Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Rasmus Lerdorf
Cc: Reindl Harald, internals@lists.php.net
Date: Wed, 4 Jan 2012 22:01:01 +0100
In-Reply-To: <4F04BCF9.30802@lerdorf.com>

On Wed, Jan 4, 2012 at 9:56 PM, Rasmus Lerdorf wrote:
> On 01/04/2012 12:19 PM, Reindl Harald wrote:
> >
> > On 04.01.2012 21:07, Paul Dragoonis wrote:
> >
> >> I agree with Rasmus here. A lot of people keep display_errors
> >> on, even when they shouldn't.
> >
> > it is not the job of a programming language to stop admins from
> > being stupid - the defaults have to be sane and this is
> > display_error OFF, if somebody decides for whatever reason to turn
> > it on it is not yours or anybody else's decision to ignore the
> > setting here, and there and there also but there not
>
> Yes, but display_errors is not off by default, that is the problem. If
> we could get away with turning display_errors off by default, then I
> agree that we don't need this. As it is currently, the default setup,
> if people don't do anything, will result in a security problem because
> of this.
>
> -Rasmus

I just got the tip that this error is only shown if display_startup_errors
is set to true, and because it is in the startup routine the file path in
the error message (which is the real infoleak) would only point to
"unknown 0". If somebody has the time to double check/test this, it would
be nice.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
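As an added illustration (not part of the thread or of PHP's shipped php.ini files), the two php.ini states the discussion contrasts: the setting that lets the max_input_vars warning reach the client, and a production configuration that routes it to the log regardless of whether the warning is raised at startup. The error_log path and the max_input_vars value are assumed placeholders.

```ini
; WEAK STATE (the situation Rasmus describes): errors are rendered into the
; HTTP response, so any warning text, including a file path, is visible to
; the requester. Whether the max_input_vars warning is among them depends on
; display_startup_errors, which is the question Ferenc raises.
display_errors = On
display_startup_errors = On

; HARDENED STATE (use this block instead of the one above): nothing about the
; failure is returned to the client; it is written to the server-side log,
; so path and limit details stay on the host.
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; assumed path, adjust to your host
; Set the request-variable limit explicitly rather than relying on the default.
max_input_vars = 1000                ; assumed value, tune for the application
```

Check the values actually in effect for the SAPI serving requests (not just the CLI) with phpinfo() or `php -i | grep -E '^display_(startup_)?errors'`, since per-SAPI ini files and .htaccess/php_value overrides can differ from the global php.ini.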