
* Added entropy for session token setup.

1 parent 938786d commit c2afabb1e455f64232888a2b47e42f118ca5c23d @perusio committed Jan 15, 2012
Showing with 32 additions and 29 deletions.
  1. +4 −6 README.md
  2. +9 −11 php_cleanup
  3. +19 −12 php_cleanup.awk
10 README.md
@@ -68,6 +68,9 @@ disclosure** vulnerability. It reveals a lot of, potentially:
cookies. All modern browsers support the `HttpOnly` flag. IE6, 7
and 8 also support it.
+ 9. Setup additional entropy for session token generation using the
+ hardware random number generator `/dev/urandom`. This requires
+ PHP 5.3 or later.
## Installation and Usage
@@ -109,9 +112,4 @@ To use this script(s) do the following:
## TODO
Hook this into [drush](https://github.com/perusio/drush-extras "My drush
- extras").
-
-
-
-
-
+ extras").
20 php_cleanup
@@ -8,25 +8,22 @@ SCRIPTNAME=${0##*/}
## Prints a usage help message.
function print_usage() {
echo "usage: $SCRIPTNAME -p|-d [php.ini]"
- exit 1
}
-
## Check the number of arguments.
if [ $# -lt 1 ] || [ $# -gt 2 ]; then
print_usage
+ exit 1
fi
-
## Getting the input filename. By default assumes that is called
## php.ini and is on the current directory.
-if [ ! -r php.ini ]; then
- echo "php.ini file is missing. Specify it as the last argument."
- echo "E.g.: $SCRIPTNAME /etc/php5/cli/php.ini"
- exit 1
+## Getting the input filename. By default assumes that is called
+## php.ini and is on the current directory.
+if [ $# -eq 2 ]; then
+ INPUT_FILE=$2
else
- [ $# -eq 2 ] && INPUT_FILE=$2
- [ $# -eq 1 ] && INPUT_FILE=php.ini
+ INPUT_FILE=php.ini
fi
## The AWK script that does the cleanup.
@@ -40,13 +37,14 @@ TEMP_FILE=$(mktemp)
while getopts pd OPT; do
case $OPT in
p|+p) # In a production environment.
- $AWK_SCRIPT -v is_prod=1 $INPUT_FILE | uniq > $TEMP_FILE
+ $AWK_SCRIPT -v is_prod=1 $INPUT_FILE | uniq > $TEMP_FILE
;;
d|+d) # In a development environment.
- $AWK_SCRIPT $INPUT_FILE | uniq > $TEMP_FILE
+ $AWK_SCRIPT $INPUT_FILE | uniq > $TEMP_FILE
;;
*) # Otherwise print a usage message.
print_usage
+ exit 3
esac
done
shift $(( OPTIND - 1 ))
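Review bot: The new `if [ $# -eq 2 ]` branch in the first hunk replaces the old `[ ! -r php.ini ]` test with nothing, so after the `fi` there is no longer any check that `INPUT_FILE` exists or is readable. In the second hunk a missing or unreadable file makes awk fail, but since `uniq` is the last stage the pipeline still reports success (unless `pipefail` is set somewhere above the hunk) and leaves an empty `$TEMP_FILE`; what the script does with that file afterwards is outside the hunk, but if it is written back over the input, the configuration would be emptied. I would add, directly after the `fi` that closes the assignment, `[ -r "$INPUT_FILE" ] || { echo "$SCRIPTNAME: cannot read $INPUT_FILE" >&2; exit 1; }`. The two awk invocations should also quote their expansions, `"$INPUT_FILE" | uniq > "$TEMP_FILE"`, so a path containing spaces is not word-split.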
31 php_cleanup.awk
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/awk -f
# php_cleanup.awk --- This file contains a script that tunes a given
# PHP configuration for security.
@@ -29,38 +29,45 @@
# DEALINGS IN THE SOFTWARE.
## Skip the first error log setting to avoid duplicates.
-/error_log.*\.log$/ {next}
+/^error_log.*\.log$/ {next}
## Ditto for display_errors.
-/;display_errors.*err/ {print; next}
+/^;display_errors.*err/ {print; next}
## Don't reveal you're running PHP too easily.
/^;*expose_php/ {print "expose_php = Off"; next}
## Display errors only on development environments.
-/^[; ]*display_errors/ {if (is_prod) print "display_errors = Off"; else print "display_errors = On"; next}
+/^[; ]*display_errors/ {if (is_prod) print "display_errors = Off"; else print "display_errors = On"; next}
## On a production environment use syslog for logging.
-/^;error_log[ ]*=.*log/ {if (is_prod) print "error_log = syslog"}
+/^;error_log[ ]*=.*log/ {if (is_prod) print "error_log = syslog"}
## Use zlib compression for the PHP scripts.
/^;*zlib.output_compression_level/ {print "zlib.output_compression_level = 1"; next}
/^;*zlib.output_compression/ {print "zlib.output_compression = On"; next}
## Resources for POST and memory.
-/memory_limit/ {print "memory_limit = 512M"; next}
-/post_max_size/ {print "post_max_size = 1024M"; next}
-/upload_max_filesize/ {print "upload_max_filesize = 512M"; next}
+/^memory_limit/ {print "memory_limit = 512M"; next}
+/^post_max_size/ {print "post_max_size = 1024M"; next}
+/^upload_max_filesize/ {print "upload_max_filesize = 512M"; next}
## CGI fix PATHINFO.
-/;[ ]+cgi.fix_pathinfo[ ]*=/ {print "cgi.fix_pathinfo = 0"; next}
+/^;[ ]+cgi.fix_pathinfo[ ]*=/ {print "cgi.fix_pathinfo = 0"; next}
## Fopen wrappers.
-/allow_url_fopen/ {print "allow_url_fopen = Off"; next}
-/allow_url_include/ {print "allow_url_include = Off"; next}
+/^allow_url_fopen/ {print "allow_url_fopen = Off"; next}
+/^allow_url_include/ {print "allow_url_include = Off"; next}
## No cookie handling with JS on the client.
/session.cookie_httponly/ {print "session.cookie_httponly = 1"; next}
-{print}
+## Add entropy to the session token generation mechanism using the
+## hardware random number generator. Only available on PHP 5.3 and later.
+/^session.entropy_length[ ]+=[ ]+0/ {
+ printf("; This requires PHP 5.3 or later.\nsession.entropy_length = 32\n")
+ next
+}
+/^;session.entropy_file[ ]+=.*/ {print "session.entropy_file = /dev/urandom"; next}
+{print}
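Review bot: The new `session.entropy_length` rule requires at least one space on each side of `=` (`[ ]+=[ ]+0`), so a line written as `session.entropy_length=0` or separated by tabs passes through untouched and the session keeps zero extra entropy; the file's other rules use `[ ]*` around `=` (`/^;error_log[ ]*=.*log/`), and `/^session.entropy_length[ ]*=[ ]*0/` would be consistent with them. The comment above the rule calls `/dev/urandom` a hardware random number generator, but it is the kernel's CSPRNG, so I would word it `## Seed session id generation from the kernel CSPRNG (/dev/urandom). Only available on PHP 5.3 and later.` to avoid a reader assuming a hardware-backed source. The `session.entropy_file` rule only rewrites the commented form, which is fine, but it is worth noting in that comment that an already-uncommented setting is left as found.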
