Newsgroups: php.internals
Xref: news.php.net php.internals:57199
Date: Wed, 4 Jan 2012 20:07:23 +0000
From: dragoonis@gmail.com (Paul Dragoonis)
To: Rasmus Lerdorf
Cc: Nikita Popov, Ferenc Kovacs, Stas Malyshev, Laruence, PHP Internals
In-Reply-To: <4F04B071.8080102@php.net>
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.

Inline.

On Wed, Jan 4, 2012 at 8:02 PM, Rasmus Lerdorf wrote:
> On 01/04/2012 11:54 AM, Nikita Popov wrote:
>> On Wed, Jan 4, 2012 at 8:50 PM, Rasmus Lerdorf wrote:
>>> Since it is one of these remotely-triggered errors that you can't
>>> program around, it should probably be suppressed when display_errors is
>>> on. There is another precedence for this, but I am drawing a blank on
>>> where else we did this right now.
>>>
>>> -Rasmus
>>
>> You mean like with htmlspecialchars() before PHP 5.4? Please don't.
>> It's really non-obvious to start hiding errors as soon as you enable
>> error display.
>
> But there is a very valid security concern here. People can usually run
> safely with display_errors enabled if their code is well-written. They
> can check for potential errors and avoid them. This one can't be checked
> for and you could easily write a scanner that scoured the Net for sites
> with display_errors enabled by sending a relatively short POST request
> to each one and checking for this error. And there is absolutely nothing
> people could do about this short of turning off display_errors which we
> know from experience a lot of people just don't do no matter how much we
> suggest it.

I agree with Rasmus here. A lot of people keep display_errors on, even when
they shouldn't. If log_errors is on, it should go to the error_log, but with
display_errors it should never be sent back to the browser.

- Paul Dragoonis.

> The alternative is to just not have any error message at all. That
> avoids the discrepancy between the error messages with display_errors on
> and off.
>
> -Rasmus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
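The probe Rasmus describes (a short POST with more variables than max_input_vars allows, then a check for the warning in the response) is easy to turn into a self-check for sites you administer. The script below is an added example, not code from the thread or from PHP itself. It assumes the PHP default of max_input_vars = 1000 and the warning wording of the released implementation ("Input variables exceeded N. To increase the limit change max_input_vars in php.ini."); both are labelled as assumptions in the code, so adjust them for the version and php.ini you run. The sample responses are constructed, not captured from any real server, and only the network function touches the wire.

```python
"""Self-check: does a PHP site echo the max_input_vars warning to the browser?

Added example for the php.internals thread above; not code from PHP or the thread.
Run it only against URLs you administer.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: PHP's shipped default for max_input_vars (php.ini-production).
DEFAULT_MAX_INPUT_VARS = 1000

# Assumption: substrings of the warning text emitted by released PHP versions:
# "Input variables exceeded N. To increase the limit change max_input_vars in php.ini."
WARNING_MARKERS = ("Input variables exceeded", "max_input_vars")


def build_probe_body(limit: int = DEFAULT_MAX_INPUT_VARS) -> bytes:
    """Return a urlencoded POST body carrying limit + 1 distinct variables.

    Each field is just 'vN=' so the body stays small (under 6 KB for the
    default limit): the "relatively short POST request" from the thread.
    """
    fields = [(f"v{i}", "") for i in range(limit + 1)]
    return urllib.parse.urlencode(fields).encode("ascii")


def count_variables(body: bytes) -> int:
    """Number of input variables PHP would see in a urlencoded body."""
    return len(urllib.parse.parse_qsl(body.decode("ascii"), keep_blank_values=True))


def leaks_warning(response_text: str) -> bool:
    """True if the response body contains the max_input_vars warning,
    i.e. display_errors is on and the server is fingerprintable this way."""
    return any(marker in response_text for marker in WARNING_MARKERS)


def probe(url: str, limit: int = DEFAULT_MAX_INPUT_VARS, timeout: float = 10.0) -> bool:
    """POST the oversized body to a URL you administer; report whether the warning came back.

    A 4xx/5xx reply (for example a 413 from a size limit in front of PHP) is
    still inspected, since the warning is written into the body regardless.
    """
    req = urllib.request.Request(
        url,
        data=build_probe_body(limit),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            text = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        text = err.read().decode("utf-8", errors="replace")
    return leaks_warning(text)


# Constructed sample responses (not captured from any real server).
LEAKY_RESPONSE = (
    "<br />\n<b>Warning</b>:  Unknown: Input variables exceeded 1000. "
    "To increase the limit change max_input_vars in php.ini. in "
    "<b>Unknown</b> on line <b>0</b><br />\n<html><body>Hello</body></html>"
)
QUIET_RESPONSE = "<html><body>Hello</body></html>"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} https://host.you.administer/path", file=sys.stderr)
        sys.exit(2)
    leaked = probe(sys.argv[1])
    print("display_errors leaks the max_input_vars warning" if leaked
          else "no max_input_vars warning in the response")
    sys.exit(1 if leaked else 0)
```

If the probe reports a leak, the remediation is the one Paul's reply describes: `display_errors = Off` and `log_errors = On` in php.ini, so the warning still reaches the error_log but never the response. Note that the warning is emitted from the request-parsing stage ("Unknown on line 0"), so no userland check in your application code can suppress it; only the ini settings decide where it goes.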