
Security hardening: disable expose_php, raise max_input_time, remove Indexes

Open lucifer4330k opened this issue 1 month ago • 2 comments

Security hardening for server defaults.

Findings

  • php.ini has expose_php = On. Best practice is Off.
  • php.ini has max_input_time = 60, which can abort large multipart/form-data uploads while PHP is still reading POST data. After raising upload limits to 5G, this should be increased.
  • Apache site config docker/config/api.conf sets Options Indexes for the document root, enabling directory listings (not needed for API).

Proposed changes

  • Set expose_php = Off in docker/config/php.ini.
  • Set max_input_time = 3600 (or -1) in docker/config/php.ini.
  • Change <Directory /var/www/openml> Options to remove Indexes.

Acceptance criteria

  • No directory listing anywhere under DocumentRoot.
  • expose_php disabled.
  • Large uploads do not time out during PHP input parsing.

lucifer4330k, Nov 17 '25 09:11

Hi @lucifer4330k I'd love to work on this issue. Can you assign me?

agarwalavantika, Nov 20 '25 17:11

Hi @lucifer4330k

I've updated OpenML/docker/config/php.ini to harden the PHP runtime: turned off expose_php so responses no longer include the PHP signature, and raised max_input_time to 3600 seconds to keep multi‑GB multipart uploads from failing mid‑stream. Adjusted OpenML/docker/config/api.conf so the document root uses Options -Indexes ..., preventing Apache from serving directory listings for the API.

Kindly check my latest PR: https://github.com/openml/OpenML/pull/1276

Aymuos22, Nov 26 '25 04:11
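As an added check for the acceptance criteria in the issue and the changes described in the last comment (example script, not code from the OpenML repo or from PR 1276), the POSIX shell script below reads a php.ini and an Apache site config and reports whether expose_php is off, max_input_time is -1 or at least 3600, and no uncommented Options line enables Indexes. The file paths and the before/after fragments it runs on are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the OpenML repo): checks the three hardening points from
# this issue against a php.ini and an Apache site config; sample contents are constructed.

# Effective value of a php.ini directive: drop ';' comments, take the last assignment.
php_ini_value() {  # $1 = php.ini path, $2 = directive name
    sed -n -e 's/;.*$//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | tail -n 1 | tr -d '[:space:]"'
}

# expose_php: PHP's built-in default is On, so an absent directive also fails.
check_expose_php() {
    case "$(php_ini_value "$1" expose_php)" in
        [Oo]ff|0|[Ff]alse|[Nn]o) return 0 ;;
        *) return 1 ;;
    esac
}

# max_input_time: -1 (unlimited) or at least $2 seconds (default 3600, as proposed here).
check_max_input_time() {
    v=$(php_ini_value "$1" max_input_time); min=${2:-3600}
    case "$v" in
        -1) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$v" -ge "$min" ] ;;
    esac
}

# Apache: fail on an uncommented "Options ... Indexes"/"+Indexes"; "-Indexes" does not match.
check_no_indexes() {
    ! grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$1"
}

# All three checks; exit status 0 only when every one passes.
check_hardening() {  # $1 = php.ini, $2 = Apache site config
    rc=0
    check_expose_php "$1"     && echo "PASS expose_php Off"       || { echo "FAIL expose_php"; rc=1; }
    check_max_input_time "$1" && echo "PASS max_input_time"       || { echo "FAIL max_input_time"; rc=1; }
    check_no_indexes "$2"     && echo "PASS no Options Indexes"   || { echo "FAIL Indexes enabled"; rc=1; }
    return $rc
}

# Stand-alone demo on constructed before/after fragments mirroring this issue.
d=$(mktemp -d)
printf 'expose_php = On\nmax_input_time = 60\n' > "$d/php.ini"
printf '<Directory /var/www/openml>\n    Options Indexes FollowSymLinks\n</Directory>\n' > "$d/api.conf"
echo "== before =="; check_hardening "$d/php.ini" "$d/api.conf" || true
printf 'expose_php = Off\nmax_input_time = 3600\n' > "$d/php.ini"
printf '<Directory /var/www/openml>\n    Options -Indexes FollowSymLinks\n</Directory>\n' > "$d/api.conf"
echo "== after =="; check_hardening "$d/php.ini" "$d/api.conf"; rm -rf "$d"
```

Point it at the real files with `check_hardening docker/config/php.ini docker/config/api.conf` after the PR is merged; a non-zero exit means at least one criterion is still unmet.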