Hello,
A |clear_env| setting had been added in PHP 5.4 with default |clear_env
= yes| to avoid BC I imagine. With services such as Heroku or with
Docker, and following the 12 factor principles, configuration from other
services is defined with env vars. What do you think about changing the
default to |clear_env = no|? It would also match the behavior of using
PHP with Apache mod. Is it possible for 7.0? I don't know if it's too
late for this kind of change but I guess that if it's not for 7.0 it
would have to wait for 8.0, wouldn't it?
I didn't find much information about this change (even finding out about
|clear_env| is not that easy when searching for "php fpm env var") so I
don't know if there are other reasons than BC.
thank you
--
Mathieu Rochette
> I didn't find much information about this change (even finding out about
> |clear_env| is not that easy when searching for "php fpm env var") so I don't
> know if there are other reasons than BC.
It looks like it wasn't discussed that much. The PR has a brief conversation:
https://github.com/php/php-src/pull/598
> What do you think about changing the default to
> |clear_env = no|?
For 'Container like' hosting where the application being deployed is
owned by the company doing the deploying, and all the configuration is
done automatically and no humans ever touch the machine, having
'clear_env' default to 'no' would make sense.
For shared hosting and other places where the application being
deployed might not be owned by the same people that control the
server, having 'clear_env' default to 'no' sounds like a security
problem, as it would allow the potential for people to modify the env
settings, which they can't currently do.
Wouldn't it make more sense just to ask Heroku (or whichever container
provider someone is using) to change the setting in the version of PHP
that they provide? For the general release of PHP, unless someone can
demonstrate how it wouldn't be a security problem, continuing to
default to the current secure setting sounds sensible to me.
cheers
Dan
>> I didn't find much information about this change (even finding out about
>> |clear_env| is not that easy when searching for "php fpm env var") so I don't
>> know if there are other reasons than BC.
> It looks like it wasn't discussed that much. The PR has a brief conversation:
> https://github.com/php/php-src/pull/598
>> What do you think about changing the default to
>> |clear_env = no|?
> For 'Container like' hosting where the application being deployed is
> owned by the company doing the deploying, and all the configuration is
> done automatically and no humans ever touch the machine, having
> 'clear_env' default to 'no' would make sense.
> For shared hosting and other places where the application being
> deployed might not be owned by the same people that control the
> server, having 'clear_env' default to 'no' sounds like a security
> problem, as it would allow the potential for people to modify the env
> settings, which they can't currently do.
What do you mean? As I understand it, clear_env = no would give users
read access to env variables, not the ability to modify them. Am I wrong?
> Wouldn't it make more sense just to ask Heroku (or whichever container
> provider someone is using) to change the setting in the version of PHP
> that they provide? For the general release of PHP, unless someone can
> demonstrate how it wouldn't be a security problem, continuing to
> default to the current secure setting sounds sensible to me.
I'm not a security expert so I don't know how it could be proven. The
best argument I have is that Apache PHP mod does not, AFAIK, clear env
and everything seems fine.
> cheers
> Dan
thank you for your reply,
--
Mathieu Rochette
FWIW, the default has just been changed on the "official" PHP Docker
image: https://github.com/docker-library/php/pull/93
I still think it should be the default so that it would just work for
any Heroku-like hosting or user-made PHP Docker containers.
Knowing that it's the default behavior with Apache mod_php, can anyone
think of security issues that it could cause?
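The two positions in this thread map onto php-fpm pool configuration as shown here. This is an added example, not part of the original messages; the pool name and the variable names are hypothetical.

```ini
; Constructed php-fpm pool fragment. Only the environment-related
; directives are shown; user, listen and pm settings are omitted.
[app]

; Variant 1: keep the default discussed in the thread and pass an
; explicit allowlist. With clear_env = yes the worker's environment is
; emptied, then only the env[] entries below are set. A $NAME value is
; read from the environment of the php-fpm master when the pool starts.
clear_env = yes
env[DATABASE_URL] = $DATABASE_URL
env[CACHE_URL] = $CACHE_URL

; Variant 2: what the Docker image change referenced above switches to.
; Every variable present in the master's environment becomes readable by
; PHP code running in this pool (getenv(), phpinfo()), including
; variables that were never meant for the application.
;clear_env = no

; On a host where the pool runs code owned by someone other than the
; server operator, variant 1 limits what that code can read to the
; listed names. In a single-tenant container where every variable is
; injected for the application, variant 2 exposes nothing extra.
```

Running `php-fpm -tt` prints the parsed pool configuration, which shows which of the two settings is in effect for each pool.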