Newsgroups: php.internals
Subject: Re: [PHP-DEV] The real world ...
From: andreas@heigl.org (Andreas Heigl)
To: internals@lists.php.net
Date: Thu, 13 Jun 2019 13:41:40 +0200
Message-ID: <2581d1da-2559-9ab9-e0ea-7164ac9652c0@heigl.org>
Hey Lester, hey All

On 13.06.19 at 10:36, Lester Caine wrote:
> On 13/06/2019 08:55, Andreas Heigl wrote:
>>> display_errors=Off in production.
>
> Which gives a white screen ... fine for security but useless for people
> using the site!
>
>> While that makes absolute sense perhaps thinking whether there is a way
>> to mark password-parameters in core-functions and hide them in
>> Stack-traces might improve security as that would also hide
>> user-provided credentials in log-files.
>> That would not target userland methods/functions. Though having a
>> Core-Value-object for credentials might even allow *that*
>
> Sanitising things would be a nice to have especially where log files are
> on 'cloud' storage, but the ability to give an end user some indication
> that there is a problem WHILE display_errors=Off would be helpful? I
> know the white screen problem has been discussed many times over the
> years ...
>
> Personally I STILL use display_errors=On and just make sure that
> sensitive information is not displayed in the stack. Most of the time it
> IS just the warnings one gets and clients can report them and see they
> are cleared ... so some sort of middle ground between off and on would
> be helpful?

If you're so keen on providing the user something to see without having
to use display_errors=On: Have you had a look at
https://php.net/register_shutdown_function ?

You can always use that to figure out whether there was a fatal error
and then display something nice to the user.

No leaked stacktrace, no leaked credentials, user is informed, everyone
is happy :-)

Cheers

Andreas
-- 
Andreas Heigl
mailto:andreas@heigl.org    N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org    http://hei.gl/wiFKy7
http://hei.gl/root-ca
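The shutdown-function approach Andreas points to, written out as an added example (this is not code from the mail, and not PHP's own code): display_errors stays off, a shutdown function asks error_get_last() whether the script died of a fatal error, the details go to the server log under a random reference, and the browser only ever sees a generic page with that reference. The names isFatal and renderErrorPage, the 500-page wording, the log line format and the --demo switch are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example: friendly fatal-error page with display_errors=Off.
// Helper names, page text and log format are assumptions, not a PHP API.

ini_set('display_errors', '0');  // never echo errors or stack traces to the client
ini_set('log_errors', '1');      // keep the details in the server-side error log
error_reporting(E_ALL);

// Error types that terminate the script. Only these matter in the shutdown
// handler; a notice or warning that was already logged does not need a page.
const FATAL_ERROR_TYPES = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR
    | E_USER_ERROR | E_RECOVERABLE_ERROR;

function isFatal(?array $error): bool
{
    return $error !== null && ($error['type'] & FATAL_ERROR_TYPES) !== 0;
}

function renderErrorPage(string $reference): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    // Only a generic message and an opaque reference reach the browser;
    // file, line, message and any trace stay in the log.
    echo '<!doctype html><title>Error</title>'
        . '<h1>Something went wrong</h1>'
        . '<p>Please try again later and quote reference '
        . htmlspecialchars($reference, ENT_QUOTES, 'UTF-8') . '.</p>' . PHP_EOL;
}

register_shutdown_function(static function (): void {
    $error = error_get_last();
    if (!isFatal($error)) {
        return; // clean shutdown, nothing to show
    }
    // Random reference so support can match the user's report to the log line
    // without the user ever seeing the error text itself.
    $reference = bin2hex(random_bytes(8));
    error_log(sprintf(
        '[%s] fatal error type %d in %s:%d: %s',
        $reference, $error['type'], $error['file'], $error['line'], $error['message']
    ));
    // Drop any half-rendered output before sending the error page; output
    // buffers are flushed only after shutdown functions have run.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    renderErrorPage($reference);
});

ob_start();

// Constructed demo trigger: calling an undefined function throws an Error
// which, uncaught, ends the request as E_ERROR and reaches the handler above.
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === '--demo') {
    undefined_function_for_demo();
}

echo "Normal page content\n";
```

Running `php shutdown-page.php --demo` on the command line prints only the generic page on stdout, while the real message ("Uncaught Error: Call to undefined function ...") goes to stderr, which is where the CLI's error_log lands by default. One caveat on the credentials-in-log-files point raised earlier in the thread: an uncaught exception's logged message includes its stack trace with call arguments, so on PHP 7.4 and later setting `zend.exception_ignore_args=1` in php.ini keeps those arguments, and any password passed through them, out of the log as well.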