Security and performance issues
Opened this issue · 0 comments
dbitouze commented
Thanks for providing Docker images for Dolibarr!

For instance, the 17.0.0-php8.1 one seems to have security and performance issues (I must admit that I'm far from being an expert with PHP and Docker, so maybe these issues are irrelevant for a Docker image; but anyway, I wanted to let you know):
Security (.../admin/system/security.php)

- PHP session.use_strict_mode = No (Recommended: 1)
- PHP allow_url_fopen = 1 (Recommended: No)
- PHP disable_functions =
  You should disable PHP functions: pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_get_handler, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, pcntl_async_signals
  Except if you need to run system commands in custom code, you should disable PHP functions: passthru, shell_exec, system, proc_open, popen
- Permissions on files in web root directory: Some files or directories are not in a read-only mode
  Example: install/doctemplates/adherent/1, install/doctemplates/adherent/2, install/doctemplates/adherent/3, install/doctemplates/adherent/4, core/filemanagerdol/browser/default/images/icons/32, includes/webklex/php-imap/vendor/illuminate/contracts/Auth/Access, includes/swiftmailer/lib/classes/Swift/AddressEncoder, includes/stripe/stripe-php/lib/ApiOperations, includes/webklex/php-imap/vendor/illuminate/contracts/Auth, includes/swiftmailer/lib/classes/Swift/Transport/Esmtp/Auth, includes/sabre/sabre/dav/lib/DAV/Auth, includes/sabre/sabre/http/lib/Auth, includes/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Worksheet/AutoFilter, includes/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/Escher/DggContainer/BstoreContainer/BSE, includes/sabre/sabre/dav/lib/DAV/Locks/Backend, includes/sabre/sabre/dav/lib/DAV/PropertyStorage/Backend, includes/sabre/sabre/dav/lib/DAV/Auth/Backend, includes/sabre/sabre/dav/lib/CardDAV/Backend, includes/sabre/sabre/dav/lib/CalDAV/Backend, includes/stripe/stripe-php/lib/Service/BillingPortal, includes/stripe/stripe-php/lib/BillingPortal, includes/maximebf/debugbar/src/DebugBar/Bridge ...
- $dolibarr_main_prod: 0. If you are on a production environment, you should set this property to 1.
- $dolibarr_main_db_pass: Database password is NOT obfuscated in conf file (Recommended: Set option "Encrypt database password stored in conf.php. It is strongly recommended to activate this option." to Yes)
- Antivirus enabled on uploaded files: No - Recommended: Define a path for an antivirus program into Home - Setup - Security
- UMask parameter for new files on Unix/Linux/BSD/Mac file system.: 0664 (Recommended: 0600 | 0660)
- Security events that are audited: No security events are audited. You can enable them from menu Home - Setup - Security - Security events
- Syslog: Module Syslog is activated with a too high logging level (try to use a lower level for better performance and security)
Performance (.../admin/system/perf.php)

- Compression of HTTP responses: Files of type javascript (.js.php) are not compressed by HTTP server
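The three PHP items in the report above (session.use_strict_mode, allow_url_fopen, disable_functions) can be checked and fixed outside Dolibarr. The script below is an added example, not code from this issue, from Dolibarr or from the docker-dolibarr project: it parses a php.ini-style text, reports the same three weaknesses the report shows, and emits an override fragment that satisfies them. The sample input is constructed from the values in the report; the conf.d location and the file name zz-dolibarr-hardening.ini are assumptions (they match how the official php image loads extra ini files, if the Dolibarr image is built on it).

```python
# Added example (not code from the issue or from the Dolibarr / docker-dolibarr
# projects): audit a php.ini-style text against the three PHP items that
# Dolibarr's admin/system/security.php flags, and emit an override fragment
# that fixes them. File name and image layout below are assumptions.

PCNTL_FUNCS = [
    "pcntl_alarm", "pcntl_fork", "pcntl_waitpid", "pcntl_wait",
    "pcntl_wifexited", "pcntl_wifstopped", "pcntl_wifsignaled",
    "pcntl_wifcontinued", "pcntl_wexitstatus", "pcntl_wtermsig",
    "pcntl_wstopsig", "pcntl_signal", "pcntl_signal_get_handler",
    "pcntl_signal_dispatch", "pcntl_get_last_error", "pcntl_strerror",
    "pcntl_sigprocmask", "pcntl_sigwaitinfo", "pcntl_sigtimedwait",
    "pcntl_exec", "pcntl_getpriority", "pcntl_setpriority",
    "pcntl_async_signals",
]
# Shell-spawning functions: disable unless custom code really needs them.
SHELL_FUNCS = ["passthru", "shell_exec", "system", "proc_open", "popen"]

# Constructed sample reproducing the values the report shows for the image.
WEAK_INI = """
[PHP]
session.use_strict_mode = No
allow_url_fopen = 1
disable_functions =
"""


def php_bool(value: str) -> bool:
    """php.ini truthiness: 1/On/True/Yes are true; 0/Off/False/No/"" are false."""
    return value.strip().strip('"').lower() in ("1", "on", "true", "yes")


def parse_ini(text: str) -> dict:
    """Minimal php.ini reader: drops ';' comments and [sections], last key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def disabled_functions(settings: dict) -> set:
    raw = settings.get("disable_functions", "")
    return {f.strip() for f in raw.split(",") if f.strip()}


def audit(settings: dict, allow_shell: bool = False) -> list:
    """Return one finding per weak setting; an empty list means all three pass."""
    findings = []
    # PHP's built-in default is 0: the server then accepts a session ID it never
    # issued, which is what makes session fixation work.
    if not php_bool(settings.get("session.use_strict_mode", "0")):
        findings.append("session.use_strict_mode is off (session fixation possible)")
    # Built-in default is On: fopen(), file_get_contents() and friends accept URLs.
    if php_bool(settings.get("allow_url_fopen", "1")):
        findings.append("allow_url_fopen is on (file functions accept remote URLs)")
    required = set(PCNTL_FUNCS) | (set() if allow_shell else set(SHELL_FUNCS))
    missing = sorted(required - disabled_functions(settings))
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings


def hardened_fragment(allow_shell: bool = False) -> str:
    """Override fragment; on the official php image it would be dropped into
    /usr/local/etc/php/conf.d/ (assumed file name: zz-dolibarr-hardening.ini)."""
    funcs = PCNTL_FUNCS + ([] if allow_shell else SHELL_FUNCS)
    return "\n".join([
        "; hardening overrides, loaded after php.ini",
        "session.use_strict_mode = 1",
        "allow_url_fopen = Off",
        "disable_functions = " + ",".join(funcs),
        "",
    ])


if __name__ == "__main__":
    for finding in audit(parse_ini(WEAK_INI)):
        print("WEAK:", finding)
    print(hardened_fragment())
```

Run it against the output of `php --ini` / the container's php.ini to see the same three findings the report lists; `allow_shell=True` keeps the five shell functions available for installations whose custom code needs them, and the fragment it emits then still passes its own audit with the same flag. The file-permission, umask and conf.php items in the report are filesystem and Dolibarr-configuration matters and are not covered here.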