Newsgroups: php.internals
From: rdlowrey@gmail.com (Daniel Lowrey)
Date: Mon, 3 Feb 2014 16:45:44 -0500
Subject: Re: [PHP-DEV] Re: Windows Peer Verification
To: "internals@lists.php.net"
Cc: swhitemanlistens-software@cypressintegrated.com
References: <344075933.20140203143339@figureone.com>

> PHP users may now need to have write access to PHP.INI in
> order to not get logs filled with security warnings, for the same
> code that previously did not issue a warning.

To avoid any confusion, note that the above statement is incorrect.

    ini_set('openssl.cafile', 'C:\omg\this\is\too\hard.pem');

Source: https://github.com/php/php-src/blob/PHP-5.6/ext/openssl/openssl.c#L1078

Manual entry on where INI directives may be changed: http://www.php.net/manual/en/configuration.changes.modes.php

> Or else they need to change all outbound stream
> code, which in many cases isn't even theirs to safely change.

Then I'm using a garbage library and need to migrate *immediately*. The maintainers don't know the first thing about security and they're putting all of my data at risk. Thank goodness for these warnings to alert me that I'm doing something seriously wrong. I definitely didn't know that and I don't want to be left holding the bag when I compromise all my users' personal and sensitive information. Now I can fix it.

This is the entire point of warnings: to tell you you're doing something wrong. Suggesting this is somehow harmful is seriously negligent. Let's not pretend like the doctor setting a cast on a broken arm is the problem; the broken arm is the problem.