Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:127097 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 897841A00BC for ; Fri, 11 Apr 2025 11:12:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1744369778; bh=BLrm0rgqlrd3xPE1w8F4K95HzPg4NDq2kRtZLr6dEQc=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=O1p8cGFajuucIBF6ybx/ctv/szCvTQFog5QZhS4u840AGOZ0z6mQurKlu2WEg3uRM uWReo67dda/htVwfDXKPRBKAjT2NMPDXKfbpG5eXw6JH5GYI2QqS+0um+ZzNFjExq9 s+DqPthmJQJbP22owLSJsz/UaZkEfYnQz3JSXEGmHQgqrpjUTiAc9biTG5dEEilnb/ /He8PS7rFePqDgd9W9gYti+Nk8JeDbK1I9uMwNvmxJnNqRq0ch0KBBurCov+lwBuSu mv+1icT9VZt4akXhy0ScYmpwH41N/fZb/RAbFyTCgq+r4vjV8eUWLoFvEY70+hNVmn Jbltzb/C+SU4A== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C92CB180052 for ; Fri, 11 Apr 2025 11:09:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_40,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS, FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 11 Apr 2025 11:09:37 +0000 (UTC) Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-30bfca745c7so16292071fa.0 for ; Fri, 11 Apr 2025 04:12:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1744369919; x=1744974719; darn=lists.php.net; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=BLrm0rgqlrd3xPE1w8F4K95HzPg4NDq2kRtZLr6dEQc=; b=eIWg8LiyQ7S63e1djuI96sg/VDRMnx3ElS4m1RtwHBvk2cha5GN0d9gS95y24pWCQ1 kQD/6kEKieR3SRPL4cH1gvMbXmZFlbnxic68oOJA3S/BUlbbCkTe8+b5mxzSSnXtnwKs 4lxgxMQaL6e0lAj8GxiklcEAwq16zsvHbjkBc9zezIUBSoVETd3xHTsWJTiIOlDNt0qI HsLaQB19M8qkAQYFeyvaBItkv8gNgpTGvT8Gb7yE/vvPs8AsXG1sPxxrPN9+ickzC3N6 u37DmySJwTiw0DWYUnZyqjp1U3jm3zQoXMup0pH6i5KLbDpz18TwR73Xy0FWxC2zoWXz WDSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744369919; x=1744974719; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BLrm0rgqlrd3xPE1w8F4K95HzPg4NDq2kRtZLr6dEQc=; b=dQ160IipBx99G0UGIX2eMMjadV+WQD9xzHQrF24S1V/Ed+7XM9ls9j82WIShhFCpDr G2Wc5WtclV/usLfbfaykqE+6lT2AXij13wMDrPKUIPPPMIMzHOkKZFR6ZE2hzJgYG66r nOKvVs5vXya4dy3N+3IyMXlUvXedIdZYTm7Vqve0Gc48Gdu8nW1EVECqUpjAbuXHo6/U PakS/6zYzC6pE+jBaQ79L4II4IpHm/eg53mdAUYaR5lsNyOxrAtvfAgTPO4mBWSnFuGV 7TNBPs0bntyRoyOmkU7MV6I4RGBfMG50e4alzOv6uc0QIF7hnrqpXT4FA9/kLk2xrJja l+yg== X-Gm-Message-State: AOJu0YxHszui3Laae11+/3pDK8ugTa5Q7EmfK2EA3cPr6jcsCKTbIkaw sOlo553qnX+QqYPpvq1pH1y/KzKPtEUsAbekCirpzIxAepLAGnJTbfJ3YIUd9D03FrH61mdED8p Q+Xzv6xbO1kggj36ldHDPEUMH8xq9rHO/ X-Gm-Gg: ASbGncut/zL3Te8Qvf00da+b5DYaObUBBtosPuS7sXYTFdVkfoxsEuQ18fussWPths4 k9qGTb87GF6y7MHICw44+bWMrmO+CnY08ePNgWBM1rJL2cCnoV147v4ilvt1nZvQYGdUJz/V+7L FCje3tTxYfhjdjabSQKZ4= X-Google-Smtp-Source: AGHT+IHlbvfedHoZUzlw8iIwbxvChzgUiQHaz5i1hbisrcxRYn2cRJasDQMAgUZ5sD7rW6Alwli4MBf6/RaD/azC4EM= X-Received: by 2002:a2e:be9e:0:b0:30c:2da3:1493 with SMTP id 38308e7fff4ca-31049a1ce29mr7244761fa.19.1744369919140; Fri, 11 Apr 2025 04:11:59 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 References: <2e02e8bd16ccd8f326a014fa3812da43@bastelstu.be> In-Reply-To: Date: Fri, 11 Apr 2025 12:11:46 +0100 X-Gm-Features: ATxdqUGVGomAXucrBZJznEPxSMwQnT2fJvsoJ6yNmpKH7vFM-0Syaf9MsoGzTXU Message-ID: Subject: Re: [PHP-DEV] [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting To: Andrew Lyons Cc: php internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable From: tekiela246@gmail.com (Kamil Tekiela) > In an ideal world they are never revealed to the end user, but real-world solutions fall short. It's not uncommon for people to have display_errors enabled for some reason or another. It is also possible for sites to be misconfigured, or for applications to make mistakes and accidentally dump stack traces without realising that they may contain arguments. Not all applications make use of an error handling framework, and people may enable display_errors without understanding the ramifications. Developers and system administrators are able to mess up their INI settings in whatever way they want. We can't prevent that. It's a much bigger issue if someone has display_errors set to On in production environment, and they could also have set the exception_ignore_args to Off. We can only suggest the default values for the production environment. In such a case, I'd argue that setting exception_ignore_args to Off while having display_errors=3DOff isn't a big problem. The exception is already sensitive information, maybe not on the level of PII, but it's definitely something that needs to be securely protected from end users. >Can you elaborate? Setting it Off by default increases the risk of accidental information leakage when apps aren=E2=80=99t correctly configure= d. That's great for developers, but for production sites that's not a good idea. There is no way to guarantee that every PHP application is a perfect, well-configured, system which uses the latest frameworks. Many of us are dealing with massive legacy codebases. Accidental leakage isn't a good argument for keeping this setting On in production. There should be no accidental leakage, and to prevent that PHP recommends setting display_errors to Off in the production environment. It is possible that some application messed up so badly that even with display_errors=3DOff they might still expose stack trace to the user, but that's a security bug that should already be reported to the application developers regardless of whether the stack trace contains arguments or not. In my opinion, the only valid argument here is whether it's ok for arguments to be present in the log files. This would only occur due to an Exception, Error or Warning/Notice being triggered by the code. Error log files are supposed to be checked regularly, and errors should be fixed. Thus, it's only in exceptional situations that this would happen, i.e. yet an undiscovered bug. Log files should be treated with similar care as the database, with only the administrators having controlled access. This means that the only information that should not appear in log files is the same information one wouldn't expect to find in the database, e.g. passwords. We have a solution for this now, it's #[SensitiveParameter]. You do bring up a good point that many applications still do not use it due to wanting to support older PHP versions, but keep in mind that exception_ignore_args is only available as of PHP 7.4, so users of older PHP versions are screwed either way. Those on PHP 7.4 > 8.2 can use this INI setting as a substitute for the new attribute. On the other hand, if an undiscovered bug happens in the production environment, it is very useful to know exactly under what circumstances that happened. Having the full arguments or even just a truncated part in the stack trace in your log files could make finding the bug much easier. So it's probably even more important to have the arguments in the production environment than it is in the development.