Newsgroups: php.internals
Subject: Re: [PHP-DEV] Run-time taint support proposal
From: stas@zend.com (Stanislav Malyshev)
To: Ilia Alshanetsky
CC: PHP internals
Date: Sat, 16 Dec 2006 13:26:41 -0800
Message-ID: <45846491.6020101@zend.com>
In-Reply-To: <6526D55D-DC87-40D4-8335-CCB0FA810646@prohost.org>

> You seem to be ignoring the argument and clinging to a false assumption
> that only people with open phpinfo()s have disable_errors enabled. I
> guarantee you that is not the case for the most part.

Well, there's little we can do in that part except for educating users
and changing defaults. The problem is not unique to PHP of course - I
have seen JSP and ASP error messages on most sensitive sites with paths
etc. so many times. But that's an entirely unrelated problem.

>> No solution can help a person who deliberately configures his server
>> wide open.
>
> Accidentally leaving phpinfo(), is wide open? I suppose if I were to

If you consider exposing the script file name a problem, on that scale
having phpinfo() available to Google is wide open indeed.

> demonstrate a vulnerability on zend.com it would imply Zend does not
> care about security?

If you know of a vulnerability on zend.com, please write to
webmaster@zend.com; that would be the only responsible course of action.
However, I do not see how having vulnerabilities implies not caring for
security.

> You're not helping them, just making assumptions about how their code
> should work and making them adhere to them.

Yes, and this is helping. Every language does that. Saying "you can't
make 100% work exactly as I wanted without any effort, so the entire
thing isn't even worth discussing" is a road to nowhere. There's a lot of
places it would be helpful, and there's a lot of places it won't - and
that's ok.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com  http://www.zend.com/
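The exchange above turns on two information-disclosure settings: error messages that leak script paths to the client, and a forgotten phpinfo() page. As an added illustration (not part of the thread, and not a configuration anyone in it posted), the php.ini fragment below shows the weak settings beside the hardened ones; the error_log path is an assumption and should be adjusted to the server's layout.

```ini
; Added example (not from the thread). Directive names are real php.ini
; settings; the error_log path below is an assumed value.

; --- Weak: development defaults left on a public-facing server ---
; display_errors = On        ; error text, including full script paths, is sent to the browser
; display_startup_errors = On
; expose_php = On            ; adds an "X-Powered-By: PHP/x.y.z" response header

; --- Hardened: keep the detail for the admin, not the visitor ---
display_errors = Off         ; never render error details to the client
display_startup_errors = Off
log_errors = On              ; still record every error server-side
error_log = /var/log/php/error.log   ; assumed path; must be writable by the web server user
html_errors = Off            ; plain-text log lines, no HTML markup
expose_php = Off             ; drop the PHP version header

; The "accidentally left phpinfo()" case from the thread: if no script on the
; host legitimately needs it, refuse the call outright rather than relying on
; every stray phpinfo.php being removed.
disable_functions = phpinfo
```

To confirm what the running interpreter actually loaded (which may differ from the file you edited if several ini files apply), run `php --ini` to list the files in use and `php -i | grep -E 'display_errors|log_errors|expose_php|disable_functions'` to see the effective values.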