authorZeev Suraski <zeev@php.net>2000-09-09 15:02:15 +0000
committerZeev Suraski <zeev@php.net>2000-09-09 15:02:15 +0000
commitb7ecaacd07b6be07677ed694b5dbc51b609c4263 (patch)
tree56a4ab13d9b42bc669a63c61314f3b67f794ee20 /php.ini-recommended
parent242139d5acb8ff26a42e8f41eb15558458ca8e58 (diff)
More security-related (control) patches:
- Avoid displaying errors during startup, unless display_startup_errors is enabled. - Implemented post_size_max limit. Defaults to 8MB. - Implemented file_uploads on/off directive (defaults to on).
Diffstat (limited to 'php.ini-recommended')
-rw-r--r--php.ini-recommended17
1 files changed, 14 insertions, 3 deletions
diff --git a/php.ini-recommended b/php.ini-recommended
index 901f300dd6..7143b89e27 100644
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -122,7 +122,7 @@ expose_php = On ; Decides whether PHP may expose the fact that it is installed
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30 ; Maximum execution time of each script, in seconds
-memory_limit = 8388608 ; Maximum amount of memory a script may consume (8MB)
+memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -154,6 +154,10 @@ display_errors = On ; Print out errors (as a part of the output)
; Keeping display_errors enabled on a production web site may reveal
; security information to end users, such as file paths on your Web server,
; your database schema or other information.
+display_startup_errors = Off ; Even when display_errors is on, errors that occur during
+ ; PHP's startup sequence are not displayed. It's strongly
+ ; recommended to keep display_startup_errors off, except for
+ ; when debugging.
log_errors = Off ; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
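Review bot: With `display_startup_errors = Off` added here and the unchanged `log_errors = Off` on the next line, errors raised during PHP's startup sequence are neither displayed nor logged under this recommended profile, so a failed startup leaves nothing for an operator to look at. Suppressing display is a sound production default, but it should be paired with logging, which the file's own comment below already advises. I would either set `log_errors = On` in this file or extend the new comment with `; Enable log_errors so that startup errors are still recorded.` The new comment also describes only the Off behaviour; saying that On prints startup errors in the output would make the directive's effect explicit.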
@@ -184,6 +188,7 @@ register_argc_argv = Off ; This directive tells PHP whether to declare the argv
; don't use these variables, you should turn it off for
; increased performance (you should try not to use it anyway,
; for less likelihood of security bugs in your code).
+post_max_size = 8M ; Maximum size of POST data that PHP will accept.
gpc_order = "GPC" ; This directive is deprecated. Use variables_order instead.
; Magic quotes
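Review bot: The comment on `post_max_size = 8M` does not say how this limit relates to the other size limits in the file, and the value equals the `memory_limit = 8M` set in the first hunk of this commit. The POST limit applies to the whole request body, file uploads included, so it has to be at least `upload_max_filesize` (2M here) for that setting to be reachable, and it is normally kept below `memory_limit` so that an accepted request body cannot by itself consume the script's memory allowance. I would document this on the line, for example `; Maximum size of POST data that PHP will accept, uploads included. Keep above upload_max_filesize and below memory_limit.`, and confirm that 8M for both limits is intended.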
@@ -208,8 +213,6 @@ default_mimetype = "text/html"
include_path = ; UNIX: "/path1:/path2" Windows: "\path1;\path2"
doc_root = ; the root of the php pages, used only if nonempty
user_dir = ; the directory under which php opens the script using /~username, used only if nonempty
-;upload_tmp_dir = ; temporary directory for HTTP uploaded files (will use system default if not specified)
-upload_max_filesize = 2097152 ; 2 Meg default limit on file uploads
extension_dir = ./ ; directory in which the loadable extensions (modules) reside
enable_dl = On ; Whether or not to enable the dl() function.
; The dl() function does NOT properly work in multithreaded
@@ -217,6 +220,14 @@ enable_dl = On ; Whether or not to enable the dl() function.
; on them.
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+file_uploads = On ; Whether to allow HTTP file uploads
+;upload_tmp_dir = ; temporary directory for HTTP uploaded files (will use system default if not specified)
+upload_max_filesize = 2M ; Maximum allowed size for uploaded files
+
+
;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
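Review bot: The new `file_uploads = On` line leaves uploads enabled in the recommended profile without telling the administrator when to turn them off, and `upload_tmp_dir` stays commented out, so uploaded files go to the system default temporary directory, which on many hosts is shared with other users and processes. Since this commit is described as security-related, the section should say both things. I would write `file_uploads = On ; Whether to allow HTTP file uploads. Set to Off if no script on this site accepts uploads.` and add above `upload_tmp_dir` a comment such as `; Use a directory outside the document root that only the web server user can write to.` The values themselves can stay as they are.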