Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:85930
Return-Path: <danack@basereality.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 76574 invoked from network); 23 Apr 2015 15:11:07 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Apr 2015 15:11:07 -0000
Authentication-Results: pb1.pair.com header.from=danack@basereality.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=danack@basereality.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain basereality.com from 209.85.217.174 cause and error)
X-PHP-List-Original-Sender: danack@basereality.com
X-Host-Fingerprint: 209.85.217.174 mail-lb0-f174.google.com  
Received: from [209.85.217.174] ([209.85.217.174:36624] helo=mail-lb0-f174.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A7/90-35080-A8B09355 for <internals@lists.php.net>; Thu, 23 Apr 2015 11:11:07 -0400
Received: by lbbqq2 with SMTP id qq2so15530652lbb.3
        for <internals@lists.php.net>; Thu, 23 Apr 2015 08:11:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=xaZBds2RaBPUcQywH8Q6Bv7oVnWzAmkDttBlRLOyzmw=;
        b=C6i42xYZbSaY9j4XohO7ek1O3N+d0U1GtLWH78D8ZOEJTLjYmj/vyH3plXJN23jp0w
         +XNCqxriLUFAeoVeRE/BwCyDgRyrTdvufcMBb4wigmV2Yhc+XYhtjndZNc94kEa6nw0U
         CggWB+5/PwY4SkeAlkEwfKYDd290LqPTZ2inYRTBswOEWFlNlx5KkdrwmazYXRZxi/uL
         1+BlXYKDovCHgGzHo/Exkasgi6epnG8bk080rK2Tqy6ifTu5+xGXTXGriocMMfGQXQDJ
         ErmofegJX2Nx8/uBdS7DDHgFVFPTBOrXT4EwzjUuTY9ZqZHI+Hy/S/VXa2rpJVau9JuM
         vuqA==
X-Gm-Message-State: ALoCoQkfVl1GF9cR3VOEMS3QrYsO9laVjOcd8pFYn8qnnaVDwVM4Y2wBR1rglOYzWd5xpszS1qFE
MIME-Version: 1.0
X-Received: by 10.152.23.38 with SMTP id j6mr2745345laf.47.1429801862853; Thu,
 23 Apr 2015 08:11:02 -0700 (PDT)
Received: by 10.25.162.146 with HTTP; Thu, 23 Apr 2015 08:11:02 -0700 (PDT)
X-Originating-IP: [2.98.212.201]
In-Reply-To: <5538E1EE.6010201@rochette.cc>
References: <5538E1EE.6010201@rochette.cc>
Date: Thu, 23 Apr 2015 15:11:02 +0000
Message-ID: <CA+kxMuR7Bj1SPgk-j49KDGDaP=c=gPfTGAEG2Y2+MK+qcfgB9w@mail.gmail.com>
To: Mathieu Rochette <mathieu@rochette.cc>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] clear_env default in php-fpm
From: danack@basereality.com (Dan Ackroyd)

On 23 April 2015 at 12:13, Mathieu Rochette <mathieu@rochette.cc> wrote:

> I didn't find much information about this change (even finding about
> |clear_env| is not that easy when search for "php fpm env var") so I don't
> know if there is others reason than BC.

It looks like it wasn't discussed that much. The PR has a brief conversation:
https://github.com/php/php-src/pull/598


> What do you think about changing the default to
> |clear_env = no| ?


For 'Container like' hosting where the application being deployed is
owned by the company doing the deploying, and all the configuration is
done automatically and no humans ever touch the machine, having
'clear_env' default to 'no' would make sense.

For, shared hosting and other places where the application being
deployed might not be owned by the same people that control the
server, having 'clear_env' default to 'no' sounds like a security
problem, as it would allow the potential for people to modify the env
settings, which they can't currently do.

Wouldn't it make more sense just to ask Heroku (or whichever container
provider someone is using) to change the setting in the version of PHP
that they provide. For the general release of PHP, unless someone can
demonstrate how it wouldn't be a security problem, continuing to
default to the current secure setting sounds sensible to me.

cheers
Dan