Newsgroups: php.internals
Xref: news.php.net php.internals:57196
Message-ID: <4F04AD6D.80608@php.net>
Date: Wed, 04 Jan 2012 11:50:05 -0800
Organization: PHP Development Team
To: Ferenc Kovacs
CC: Stas Malyshev, Laruence, PHP Internals
References: <4F048A03.4070408@sugarcrm.com> <4F04A172.7080509@sugarcrm.com> <4F04AA8E.6020701@sugarcrm.com>
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.
From: rasmus@php.net (Rasmus Lerdorf)

On 01/04/2012 11:46 AM, Ferenc Kovacs wrote:
> On Wed, Jan 4, 2012 at 8:37 PM, Stas Malyshev wrote:
>
>> Hi!
>>
>>> Could you please elaborate on that part - where is the disclosure
>>> and what exactly is being disclosed?
>>>
>>> I would guess that the value of that said limit. (it is the only
>>> variable in the error message).
>>>
>> This is an error message, it's not visible to anybody. Even if it were, I
>> don't see a problem with it. Usually people mean a different thing by
>> information disclosure, but without a proper report of course it is
>> meaningless to talk about it.
>
> /* do not output the error message to the screen,
>    this helps us to avoid "information disclosure" */
>
> I don't think that it is of high importance, but with display_errors
> enabled, it does leak otherwise unobtainable (if you don't have publicly
> available phpinfo files, which most people with display_errors enabled
> do) info.
>
> So while I don't feel strongly about it, I wanted to mention it.

Since it is one of these remotely-triggered errors that you can't program around, it should probably be suppressed when display_errors is on. There is another precedent for this, but I am drawing a blank on where else we did this right now.

-Rasmus