Newsgroups: php.internals
From: george@omniti.com (George Schlossnagle)
To: Adam Maccabee Trachtenberg
Cc: George Schlossnagle, Peter Brodersen, internals@lists.php.net
Date: Sun, 25 Jul 2004 11:19:56 -0400
Subject: Re: [PHP-DEV] Bugreports - is it worth it? (or: glob() disclosing file names with open_basedir and safe_mode-restriction)

On Jul 25, 2004, at 11:12 AM, Adam Maccabee Trachtenberg wrote:

> On Sun, 25 Jul 2004, Peter Brodersen wrote:
>
>> If nobody wants to give an answer to the above, my question would
>> still be:
>> Is there any way restricting people from retrieving file names (where
>> open_basedir and safe_mode obviously won't help), besides adding glob to
>> disable_functions in php.ini?
>
> Why don't you set display_errors to Off? Or am I missing something?

Because I can set them On in my script, then go guessing at filenames on the server.

George