Newsgroups: php.internals
From: ilia@prohost.org (Ilia Alshanetsky)
To: Stanislav Malyshev
Cc: PHP internals
Date: Fri, 15 Dec 2006 19:04:10 -0500
Subject: Re: [PHP-DEV] Run-time taint support proposal

On 15-Dec-06, at 7:01 PM, Stanislav Malyshev wrote:

>> the harm. One simple exploit leading to information disclosure is
>> to pass it an array() causing the function to generate an error
>> exposing the script's path.
>
> You mean when running with display_errors = on? Ouch.

Something that most servers do (almost 80% by recent stats).

http://www.nexen.net/images/stories/phpinfos/display_errors.png

Ilia Alshanetsky
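
Added example, not part of the original message or of PHP's own code: one way to close the path disclosure discussed above, by keeping diagnostics out of the response and rejecting array-valued parameters before a string function sees them. The parameter name `q`, the helper `string_param()` and the sample inputs are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example. Names and sample data are hypothetical.

// Keep warnings (which include the script's file path) out of responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Last line of defense: on PHP 8 a string function given an array throws
// TypeError. Log the detail server-side and send only a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo "Internal error\n";
});

/**
 * Return $params[$name] only when it is a string, otherwise $default.
 * A query string such as ?q[]=x makes PHP populate $_GET['q'] as an array.
 */
function string_param(array $params, string $name, ?string $default = null): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return $default;
    }
    return $params[$name];
}

// Constructed inputs standing in for $_GET.
$requests = [
    'normal' => ['q' => 'taint <b>'],
    'array'  => ['q' => ['x']],      // what ?q[]=x produces
    'absent' => [],
];

foreach ($requests as $label => $get) {
    $q = string_param($get, 'q');
    if ($q === null) {
        // Reject before any string function is called on the value.
        echo "$label: 400 Bad Request\n";
        continue;
    }
    echo "$label: ", htmlspecialchars($q, ENT_QUOTES, 'UTF-8'), "\n";
}
```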