From f5482baa0c1ae8a3063bbaf342ea7634f759d4de Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 25 Nov 2016 06:52:11 +0100 Subject: [PATCH] - disable pcre.jit everywhere as it raise AVC #1398474 - sync provided configuration with upstream production defaults --- 10-opcache.ini | 10 ++++ php.ini | 152 ++++++++++++++++++++++++++++++++----------------- php.spec | 6 +- 3 files changed, 115 insertions(+), 53 deletions(-) diff --git a/10-opcache.ini b/10-opcache.ini index cbd5960..845fd85 100644 --- a/10-opcache.ini +++ b/10-opcache.ini @@ -106,6 +106,16 @@ opcache.blacklist_filename=/etc/php.d/opcache*.blacklist ; Enables or disables checksum validation when script loaded from file cache. ;opcache.file_cache_consistency_checks=1 +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Validate cached file permissions. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +;opcache.validate_root=0 ; Enables or disables copying of PHP code (text segment) into HUGE PAGES. ; This should improve performance, but requires appropriate OS configuration. diff --git a/php.ini b/php.ini index 569e807..fc457f2 100644 --- a/php.ini +++ b/php.ini @@ -143,7 +143,7 @@ ; Development Value: 1000 ; Production Value: 1000 -; session.hash_bits_per_character +; session.sid_bits_per_character ; Default Value: 4 ; Development Value: 5 ; Production Value: 5 @@ -158,11 +158,6 @@ ; Development Value: On ; Production Value: Off -; url_rewriter.tags -; Default Value: "a=href,area=href,frame=src,form=,fieldset=" -; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" - ; variables_order ; Default Value: "EGPCS" ; Development Value: "GPCS" @@ -244,6 +239,23 @@ output_buffering = 4096 ; http://php.net/output-handler ;output_handler = +; URL rewriter function rewrites URL on the fly by using +; output buffer. You can set target tags by this configuration. +; "form" tag is special tag. It will add hidden input tag to pass values. +; Refer to session.trans_sid_tags for usage. +; Default Value: "form=" +; Development Value: "form=" +; Production Value: "form=" +;url_rewriter.tags + +; URL rewriter will not rewrites absolute URL nor form by default. To enable +; absolute URL rewrite, allowed hosts must be defined at RUNTIME. +; Refer to session.trans_sid_hosts for more details. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;url_rewriter.hosts + ; Transparent output compression using the zlib library ; Valid values for this option are 'off', 'on', or a specific buffer size ; to be used for compression (default is 4KB) @@ -285,7 +297,10 @@ unserialize_callback_func = ; When floats & doubles are serialized store serialize_precision significant ; digits after the floating point. The default value ensures that when floats ; are decoded with unserialize, the data will remain the same. -serialize_precision = 17 +; The value is also used for json_encode when encoding double values. +; If -1 is used, then dtoa mode 0 is used which automatically select the best +; precision. +serialize_precision = -1 ; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory @@ -663,11 +678,10 @@ auto_prepend_file = ; http://php.net/auto-append-file auto_append_file = -; By default, PHP will output a character encoding using -; the Content-type: header. To disable sending of the charset, simply -; set it to be empty. +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. ; -; PHP's built-in default is text/html +; PHP's built-in default media type is set to text/html. ; http://php.net/default-mimetype default_mimetype = "text/html" @@ -687,7 +701,6 @@ default_charset = "UTF-8" ; PHP output character encoding is set to empty. ; If empty, default_charset is used. -; mbstring or iconv output handler is used. ; See also output_buffer. ; http://php.net/output-encoding ;output_encoding = @@ -761,6 +774,11 @@ enable_dl = Off ; http://php.net/cgi.fix-pathinfo ;cgi.fix_pathinfo=1 +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +; http://php.net/cgi.dicard-path +;cgi.discard_path=1 + ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate ; security tokens of the calling client. This allows IIS to define the ; security context that the request runs under. mod_fastcgi under Apache @@ -781,6 +799,13 @@ enable_dl = Off ; http://php.net/cgi.rfc2616-headers ;cgi.rfc2616_headers = 0 +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; http://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; @@ -919,10 +944,7 @@ cli_server.color = On ; happens within intl functions. The value is the level of the error produced. ; Default is 0, which does not produce any errors. ;intl.error_level = E_WARNING - -[sqlite] -; http://php.net/sqlite.assoc-case -;sqlite.assoc_case = 0 +;intl.use_exceptions = 0 [sqlite3] ;sqlite3.extension_dir = @@ -941,7 +963,7 @@ cli_server.color = On ;Enables or disables JIT compilation of patterns. This requires the PCRE ;library to be compiled with JIT support. -;pcre.jit=1 +pcre.jit=0 [Pdo] ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" @@ -1130,6 +1152,19 @@ mysqlnd.collect_statistics = On ; http://php.net/mysqlnd.collect_memory_statistics mysqlnd.collect_memory_statistics = Off +; Records communication from all extensions using mysqlnd to the specified log +; file. +; http://php.net/mysqlnd.debug +;mysqlnd.debug = + +; Defines which queries will be logged. +; http://php.net/mysqlnd.log_mask +;mysqlnd.log_mask = 0 + +; Default size of the mysqlnd memory pool, which is used by result sets. +; http://php.net/mysqlnd.mempool_default_size +;mysqlnd.mempool_default_size = 16000 + ; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. ; http://php.net/mysqlnd.net_cmd_buffer_size ;mysqlnd.net_cmd_buffer_size = 2048 @@ -1139,6 +1174,15 @@ mysqlnd.collect_memory_statistics = Off ; http://php.net/mysqlnd.net_read_buffer_size ;mysqlnd.net_read_buffer_size = 32768 +; Timeout for network requests in seconds. +; http://php.net/mysqlnd.net_read_timeout +;mysqlnd.net_read_timeout = 31536000 + +; SHA-256 Authentication Plugin related. File with the MySQL server public RSA +; key. +; http://php.net/mysqlnd.sha256_server_public_key +;mysqlnd.sha256_server_public_key = + [PostgreSQL] ; Allow or prevent persistent links. ; http://php.net/pgsql.allow-persistent @@ -1309,19 +1353,6 @@ session.gc_maxlifetime = 1440 ; http://php.net/session.referer-check session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; Specified here to create the session id. -; http://php.net/session.entropy-file -; Defaults to /dev/urandom -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom -; If neither are found at compile time, the default is no entropy file. -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom - ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. ; http://php.net/session.cache-limiter @@ -1343,15 +1374,39 @@ session.cache_expire = 180 ; http://php.net/session.use-trans-sid session.use_trans_sid = 0 -; Select a hash function for use in generating session ids. -; Possible Values -; 0 (MD5 128 bits) -; 1 (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid_length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + +; The URL rewriter will look for URLs in a defined set of HTML tags. +;
is special; if you include them here, the rewriter will +; add a hidden field with the info which is otherwise appended +; to URLs. tag's action attribute URL will not be modified +; unless it is specified. +; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=" +; Development Value: "a=href,area=href,frame=src,form=" +; Production Value: "a=href,area=href,frame=src,form=" +; http://php.net/url-rewriter.tags +session.trans_sid_tags = "a=href,area=href,frame=src,form=" + +; URL rewriter does not rewrite absolute URLs by default. +; To enable rewrites for absolute pathes, target hosts must be specified +; at RUNTIME. i.e. use ini_set() +; tags is special. PHP will check action attribute's URL regardless +; of session.trans_sid_tags setting. +; If no host is defined, HTTP_HOST will be used for allowed host. +; Example value: php.net,www.php.net,wiki.php.net +; Use "," for multiple hosts. No spaces are allowed. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;session.trans_sid_hosts="" ; Define how many bits are stored in each character when converting ; the binary hash data to something readable. @@ -1363,18 +1418,7 @@ session.hash_function = 0 ; Development Value: 5 ; Production Value: 5 ; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 - -; The URL rewriter will look for URLs in a defined set of HTML tags. -; form/fieldset are special; if you include them here, the rewriter will -; add a hidden field with the info which is otherwise appended -; to URLs. If you want XHTML conformity, remove the form entry. -; Note that all valid entries require a "=", even if no value follows. -; Default Value: "a=href,area=href,frame=src,form=,fieldset=" -; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" -; http://php.net/url-rewriter.tags -url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" +session.sid_bits_per_character = 5 ; Enable upload progress tracking in $_SESSION ; Default Value: On @@ -1421,6 +1465,10 @@ url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" ; http://php.net/session.upload-progress.min-freq ;session.upload_progress.min_freq = "1" +; Only write session data when session data is changed. Enabled by default. +; http://php.net/session.lazy-write +;session.lazy_write = On + [Assertion] ; Switch whether to compile assertions at all (to have no overhead at run-time) ; -1: Do not compile at all @@ -1532,7 +1580,7 @@ zend.assertions = -1 ; a gd image. The warning will then be displayed as notices ; disabled by default ; http://php.net/gd.jpeg-ignore-warning -;gd.jpeg_ignore_warning = 0 +;gd.jpeg_ignore_warning = 1 [exif] ; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. diff --git a/php.spec b/php.spec index 97db5a7..517fde8 100644 --- a/php.spec +++ b/php.spec @@ -62,7 +62,7 @@ %endif %global rcver RC6 -%global rpmrel 2 +%global rpmrel 3 Summary: PHP scripting language for creating dynamic web sites Name: php @@ -1510,6 +1510,10 @@ rm -f README.{Zeus,QNX,CVS-RULES} %changelog +* Fri Nov 24 2016 Remi Collet 7.1.0-0.3.RC6 +- disable pcre.jit everywhere as it raise AVC #1398474 +- sync provided configuration with upstream production defaults + * Mon Nov 14 2016 Remi Collet 7.1.0-0.2.RC6 - re-enable interbase sub package see http://bugzilla.redhat.com/1394750 sub package inconsistency