Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:85933 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 97165 invoked from network); 23 Apr 2015 20:07:38 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Apr 2015 20:07:38 -0000 Authentication-Results: pb1.pair.com header.from=mathieu@rochette.cc; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=mathieu@rochette.cc; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain rochette.cc designates 195.154.14.121 as permitted sender) X-PHP-List-Original-Sender: mathieu@rochette.cc X-Host-Fingerprint: 195.154.14.121 texthtml.net Received: from [195.154.14.121] ([195.154.14.121:44159] helo=texthtml.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2A/50-28189-80159355 for ; Thu, 23 Apr 2015 16:07:37 -0400 Received: by texthtml.net (Postfix, from userid 99) id 5EB3D1019E8; Thu, 23 Apr 2015 22:02:10 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on texthtml.net X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from [192.168.1.69] (localhost [127.0.0.1]) by texthtml.net (Postfix) with ESMTPA id 186FA1019E5; Thu, 23 Apr 2015 22:02:08 +0200 (CEST) To: Dan Ackroyd references: <5538E1EE.6010201@rochette.cc> Cc: "internals@lists.php.net" Message-ID: <55395102.1080109@rochette.cc> Date: Thu, 23 Apr 2015 22:07:30 +0200 user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Thunderbird/39.0a2 mime-version: 1.0 in-reply-to: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] clear_env default in php-fpm From: mathieu@rochette.cc (Mathieu Rochette) References: <5538E1EE.6010201@rochette.cc> On 04/23/2015 05:11 PM, Dan Ackroyd wrote: > On 23 April 2015 at 12:13, Mathieu Rochette wrote: > >> I didn't find much information about this change (even finding about >> |clear_env| is not that easy when search for "php fpm env var") so I don't >> know if there is others reason than BC. > It looks like it wasn't discussed that much. The PR has a brief conversation: > https://github.com/php/php-src/pull/598 > > >> What do you think about changing the default to >> |clear_env = no| ? > > For 'Container like' hosting where the application being deployed is > owned by the company doing the deploying, and all the configuration is > done automatically and no humans ever touch the machine, having > 'clear_env' default to 'no' would make sense. > > For, shared hosting and other places where the application being > deployed might not be owned by the same people that control the > server, having 'clear_env' default to 'no' sounds like a security > problem, as it would allow the potential for people to modify the env > settings, which they can't currently do. What do you mean? As I understand it, clear_env = no, would give users read access to env variables, not the ability to modify it. am I wrong? > > Wouldn't it make more sense just to ask Heroku (or whichever container > provider someone is using) to change the setting in the version of PHP > that they provide. For the general release of PHP, unless someone can > demonstrate how it wouldn't be a security problem, continuing to > default to the current secure setting sounds sensible to me. I'm not a security expert so I don't know how it could be proven. the best argument I have is that apache php mod does not AFAIK clears env and everything seems fine > > cheers > Dan thank you for your reply, -- Mathieu Rochette