++; within eval(). If the whitelist is empty the blacklist is evaluated,
> ++; otherwise calling a function not in the whitelist will terminate the script
> ++; and get logged.
> ++;suhosin.executor.eval.whitelist =
> ++
> ++; Comma separated blacklist of functions that are not allowed to be called from
> ++; within eval(). If no whitelist is given, calling a function within the
> ++; blacklist will terminate the script and get logged.
> ++;suhosin.executor.eval.blacklist =
> ++
> ++; eval() is a very dangerous statement and therefore you might want to disable
> ++; it completely. Deactivating it will however break lots of scripts. Because
> ++; every violation is logged, this allows finding all places where eval() is
> ++; used.
> ++;suhosin.executor.disable_eval = Off
> ++
> ++; The /e modifier inside preg_replace() allows code execution. Often it is the
> ++; cause for remote code execution exploits. It is wise to deactivate this
> ++; feature and test where in the application it is used. The developer using the
> ++; /e modifier should be made aware that he should use preg_replace_callback()
> ++; instead.
> ++;suhosin.executor.disable_emodifier = Off
> ++
> ++; This flag reactivates symlink() when open_basedir is used, which is disabled
> ++; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
> ++; is actually a security risk.
> ++;suhosin.executor.allow_symlink = Off
> ++
> ++; -----------------------------------------------------------------------------
> ++; Misc Options
> ++
> ++; If you fear that Suhosin breaks your application, you can activate Suhosin's
> ++; simulation mode with this flag. When Suhosin runs in simulation mode,
> ++; violations are logged as usual, but nothing is blocked or removed from the
> ++; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
> ++;suhosin.simulation = Off
> ++
> ++; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
> ++; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
> ++; will overwrite the information Suhosin stores in this slot. When this flag is
> ++; set Suhosin will request 2 Slots and use the second one. This allows working
> ++; correctly with these buggy APC versions.
> ++;suhosin.apc_bug_workaround = Off
> ++
> ++; When a SQL Query fails scripts often spit out a bunch of useful information
> ++; for possible attackers. When this configuration directive is turned on, the
> ++; script will silently terminate, after the problem has been logged. (This is
> ++; not yet supported)
> ++;suhosin.sql.bailout_on_error = Off
> ++
> ++; This is an experimental feature for shared environments. With this
> ++; configuration option it is possible to specify a prefix that is automatically
> ++; prepended to the database username, whenever a database connection is made.
> ++; (Unless the username starts with the prefix)
> ++;suhosin.sql.user_prefix =
> ++
> ++; This is an experimental feature for shared environments. With this
> ++; configuration option it is possible to specify a postfix that is
> ++; automatically appended to the database username, whenever a database
> ++; connection is made. (Unless the username end with the postfix)
> ++;
> ++; With this feature it is possible for shared hosters to disallow customers to
> ++; connect with the usernames of other customers. This feature is experimental,
> ++; because support for PDO and PostgreSQL are not yet implemented.
> ++;suhosin.sql.user_postfix =
> ++
> ++; This directive controls if multiple headers are allowed or not in a header()
> ++; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
> ++; multiple lines are still allowed).
> ++;suhosin.multiheader = Off
> ++
> ++; This directive controls if the mail() header protection is activated or not
> ++; and to what degree it is activated. The appended table lists the possible
> ++; activation levels.
> ++suhosin.mail.protect = 1
> ++
> ++; As long scripts are not running within safe_mode they are free to change the
> ++; memory_limit to whatever value they want. Suhosin changes this fact and
> ++; disallows setting the memory_limit to a value greater than the one the script
> ++; started with, when this option is left at 0. A value greater than 0 means
> ++; that Suhosin will disallows scripts setting the memory_limit to a value above
> ++; this configured hard limit. This is for example usefull if you want to run
> ++; the script normaly with a limit of 16M but image processing scripts may raise
> ++; it to 20M.
> ++;suhosin.memory_limit = 0
> ++
> ++; -----------------------------------------------------------------------------
> ++; Transparent Encryption Options
> ++
> ++; Flag that decides if the transparent session encryption is activated or not.
> ++;suhosin.session.encrypt = On
> ++
> ++; Session data can be encrypted transparently. The encryption key used consists
> ++; of this user defined string (which can be altered by a script via ini_set())
> ++; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
> ++; REMOTE_ADDR.
> ++;suhosin.session.cryptkey =
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; User-Agent field. (When activated this feature transparently adds a little
> ++; bit protection against session fixation/hijacking attacks)
> ++;suhosin.session.cryptua = On
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; Documentroot field.
> ++;suhosin.session.cryptdocroot = On
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
> ++; encryption key depends on. Keep in mind that this should not be used on sites
> ++; that have visitors from big ISPs, because their IP address often changes
> ++; during a session. But this feature might be interesting for admin interfaces
> ++; or intranets. When used wisely this is a transparent protection against
> ++; session hijacking/fixation.
> ++;suhosin.session.cryptraddr = 0
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> ++; session. The difference to suhosin.session.cryptaddr is, that the IP is not
> ++; part of the encryption key, so that the same session can be used for
> ++; different areas with different protection levels on the site.
> ++;suhosin.session.checkraddr = 0
> ++
> ++; Flag that decides if the transparent cookie encryption is activated or not.
> ++;suhosin.cookie.encrypt = 0
> ++
> ++; Cookies can be encrypted transparently. The encryption key used consists of
> ++; this user defined string and optionally the User-Agent, the Document-Root and
> ++; 0-4 Octects of the REMOTE_ADDR.
> ++;suhosin.cookie.cryptkey =
> ++
> ++; Flag that decides if the transparent session encryption key depends on the
> ++; User-Agent field. (When activated this feature transparently adds a little
> ++; bit protection against session fixation/hijacking attacks (if only session
> ++; cookies are allowed))
> ++;suhosin.cookie.cryptua = On
> ++
> ++; Flag that decides if the transparent cookie encryption key depends on the
> ++; Documentroot field.
> ++;suhosin.cookie.cryptdocroot = On
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
> ++; encryption key depends on. Keep in mind that this should not be used on sites
> ++; that have visitors from big ISPs, because their IP address often changes
> ++; during a session. But this feature might be interesting for admin interfaces
> ++; or intranets. When used wisely this is a transparent protection against
> ++; session hijacking/fixation.
> ++;suhosin.cookie.cryptraddr = 0
> ++
> ++; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> ++; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
> ++; part of the encryption key, so that the same cookie can be used for different
> ++; areas with different protection levels on the site.
> ++;suhosin.cookie.checkraddr = 0
> ++
> ++; In case not all cookies are supposed to get encrypted this is a comma
> ++; separated list of cookie names that should get encrypted. All other cookies
> ++; will not get touched.
> ++;suhosin.cookie.cryptlist =
> ++
> ++; In case some cookies should not be crypted this is a comma separated list of
> ++; cookies that do not get encrypted. All other cookies will be encrypted.
> ++;suhosin.cookie.plainlist =
> ++
> ++; -----------------------------------------------------------------------------
> ++; Filtering Options
> ++
> ++; Defines the reaction of Suhosin on a filter violation.
> ++;suhosin.filter.action =
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; the COOKIE.
> ++;suhosin.cookie.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; the COOKIE.
> ++;suhosin.cookie.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the COOKIE. For array variables this is the name in front of the indices.
> ++;suhosin.cookie.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; the COOKIE. For array variables this includes all indices.
> ++;suhosin.cookie.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the
> ++; COOKIE.
> ++;suhosin.cookie.max_value_length = 10000
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; COOKIE.
> ++;suhosin.cookie.max_vars = 100
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.cookie.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; the URL
> ++;suhosin.get.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; the URL
> ++;suhosin.get.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the URL. For array variables this is the name in front of the indices.
> ++;suhosin.get.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; the URL. For array variables this includes all indices.
> ++;suhosin.get.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the URL.
> ++;suhosin.get.max_value_length = 512
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; URL.
> ++;suhosin.get.max_vars = 100
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.get.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; a POST request.
> ++;suhosin.post.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; a POST request.
> ++;suhosin.post.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; a POST request. For array variables this is the name in front of the indices.
> ++;suhosin.post.max_name_length = 64
> ++
> ++; Defines the maximum length of the total variable name when registered through
> ++; a POST request. For array variables this includes all indices.
> ++;suhosin.post.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through a POST
> ++; request.
> ++;suhosin.post.max_value_length = 1000000
> ++
> ++; Defines the maximum number of variables that may be registered through a POST
> ++; request.
> ++;suhosin.post.max_vars = 1000
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.post.disallow_nul = 1
> ++
> ++; Defines the maximum depth an array variable may have, when registered through
> ++; GET , POST or COOKIE. This setting is also an upper limit for the separate
> ++; GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_array_depth = 50
> ++
> ++; Defines the maximum length of array indices for variables registered through
> ++; GET, POST or COOKIE. This setting is also an upper limit for the separate
> ++; GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_array_index_length = 64
> ++
> ++; Defines the maximum length of variable names for variables registered through
> ++; the COOKIE, the URL or through a POST request. This is the complete name
> ++; string, including all indicies. This setting is also an upper limit for the
> ++; separate GET, POST, COOKIE configuration directives.
> ++;suhosin.request.max_totalname_length = 256
> ++
> ++; Defines the maximum length of a variable that is registered through the
> ++; COOKIE, the URL or through a POST request. This setting is also an upper
> ++; limit for the variable origin specific configuration directives.
> ++;suhosin.request.max_value_length = 1000000
> ++
> ++; Defines the maximum number of variables that may be registered through the
> ++; COOKIE, the URL or through a POST request. This setting is also an upper
> ++; limit for the variable origin specific configuration directives.
> ++;suhosin.request.max_vars = 1000
> ++
> ++; Defines the maximum name length (excluding possible array indicies) of
> ++; variables that may be registered through the COOKIE, the URL or through a
> ++; POST request. This setting is also an upper limit for the variable origin
> ++; specific configuration directives.
> ++;suhosin.request.max_varname_length = 64
> ++
> ++; When set to On ASCIIZ chars are not allowed in variables.
> ++;suhosin.request.disallow_nul = 1
> ++
> ++; When set to On the dangerous characters <>"'` are urlencoded when found
> ++; not encoded in the server variables REQUEST_URI and QUERY_STRING. This
> ++; will protect against some XSS vulnerabilities.
> ++;suhosin.server.encode = 1
> ++
> ++; When set to On the dangerous characters <>"'` are replaced with ? in
> ++; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
> ++; protect against some XSS vulnerabilities.
> ++;suhosin.server.strip = 1
> ++
> ++; Defines the maximum number of files that may be uploaded with one request.
> ++;suhosin.upload.max_uploads = 25
> ++
> ++; When set to On it is not possible to upload ELF executables.
> ++;suhosin.upload.disallow_elf = 1
> ++
> ++; When set to On it is not possible to upload binary files.
> ++;suhosin.upload.disallow_binary = 0
> ++
> ++; When set to On binary content is removed from the uploaded files.
> ++;suhosin.upload.remove_binary = 0
> ++
> ++; This defines the full path to a verification script for uploaded files. The
> ++; script gets the temporary filename supplied and has to decide if the upload
> ++; is allowed. A possible application for this is to scan uploaded files for
> ++; viruses. The called script has to write a 1 as first line to standard output
> ++; to allow the upload. Any other value or no output at all will result in the
> ++; file being deleted.
> ++;suhosin.upload.verification_script =
> ++
> ++; Specifies the maximum length of the session identifier that is allowed. When
> ++; a longer session identifier is passed a new session identifier will be
> ++; created. This feature is important to fight bufferoverflows in 3rd party
> ++; session handlers.
> ++;suhosin.session.max_id_length = 128
> ++
> ++; Undocumented: Controls if suhosin coredumps when the optional suhosin patch
> ++; detects a bufferoverflow, memory corruption or double free. This is only
> ++; for debugging purposes and should not be activated.
> ++;suhosin.coredump = Off
> ++
> ++; Undocumented: Controls if the encryption keys specified by the configuration
> ++; are shown in the phpinfo() output or if they are hidden from it
> ++;suhosin.protectkey = 1
> ++
> ++; Controls if suhosin loads in stealth mode when it is not the only
> ++; zend_extension (Required for full compatibility with certain encoders
> ++;  that consider open source untrusted. e.g. ionCube, Zend)
> ++;suhosin.stealth = 1
> ++
> ++; Controls if suhosin's ini directives are changeable per directory
> ++; because the admin might want to allow some features to be controlable
> ++; by .htaccess and some not. For example the logging capabilities can
> ++; break safemode and open_basedir restrictions when .htaccess support is
> ++; allowed and the admin forgot to fix their values in httpd.conf
> ++; An empty value or a 0 will result in all directives not allowed in
> ++; .htaccess. The string "legcprsum" will allow logging, execution, get,
> ++; post, cookie, request, sql, upload, misc features in .htaccess
> ++;suhosin.perdir = "0"
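Review bot: the commented-out request-filter defaults changed between the two files without explanation: the deleted patch documents `;suhosin.request.max_value_length = 65000` and `;suhosin.request.max_vars = 200`, this one says 1000000 and 1000 (plus `;suhosin.post.max_vars = 1000`). Both files describe these as upper limits for the per-origin GET/POST/COOKIE directives, and since every one of them is commented out, what an admin reads here is taken as the built-in default; check the numbers against the Suhosin 0.9.29 extension actually being built and keep a single consistent set. Three documentation fixes while here: `suhosin.mail.protect = 1` is the only directive in the whole block that is not commented out, so it is the only one that takes effect, yet its comment promises "The appended table lists the possible activation levels" and no table follows; the comments for `suhosin.session.checkraddr` and `suhosin.cookie.checkraddr` refer to `suhosin.session.cryptaddr`/`suhosin.cookie.cryptaddr` whereas the directives above are spelled `cryptraddr`; and `suhosin.executor.include.blacklist` says "the beginning of allowed URLs" where it means forbidden ones. Finally, `suhosin.log.use-x-forwarded-for` should stay Off unless a trusted reverse proxy sets the header, since otherwise the client controls X-Forwarded-For and can forge the "attacker IP" written to the log.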
> Index: patches/patch-php_ini-recommended
> ===================================================================
> RCS file: /cvs/ports/www/php5/patches/patch-php_ini-recommended,v
> retrieving revision 1.13
> diff -N -u -r1.13 patches/patch-php_ini-recommended
> --- patches/patch-php_ini-recommended 14 Nov 2007 10:53:50 -0000 1.13
> +++ /dev/null 1 Dec 2009 22:31:01 -0000
> @@ -1,569 +0,0 @@
> -$OpenBSD: patch-php_ini-recommended,v 1.13 2007/11/14 10:53:50 robert Exp $
> ---- php.ini-recommended.orig Wed Aug 22 01:24:18 2007
> -+++ php.ini-recommended Tue Nov 13 11:53:39 2007
> -@@ -516,10 +516,7 @@ default_mimetype = "text/html"
> - ;;;;;;;;;;;;;;;;;;;;;;;;;
> -
> - ; UNIX: "/path1:/path2"
> --;include_path = ".:/php/includes"
> --;
> --; Windows: "\path1;\path2"
> --;include_path = ".;c:\php\includes"
> -+include_path = ".:OPENBSD_INCLUDE_PATH"
> -
> - ; The root of the PHP pages, used only if nonempty.
> - ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
> -@@ -533,7 +530,7 @@ doc_root =
> - user_dir =
> -
> - ; Directory in which the loadable extensions (modules) reside.
> --extension_dir = "./"
> -+extension_dir = "MODULES_DIR"
> -
> - ; Whether or not to enable the dl() function.  The dl() function does NOT work
> - ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
> -@@ -602,7 +599,7 @@ upload_max_filesize = 2M
> - ;;;;;;;;;;;;;;;;;;
> -
> - ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
> --allow_url_fopen = On
> -+allow_url_fopen = Off
> -
> - ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
> - allow_url_include = Off
> -@@ -623,81 +620,6 @@ default_socket_timeout = 60
> - ; fgets() and file() will work regardless of the source of the file.
> - ; auto_detect_line_endings = Off
> -
> --
> --;;;;;;;;;;;;;;;;;;;;;;
> --; Dynamic Extensions ;
> --;;;;;;;;;;;;;;;;;;;;;;
> --;
> --; If you wish to have an extension loaded automatically, use the following
> --; syntax:
> --;
> --;   extension=modulename.extension
> --;
> --; For example, on Windows:
> --;
> --;   extension=msql.dll
> --;
> --; ... or under UNIX:
> --;
> --;   extension=msql.so
> --;
> --; Note that it should be the name of the module only; no directory information
> --; needs to go here.  Specify the location of the extension with the
> --; extension_dir directive above.
> --
> --
> --; Windows Extensions
> --; Note that ODBC support is built in, so no dll is needed for it.
> --; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
> --; extension folders as well as the separate PECL DLL download (PHP 5).
> --; Be sure to appropriately set the extension_dir directive.
> --
> --;extension=php_bz2.dll
> --;extension=php_curl.dll
> --;extension=php_dba.dll
> --;extension=php_dbase.dll
> --;extension=php_exif.dll
> --;extension=php_fdf.dll
> --;extension=php_gd2.dll
> --;extension=php_gettext.dll
> --;extension=php_gmp.dll
> --;extension=php_ifx.dll
> --;extension=php_imap.dll
> --;extension=php_interbase.dll
> --;extension=php_ldap.dll
> --;extension=php_mbstring.dll
> --;extension=php_mcrypt.dll
> --;extension=php_mhash.dll
> --;extension=php_mime_magic.dll
> --;extension=php_ming.dll
> --;extension=php_msql.dll
> --;extension=php_mssql.dll
> --;extension=php_mysql.dll
> --;extension=php_mysqli.dll
> --;extension=php_oci8.dll
> --;extension=php_openssl.dll
> --;extension=php_pdo.dll
> --;extension=php_pdo_firebird.dll
> --;extension=php_pdo_mssql.dll
> --;extension=php_pdo_mysql.dll
> --;extension=php_pdo_oci.dll
> --;extension=php_pdo_oci8.dll
> --;extension=php_pdo_odbc.dll
> --;extension=php_pdo_pgsql.dll
> --;extension=php_pdo_sqlite.dll
> --;extension=php_pgsql.dll
> --;extension=php_pspell.dll
> --;extension=php_shmop.dll
> --;extension=php_snmp.dll
> --;extension=php_soap.dll
> --;extension=php_sockets.dll
> --;extension=php_sqlite.dll
> --;extension=php_sybase_ct.dll
> --;extension=php_tidy.dll
> --;extension=php_xmlrpc.dll
> --;extension=php_xsl.dll
> --;extension=php_zip.dll
> --
> - ;;;;;;;;;;;;;;;;;;;
> - ; Module Settings ;
> - ;;;;;;;;;;;;;;;;;;;
> -@@ -745,13 +667,6 @@ default_socket_timeout = 60
> - define_syslog_variables  = Off
> -
> - [mail function]
> --; For Win32 only.
> --SMTP = localhost
> --smtp_port = 25
> --
> --; For Win32 only.
> --;sendmail_from = [hidden email]
> --
> - ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
> - ;sendmail_path =
> -
> -@@ -1330,6 +1245,436 @@ soap.wsdl_cache_dir="/tmp"
> - ; instead of original one.
> - soap.wsdl_cache_ttl=86400
> -
> --; Local Variables:
> --; tab-width: 4
> --; End:
> -+[suhosin]
> -+; Logging Options
> -+
> -+; Defines what classes of security alerts are logged to the syslog daemon.
> -+; Logging of errors of the class S_MEMORY are always logged to syslog, no
> -+; matter what this configuration says, because a corrupted heap could mean that
> -+; the other logging options will malfunction during the logging process.
> -+;suhosin.log.syslog =
> -+
> -+; Defines the syslog facility that is used when ALERTs are logged to syslog.
> -+;suhosin.log.syslog.facility =
> -+
> -+; Defines the syslog priority that is used when ALERTs are logged to syslog.
> -+;suhosin.log.syslog.priority =
> -+
> -+; Defines what classes of security alerts are logged through the SAPI error log.
> -+;suhosin.log.sapi =
> -+
> -+; Defines what classes of security alerts are logged through the external
> -+; logging.
> -+;suhosin.log.script =
> -+
> -+; Defines what classes of security alerts are logged through the defined PHP
> -+; script.
> -+;suhosin.log.phpscript = 0
> -+
> -+; Defines the full path to a external logging script. The script is called with
> -+; 2 parameters. The first one is the alert class in string notation and the
> -+; second parameter is the log message. This can be used for example to mail
> -+; failing MySQL queries to your email address, because on a production system
> -+; these things should never happen.
> -+;suhosin.log.script.name =
> -+
> -+; Defines the full path to a PHP logging script. The script is called with 2
> -+; variables registered in the current scope: SUHOSIN_ERRORCLASS and
> -+; SUHOSIN_ERROR. The first one is the alert class and the second variable is
> -+; the log message. This can be used for example to mail attempted remote URL
> -+; include attacks to your email address.
> -+;suhosin.log.phpscript.name =
> -+
> -+; Undocumented
> -+;suhosin.log.phpscript.is_safe = Off
> -+
> -+; When the Hardening-Patch logs an error the log message also contains the IP
> -+; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
> -+; environment variable. With this switch it is possible to change this behavior
> -+; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
> -+; when your PHP server runs behind a reverse proxy.
> -+;suhosin.log.use-x-forwarded-for = Off
> -+
> -+; -----------------------------------------------------------------------------
> -+; Executor Options
> -+
> -+; Defines the maximum stack depth allowed by the executor before it stops the
> -+; script. Without this function an endless recursion in a PHP script could
> -+; crash the PHP executor or trigger the configured memory_limit. A value of
> -+; "0" disables this feature.
> -+;suhosin.executor.max_depth = 0
> -+
> -+; Defines how many "../" an include filename needs to contain to be considered
> -+; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
> -+; value of "3" will allow it. Most PHP applications should work flawlessly with
> -+; values "4" or "5". A value of "0" disables this feature.
> -+;suhosin.executor.include.max_traversal = 0
> -+
> -+; Comma separated whitelist of URL schemes that are allowed to be included from
> -+; include or require statements. Additionally to URL schemes it is possible to
> -+; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
> -+; specified, then the blacklist is evaluated.
> -+;suhosin.executor.include.whitelist =
> -+
> -+; Comma separated blacklist of URL schemes that are not allowed to be included
> -+; from include or require statements. Additionally to URL schemes it is
> -+; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
> -+; blacklist and no whitelist is specified all URL schemes are forbidden.
> -+;suhosin.executor.include.blacklist =
> -+
> -+; Comma separated whitelist of functions that are allowed to be called. If the
> -+; whitelist is empty the blacklist is evaluated, otherwise calling a function
> -+; not in the whitelist will terminate the script and get logged.
> -+;suhosin.executor.func.whitelist =
> -+
> -+; Comma separated blacklist of functions that are not allowed to be called. If
> -+; no whitelist is given, calling a function within the blacklist will terminate
> -+; the script and get logged.
> -+;suhosin.executor.func.blacklist =
> -+
> -+; Comma separated whitelist of functions that are allowed to be called from
> -+; within eval(). If the whitelist is empty the blacklist is evaluated,
> -+; otherwise calling a function not in the whitelist will terminate the script
> -+; and get logged.
> -+;suhosin.executor.eval.whitelist =
> -+
> -+; Comma separated blacklist of functions that are not allowed to be called from
> -+; within eval(). If no whitelist is given, calling a function within the
> -+; blacklist will terminate the script and get logged.
> -+;suhosin.executor.eval.blacklist =
> -+
> -+; eval() is a very dangerous statement and therefore you might want to disable
> -+; it completely. Deactivating it will however break lots of scripts. Because
> -+; every violation is logged, this allows finding all places where eval() is
> -+; used.
> -+;suhosin.executor.disable_eval = Off
> -+
> -+; The /e modifier inside preg_replace() allows code execution. Often it is the
> -+; cause for remote code execution exploits. It is wise to deactivate this
> -+; feature and test where in the application it is used. The developer using the
> -+; /e modifier should be made aware that he should use preg_replace_callback()
> -+; instead.
> -+;suhosin.executor.disable_emodifier = Off
> -+
> -+; This flag reactivates symlink() when open_basedir is used, which is disabled
> -+; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
> -+; is actually a security risk.
> -+;suhosin.executor.allow_symlink = Off
> -+
> -+; -----------------------------------------------------------------------------
> -+; Misc Options
> -+
> -+; If you fear that Suhosin breaks your application, you can activate Suhosin's
> -+; simulation mode with this flag. When Suhosin runs in simulation mode,
> -+; violations are logged as usual, but nothing is blocked or removed from the
> -+; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
> -+;suhosin.simulation = Off
> -+
> -+; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
> -+; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
> -+; will overwrite the information Suhosin stores in this slot. When this flag is
> -+; set Suhosin will request 2 Slots and use the second one. This allows working
> -+; correctly with these buggy APC versions.
> -+;suhosin.apc_bug_workaround = Off
> -+
> -+; When a SQL Query fails scripts often spit out a bunch of useful information
> -+; for possible attackers. When this configuration directive is turned on, the
> -+; script will silently terminate, after the problem has been logged. (This is
> -+; not yet supported)
> -+;suhosin.sql.bailout_on_error = Off
> -+
> -+; This is an experimental feature for shared environments. With this
> -+; configuration option it is possible to specify a prefix that is automatically
> -+; prepended to the database username, whenever a database connection is made.
> -+; (Unless the username starts with the prefix)
> -+;suhosin.sql.user_prefix =
> -+
> -+; This is an experimental feature for shared environments. With this
> -+; configuration option it is possible to specify a postfix that is
> -+; automatically appended to the database username, whenever a database
> -+; connection is made. (Unless the username end with the postfix)
> -+;
> -+; With this feature it is possible for shared hosters to disallow customers to
> -+; connect with the usernames of other customers. This feature is experimental,
> -+; because support for PDO and PostgreSQL are not yet implemented.
> -+;suhosin.sql.user_postfix =
> -+
> -+; This directive controls if multiple headers are allowed or not in a header()
> -+; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
> -+; multiple lines are still allowed).
> -+;suhosin.multiheader = Off
> -+
> -+; This directive controls if the mail() header protection is activated or not
> -+; and to what degree it is activated. The appended table lists the possible
> -+; activation levels.
> -+suhosin.mail.protect = 1
> -+
> -+; As long scripts are not running within safe_mode they are free to change the
> -+; memory_limit to whatever value they want. Suhosin changes this fact and
> -+; disallows setting the memory_limit to a value greater than the one the script
> -+; started with, when this option is left at 0. A value greater than 0 means
> -+; that Suhosin will disallows scripts setting the memory_limit to a value above
> -+; this configured hard limit. This is for example usefull if you want to run
> -+; the script normaly with a limit of 16M but image processing scripts may raise
> -+; it to 20M.
> -+;suhosin.memory_limit = 0
> -+
> -+; -----------------------------------------------------------------------------
> -+; Transparent Encryption Options
> -+
> -+; Flag that decides if the transparent session encryption is activated or not.
> -+;suhosin.session.encrypt = On
> -+
> -+; Session data can be encrypted transparently. The encryption key used consists
> -+; of this user defined string (which can be altered by a script via ini_set())
> -+; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
> -+; REMOTE_ADDR.
> -+;suhosin.session.cryptkey =
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; User-Agent field. (When activated this feature transparently adds a little
> -+; bit protection against session fixation/hijacking attacks)
> -+;suhosin.session.cryptua = On
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; Documentroot field.
> -+;suhosin.session.cryptdocroot = On
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
> -+; encryption key depends on. Keep in mind that this should not be used on sites
> -+; that have visitors from big ISPs, because their IP address often changes
> -+; during a session. But this feature might be interesting for admin interfaces
> -+; or intranets. When used wisely this is a transparent protection against
> -+; session hijacking/fixation.
> -+;suhosin.session.cryptraddr = 0
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> -+; session. The difference to suhosin.session.cryptaddr is, that the IP is not
> -+; part of the encryption key, so that the same session can be used for
> -+; different areas with different protection levels on the site.
> -+;suhosin.session.checkraddr = 0
> -+
> -+; Flag that decides if the transparent cookie encryption is activated or not.
> -+;suhosin.cookie.encrypt = 0
> -+
> -+; Cookies can be encrypted transparently. The encryption key used consists of
> -+; this user defined string and optionally the User-Agent, the Document-Root and
> -+; 0-4 Octects of the REMOTE_ADDR.
> -+;suhosin.cookie.cryptkey =
> -+
> -+; Flag that decides if the transparent session encryption key depends on the
> -+; User-Agent field. (When activated this feature transparently adds a little
> -+; bit protection against session fixation/hijacking attacks (if only session
> -+; cookies are allowed))
> -+;suhosin.cookie.cryptua = On
> -+
> -+; Flag that decides if the transparent cookie encryption key depends on the
> -+; Documentroot field.
> -+;suhosin.cookie.cryptdocroot = On
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
> -+; encryption key depends on. Keep in mind that this should not be used on sites
> -+; that have visitors from big ISPs, because their IP address often changes
> -+; during a session. But this feature might be interesting for admin interfaces
> -+; or intranets. When used wisely this is a transparent protection against
> -+; session hijacking/fixation.
> -+;suhosin.cookie.cryptraddr = 0
> -+
> -+; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
> -+; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
> -+; part of the encryption key, so that the same cookie can be used for different
> -+; areas with different protection levels on the site.
> -+;suhosin.cookie.checkraddr = 0
> -+
> -+; In case not all cookies are supposed to get encrypted this is a comma
> -+; separated list of cookie names that should get encrypted. All other cookies
> -+; will not get touched.
> -+;suhosin.cookie.cryptlist =
> -+
> -+; In case some cookies should not be crypted this is a comma separated list of
> -+; cookies that do not get encrypted. All other cookies will be encrypted.
> -+;suhosin.cookie.plainlist =
> -+
> -+; -----------------------------------------------------------------------------
> -+; Filtering Options
> -+
> -+; Defines the reaction of Suhosin on a filter violation.
> -+;suhosin.filter.action =
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; the COOKIE.
> -+;suhosin.cookie.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; the COOKIE.
> -+;suhosin.cookie.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the COOKIE. For array variables this is the name in front of the indices.
> -+;suhosin.cookie.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; the COOKIE. For array variables this includes all indices.
> -+;suhosin.cookie.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the
> -+; COOKIE.
> -+;suhosin.cookie.max_value_length = 10000
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; COOKIE.
> -+;suhosin.cookie.max_vars = 100
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.cookie.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; the URL
> -+;suhosin.get.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; the URL
> -+;suhosin.get.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the URL. For array variables this is the name in front of the indices.
> -+;suhosin.get.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; the URL. For array variables this includes all indices.
> -+;suhosin.get.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the URL.
> -+;suhosin.get.max_value_length = 512
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; URL.
> -+;suhosin.get.max_vars = 100
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.get.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; a POST request.
> -+;suhosin.post.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; a POST request.
> -+;suhosin.post.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; a POST request. For array variables this is the name in front of the indices.
> -+;suhosin.post.max_name_length = 64
> -+
> -+; Defines the maximum length of the total variable name when registered through
> -+; a POST request. For array variables this includes all indices.
> -+;suhosin.post.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through a POST
> -+; request.
> -+;suhosin.post.max_value_length = 65000
> -+
> -+; Defines the maximum number of variables that may be registered through a POST
> -+; request.
> -+;suhosin.post.max_vars = 200
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.post.disallow_nul = 1
> -+
> -+; Defines the maximum depth an array variable may have, when registered through
> -+; GET , POST or COOKIE. This setting is also an upper limit for the separate
> -+; GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_array_depth = 50
> -+
> -+; Defines the maximum length of array indices for variables registered through
> -+; GET, POST or COOKIE. This setting is also an upper limit for the separate
> -+; GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_array_index_length = 64
> -+
> -+; Defines the maximum length of variable names for variables registered through
> -+; the COOKIE, the URL or through a POST request. This is the complete name
> -+; string, including all indicies. This setting is also an upper limit for the
> -+; separate GET, POST, COOKIE configuration directives.
> -+;suhosin.request.max_totalname_length = 256
> -+
> -+; Defines the maximum length of a variable that is registered through the
> -+; COOKIE, the URL or through a POST request. This setting is also an upper
> -+; limit for the variable origin specific configuration directives.
> -+;suhosin.request.max_value_length = 65000
> -+
> -+; Defines the maximum number of variables that may be registered through the
> -+; COOKIE, the URL or through a POST request. This setting is also an upper
> -+; limit for the variable origin specific configuration directives.
> -+;suhosin.request.max_vars = 200
> -+
> -+; Defines the maximum name length (excluding possible array indicies) of
> -+; variables that may be registered through the COOKIE, the URL or through a
> -+; POST request. This setting is also an upper limit for the variable origin
> -+; specific configuration directives.
> -+;suhosin.request.max_varname_length = 64
> -+
> -+; When set to On ASCIIZ chars are not allowed in variables.
> -+;suhosin.request.disallow_nul = 1
> -+
> -+; Defines the maximum number of files that may be uploaded with one request.
> -+;suhosin.upload.max_uploads = 25
> -+
> -+; When set to On it is not possible to upload ELF executables.
> -+;suhosin.upload.disallow_elf = 1
> -+
> -+; When set to On it is not possible to upload binary files.
> -+;suhosin.upload.disallow_binary = 0
> -+
> -+; When set to On binary content is removed from the uploaded files.
> -+;suhosin.upload.remove_binary = 0
> -+
> -+; This defines the full path to a verification script for uploaded files. The
> -+; script gets the temporary filename supplied and has to decide if the upload
> -+; is allowed. A possible application for this is to scan uploaded files for
> -+; viruses. The called script has to write a 1 as first line to standard output
> -+; to allow the upload. Any other value or no output at all will result in the
> -+; file being deleted.
> -+;suhosin.upload.verification_script =
> -+
> -+; Specifies the maximum length of the session identifier that is allowed. When
> -+; a longer session identifier is passed a new session identifier will be
> -+; created. This feature is important to fight bufferoverflows in 3rd party
> -+; session handlers.
> -+;suhosin.session.max_id_length = 128
> -+
> -+; Undocumented: Controls if suhosin coredumps when the optional suhosin patch
> -+; detects a bufferoverflow, memory corruption or double free. This is only
> -+; for debugging purposes and should not be activated.
> -+;suhosin.coredump = Off
> -+
> -+; Undocumented: Controls if the encryption keys specified by the configuration
> -+; are shown in the phpinfo() output or if they are hidden from it
> -+;suhosin.protectkey = 1
> -+
> -+; Controls if suhosin loads in stealth mode when it is not the only
> -+; zend_extension (Required for full compatibility with certain encoders
> -+;  that consider open source untrusted. e.g. ionCube, Zend)
> -+;suhosin.stealth = 1
> -+
> -+; Controls if suhosin's ini directives are changeable per directory
> -+; because the admin might want to allow some features to be controlable
> -+; by .htaccess and some not. For example the logging capabilities can
> -+; break safemode and open_basedir restrictions when .htaccess support is
> -+; allowed and the admin forgot to fix their values in httpd.conf
> -+; An empty value or a 0 will result in all directives not allowed in
> -+; .htaccess. The string "legcprsum" will allow logging, execution, get,
> -+; post, cookie, request, sql, upload, misc features in .htaccess
> -+;suhosin.perdir = "0"
> -+
> -+;;;;;;;;;;;;;;;;;;;;;;
> -+; Dynamic Extensions ;
> -+;;;;;;;;;;;;;;;;;;;;;;
> -+;
> -+; If you wish to have an extension loaded automatically, use the following
> -+; syntax:
> -+;
> -+;   extension=modulename.so
> -+;
> -+; Note that it should be the name of the module only; no directory information
> -+; needs to go here.  Specify the location of the extension with the
> -+; extension_dir directive above.
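Review bot: this hunk deletes the port's whole php.ini patch and re-adds none of it, yet that patch is where the port's hardened defaults live: the `-+allow_url_fopen = Off` override of upstream's `allow_url_fopen = On`, the complete `[suhosin]` section (with its one active directive, `suhosin.mail.protect = 1`, and the commented reference for the `suhosin.executor.*`, `suhosin.session.*`, `suhosin.cookie.*` and `suhosin.request.*` directives), and the Unix-only `extension=modulename.so` loader note. Please say where the 5.3 port reinstates these, for example in a replacement patch against the 5.3 ini files, because as shown here the update would otherwise ship upstream's `allow_url_fopen = On` and leave administrators without the documented Suhosin directives in the installed php.ini.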


Re: [UPDATE] www/php5

Max Varencov
02.12.2009 21:05, Robert Nagy wrote:

> Hi
>
> This is a no go.
>
> Please provide a separate port for php 5.3.
>
> On (2009-12-02 01:48), Max Varencov wrote:
>> Hi,
>>
>> Here is a diff for PHP 5.3.1 with suhosin patch.
>>
>> Removed extensions:
>>   - ncurses
>>   - mhash
>>   - pspell
>>   - dbase
>>
>> New extensions:
>>   - phar
>>   - fileinfo
>>   - enchant
>>   - sqlite3
>>
>> Extensions mysql, mysqli and pdo_mysql now use mysqlnd.
>>
>> PHP release announcement: http://php.net/releases/5_3_0.php
>> PHP release changelog: http://www.php.net/ChangeLog-5.php#5.3.1
>>
>> Tested on current OpenBSD amd64 and i386.
>>
>> Ok? Any comments?
>
What happened?
$ cd /tmp
$ cvs checkout -rHEAD ports/www/php5
$ cd ports/www/php5
$ cp /home/Mete0/php5.patch .
$ patch -p0 < php5.patch
Works fine.

Okay, port attached.

php5.tar.gz (42K)

Re: [UPDATE] www/php5

Robert Nagy
I believe that your diff applies cleanly, but the thing
is that I do not want to update php to 5.3.

We can split the php5 port to have both 5.2 and 5.3.

That is why I asked for a separate port.

On (2009-12-02 21:45), Max Varencov wrote:

>
> What happened?
> $ cd /tmp
> $ cvs checkout -rHEAD ports/www/php5
> $ cd ports/www/php5
> $ cp /home/Mete0/php5.patch .
> $ patch -p0 < php5.patch
> Works fine.
>
> Okay, port attached.



Re: [UPDATE] www/php5

Max Varencov
Robert Nagy wrote:

> I believe that your diff applies cleanly, but the thing
> is that I do not want to update php to 5.3.
>
> We can split the php5 port to have both 5.2 and 5.3.
>
> That is why I asked for a separate port.
>
> On (2009-12-02 21:45), Max Varencov wrote:
>> What happened?
>> $ cd /tmp
>> $ cvs checkout -rHEAD ports/www/php5
>> $ cd ports/www/php5
>> $ cp /home/Mete0/php5.patch .
>> $ patch -p0 < php5.patch
>> Works fine.
>>
>> Okay, port attached.
>
>

Okay, I understand you. But I cannot understand how I can do a separate
port? I can send you a *clear* php 5.3 port and you commit it, okay?


Re: [UPDATE] www/php5

Robert Nagy
Okay just send it to me.

On (2009-12-02 23:43), Max Varencov wrote:

> Robert Nagy wrote:
> >I believe that your diff applies cleanly, but the thing
> >is that I do not want to update php to 5.3.
> >
> >We can split the php5 port to have both 5.2 and 5.3.
> >
> >That is why I asked for a separate port.
> >
> >On (2009-12-02 21:45), Max Varencov wrote:
> >>What happened?
> >>$ cd /tmp
> >>$ cvs checkout -rHEAD ports/www/php5
> >>$ cd ports/www/php5
> >>$ cp /home/Mete0/php5.patch .
> >>$ patch -p0 < php5.patch
> >>Works fine.
> >>
> >>Okay, port attached.
> >
> >
>
> Okay, I understand you. But I cannot understand how I can do a separate
> port? I can send you a *clear* php 5.3 port and you commit it, okay?


Re: [UPDATE] www/php5

Max Varencov
Robert Nagy wrote:

> Okay just send it to me.
>
>> On (2009-12-02 23:43), Max Varencov wrote:
>> Robert Nagy wrote:
>>> I believe that your diff applies cleanly, but the thing
>>> is that I do not want to update php to 5.3.
>>>
>>> We can split the php5 port to have both 5.2 and 5.3.
>>>
>>> That is why I asked for a separate port.
>>>
>>> On (2009-12-02 21:45), Max Varencov wrote:
>>>> What happened?
>>>> $ cd /tmp
>>>> $ cvs checkout -rHEAD ports/www/php5
>>>> $ cd ports/www/php5
>>>> $ cp /home/Mete0/php5.patch .
>>>> $ patch -p0 < php5.patch
>>>> Works fine.
>>>>
>>>> Okay, port attached.
>>>
>> Okay, I understand you. But I cannot understand how I can do a separate
>> port? I can send you a *clear* php 5.3 port and you commit it, okay?
>
Attached. I hope this is it.

php53.tar.gz (38K)