
* First working release.

0 parents commit c45fe45fb18b9a6b88292f5c011d3d966d52c07d @perusio committed Mar 23, 2011
Showing with 123 additions and 0 deletions.
  1. +1 −0 .gitignore
  2. +56 −0 php_cleanup
  3. +66 −0 php_cleanup.awk
1 .gitignore
@@ -0,0 +1 @@
+*.ini*
56 php_cleanup
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+### This is a simple script that wraps the AWK script and handles all
+### the file munging.
+
+SCRIPTNAME=${0##*/}
+
+## Prints a usage help message.
+function print_usage() {
+ echo "usage: $SCRIPTNAME -p|-d [php.ini]"
+ exit 1
+}
+
+
+## Check the number of arguments.
+if [ $# -lt 1 ] || [ $# -gt 2 ]; then
+ print_usage
+fi
+
+
+## Getting the input filename. By default assumes that is called
+## php.ini and is on the current directory.
+if [ ! -r php.ini ]; then
+ echo "php.ini file is missing. Specify it as the last argument."
+ echo "E.g.: $SCRIPTNAME /etc/php5/cli/php.ini"
+ exit 1
+else
+ [ $# -eq 2 ] && INPUT_FILE=$2
+ [ $# -eq 1 ] && INPUT_FILE=php.ini
+fi
+
+## The AWK script that does the cleanup.
+AWK_SCRIPT=$(dirname $0)/php_cleanup.awk
+[ -r $AWK_SCRIPT ] || exit 0
+
+## Create the temporary file for output.
+TEMP_FILE=$(mktemp)
+
+## Run the clean up of the php.ini file for a production environment.
+while getopts pd OPT; do
+ case $OPT in
+ p|+p) # In a production environment.
+ $AWK_SCRIPT -v is_prod=1 $INPUT_FILE | uniq > $TEMP_FILE
+ ;;
+ d|+d) # In a development environment.
+ $AWK_SCRIPT $INPUT_FILE | uniq > $TEMP_FILE
+ ;;
+ *) # Otherwise print a usage message.
+ print_usage
+ esac
+done
+shift $(( OPTIND - 1 ))
+OPTIND=1
+
+## Move the temporary file to the original one.
+mv $TEMP_FILE $INPUT_FILE
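Review bot: The final `mv $TEMP_FILE $INPUT_FILE` runs unconditionally, so when no `-p`/`-d` option was given (a lone filename argument passes the `$#` check but never enters the `case`) or when the awk pipeline fails, the empty file from `mktemp` replaces the configuration; the readability check `if [ ! -r php.ini ]` also tests the file in the current directory rather than the `$2` that is actually used. Requiring a successful cleanup before writing back, with `set -o pipefail` so an awk failure is not hidden behind `uniq`, avoids wiping php.ini, and every path expansion (`$0`, `$INPUT_FILE`, `$AWK_SCRIPT`, `$TEMP_FILE`) needs quoting. `[ -r $AWK_SCRIPT ] || exit 0` exits successfully when the helper script is missing and should report and exit non-zero instead. Note too that `mv` installs the 0600 file created by `mktemp` in place of the original, so the owner and mode of php.ini are lost; `cp -- "$TEMP_FILE" "$INPUT_FILE"` writes through the existing file and keeps them, and a `trap` then removes the temp file on every exit path.
```shell
set -o pipefail

# … unchanged: SCRIPTNAME, print_usage, argument-count check …

## Getting the input filename. By default assumes that is called
## php.ini and is on the current directory.
INPUT_FILE=${2:-php.ini}
if [ ! -r "$INPUT_FILE" ]; then
 echo "$INPUT_FILE is missing or unreadable. Specify it as the last argument." >&2
 echo "E.g.: $SCRIPTNAME -p /etc/php5/cli/php.ini" >&2
 exit 1
fi

## The AWK script that does the cleanup.
AWK_SCRIPT=$(dirname "$0")/php_cleanup.awk
[ -r "$AWK_SCRIPT" ] || { echo "$AWK_SCRIPT is missing or unreadable." >&2; exit 1; }

## Create the temporary file for output and drop it on any exit path.
TEMP_FILE=$(mktemp) || exit 1
trap 'rm -f -- "$TEMP_FILE"' EXIT

## Run the clean up; CLEANED is set only when the awk pipeline succeeded.
CLEANED=
while getopts pd OPT; do
 case $OPT in
 p|+p) # In a production environment.
 "$AWK_SCRIPT" -v is_prod=1 "$INPUT_FILE" | uniq > "$TEMP_FILE" && CLEANED=1
 ;;
 d|+d) # In a development environment.
 "$AWK_SCRIPT" "$INPUT_FILE" | uniq > "$TEMP_FILE" && CLEANED=1
 ;;
 *) # Otherwise print a usage message.
 print_usage
 esac
done

## Only write back when a cleanup actually ran and succeeded; cp keeps the
## owner and mode of the original instead of installing the 0600 temp file.
[ -n "$CLEANED" ] || print_usage
cp -- "$TEMP_FILE" "$INPUT_FILE"
```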
66 php_cleanup.awk
@@ -0,0 +1,66 @@
+#!/usr/bin/awk -f
+# php_cleanup.awk --- This file contains a script that tunes a given
+# PHP configuration for security.
+
+# Copyright (C) 2011 António P. P. Almeida <appa@perusio.net>
+
+# Author: António P. P. Almeida <appa@perusio.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# Except as contained in this notice, the name(s) of the above copyright
+# holders shall not be used in advertising or otherwise to promote the sale,
+# use or other dealings in this Software without prior written authorization.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+
+## Skip the first error log setting to avoid duplicates.
+/error_log.*\.log$/ {next}
+
+## Ditto for display_errors.
+/;display_errors.*err/ {print; next}
+
+## Don't reveal you're running PHP too easily.
+/^;*expose_php/ {print "expose_php = Off"; next}
+
+## Display errors only on development environments.
+/^[; ]*display_errors/ {if (is_prod) print "display_errors = Off"; else print "display_errors = On"; next}
+
+## On a production environment use syslog for logging.
+/^;error_log[ ]*=.*log/ {if (is_prod) print "error_log = syslog"}
+
+## Use zlib compression for the PHP scripts.
+/^;*zlib.output_compression_level/ {print "zlib.output_compression_level = 1"; next}
+/^;*zlib.output_compression/ {print "zlib.output_compression = On"; next}
+
+## Resources for POST and memory.
+/memory_limit/ {print "memory_limit = 512M"; next}
+/post_max_size/ {print "post_max_size = 1024M"; next}
+/upload_max_filesize/ {print "upload_max_filesize = 512M"; next}
+
+## CGI fix PATHINFO.
+/;[ ]+cgi.fix_pathinfo[ ]*=/ {print "cgi.fix_pathinfo = 0"; next}
+
+## Fopen wrappers.
+/allow_url_fopen/ {print "allow_url_fopen = Off"; next}
+/allow_url_include/ {print "allow_url_include = Off"; next}
+
+## No cookie handling with JS on the client.
+/session.cookie_httponly/ {print "session.cookie_httponly = 1"; next}
+
+{print}
+
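Review bot: The rules for memory_limit, post_max_size, upload_max_filesize, allow_url_fopen, allow_url_include and session.cookie_httponly are unanchored, so any line that merely mentions the directive — commentary included — is replaced by an active directive, which can leave duplicate settings in the output; anchoring them the way the display_errors rule already is, e.g. `/^[; ]*memory_limit[ ]*=/ {print "memory_limit = 512M"; next}`, confines the rewrite to the setting line. The unescaped `.` in the two zlib patterns is a minor variant of the same looseness and should be `zlib\.output_compression`. Unlike display_errors and error_log, the resource values (`memory_limit = 512M`, `post_max_size = 1024M`, `upload_max_filesize = 512M`) are applied regardless of `is_prod`; a header comment stating that these are deployment-specific defaults and that `is_prod` is supplied by the wrapper via `-v is_prod=1` would make that visible. A closing comment on the catch-all, `## Pass every other line through unchanged.`, would complete the documentation.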
