Hey,
On 10.4.2025 17:19:57, Tim Düsterhus wrote:
Hi
Am 2025-04-09 04:00, schrieb Andrew Lyons:
The intent of this change is to make PHP installations safer by
default and
prevent the accidental release of sensitive information in stack traces.
* RFC: https://wiki.php.net/rfc/exception_ignore_args_default_value
* Implementation: https://github.com/php/php-src/pull/18215
As I had said on GitHub before, but to put it onto the list for
visibility:
I'd rather see the value in `php.ini-production` being changed to
`Off` to match the built-in default. see
https://github.com/php/php-src/pull/18215#issuecomment-2768618516
Full agreement with Tim here - make PHP friendly to development.
There are only few places where secrets would be actually relevant, and
those can be covered by #[SensitiveParameter].
I've been quite annoyed a few times - I install PHP, promptly all args
missing in my logs. Not a great experience for me to then first have to
toggle it.
Also, it's something which you need to be even aware of - newcomers to
PHP would see the stacktraces not containing arguments and not even know
that they could enable them.
@Tim: You have my full support to propose a counterproposal here.
Bob
