tuxgasy/docker-dolibarr

Security and performance issues

Opened this issue · 0 comments

Thanks for providing Docker images for Dolibarr!

For instance, the 17.0.0-php8.1 one seems to have security and performance issues (I must admit that I'm far from being an expert with PHP and Docker, so maybe these issues are irrelevant for a Docker image; but anyway, I wanted to let you know):

Security (.../admin/system/security.php)

  • PHP session.use_strict_mode = No (Recommended: 1)
  • PHP allow_url_fopen = 1 (Recommended: No)
  • PHP disable_functions =
    You should disable PHP functions: pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_get_handler, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, pcntl_async_signals
    Except if you need to run system commands in custom code, you should disable PHP functions: passthru, shell_exec, system, proc_open, popen
  • Permissions on files in web root directory: Some files or directories are not in a read-only mode
    Example: install/doctemplates/adherent/1, install/doctemplates/adherent/2, install/doctemplates/adherent/3, install/doctemplates/adherent/4, core/filemanagerdol/browser/default/images/icons/32, includes/webklex/php-imap/vendor/illuminate/contracts/Auth/Access, includes/swiftmailer/lib/classes/Swift/AddressEncoder, includes/stripe/stripe-php/lib/ApiOperations, includes/webklex/php-imap/vendor/illuminate/contracts/Auth, includes/swiftmailer/lib/classes/Swift/Transport/Esmtp/Auth, includes/sabre/sabre/dav/lib/DAV/Auth, includes/sabre/sabre/http/lib/Auth, includes/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Worksheet/AutoFilter, includes/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/Escher/DggContainer/BstoreContainer/BSE, includes/sabre/sabre/dav/lib/DAV/Locks/Backend, includes/sabre/sabre/dav/lib/DAV/PropertyStorage/Backend, includes/sabre/sabre/dav/lib/DAV/Auth/Backend, includes/sabre/sabre/dav/lib/CardDAV/Backend, includes/sabre/sabre/dav/lib/CalDAV/Backend, includes/stripe/stripe-php/lib/Service/BillingPortal, includes/stripe/stripe-php/lib/BillingPortal, includes/maximebf/debugbar/src/DebugBar/Bridge ...
  • $dolibarr_main_prod: 0 If you are on a production environment, you should set this property to 1.
  • $dolibarr_main_db_pass: Database password is NOT obfuscated in conf file (Recommended: set the option "Encrypt database password stored in conf.php" to Yes; it is strongly recommended to activate this option)
  • Antivirus enabled on uploaded files: No - Recommended: Define a path for an antivirus program into Home - Setup - Security
  • UMask parameter for new files on Unix/Linux/BSD/Mac file system: 0664 (Recommended: 0600 | 0660)
  • Security events that are audited: No security events are audited. You can enable them from menu Home - Setup - Security - Security events
  • Syslog: Module Syslog is activated with a too high logging level (try to use a lower level for better performances and security)

Performances (.../admin/system/perf.php)

Compression of HTTP responses:
Files of type javascript (.js.php) are not compressed by HTTP server
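As an added example (not code from the tuxgasy/docker-dolibarr project or from this issue), the three php.ini findings above (session.use_strict_mode, allow_url_fopen, disable_functions) can be fixed with a conf.d override fragment, and a small POSIX sh checker can re-verify the fragment the way Dolibarr's admin/system/security.php does. The destination directory /usr/local/etc/php/conf.d is an assumption based on the official php images.

```shell
# Function list taken from the report above (constructed for this example).
PCNTL_FUNCS="pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped"
PCNTL_FUNCS="$PCNTL_FUNCS,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig"
PCNTL_FUNCS="$PCNTL_FUNCS,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch"
PCNTL_FUNCS="$PCNTL_FUNCS,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo"
PCNTL_FUNCS="$PCNTL_FUNCS,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals"
# Only add these if no custom code needs to run system commands.
EXEC_FUNCS="passthru,shell_exec,system,proc_open,popen"

# Write the hardening fragment to the file given as $1
# (e.g. /usr/local/etc/php/conf.d/zz-hardening.ini, assumed path).
write_php_hardening() {
  cat > "$1" <<EOF
; Hardening fragment constructed for this example
session.use_strict_mode = 1
allow_url_fopen = Off
disable_functions = ${PCNTL_FUNCS},${EXEC_FUNCS}
EOF
}

# Print the last value of key $2 in ini file $1 (empty if the key is absent).
ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report each unmet recommendation for ini file $1; the return code is the
# number of findings, so 0 means the file satisfies every check.
# A missing key counts as unmet: PHP's default for allow_url_fopen is On
# and for session.use_strict_mode is 0, so silence is not safety.
check_php_ini() {
  findings=0
  [ "$(ini_get "$1" session.use_strict_mode)" = "1" ] \
    || { echo "session.use_strict_mode should be 1"; findings=$((findings + 1)); }
  case "$(ini_get "$1" allow_url_fopen)" in
    Off|off|0) ;;
    *) echo "allow_url_fopen should be Off"; findings=$((findings + 1)) ;;
  esac
  disabled=",$(ini_get "$1" disable_functions),"
  for f in $(printf '%s,%s' "$PCNTL_FUNCS" "$EXEC_FUNCS" | tr ',' ' '); do
    case "$disabled" in
      *",$f,"*) ;;
      *) echo "disable_functions is missing $f"; findings=$((findings + 1)) ;;
    esac
  done
  return "$findings"
}
```

Running check_php_ini against the container's merged php.ini output (php --ini lists the files) before and after adding the fragment shows which findings the override actually clears.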