Time to turn it off in php.ini-dist in addition to php.ini-recommended?

> -----Original Message-----
> From: Ilia Alshanetsky [mailto:[EMAIL PROTECTED] On Behalf Of Ilia Alshanetsky
> Sent: Friday, December 15, 2006 4:04 PM
> To: Stanislav Malyshev
> Cc: PHP internals
> Subject: Re: [PHP-DEV] Run-time taint support proposal
>
> On 15-Dec-06, at 7:01 PM, Stanislav Malyshev wrote:
>
> >> the harm. One simple exploit leading to information disclosure is to
> >> pass it an array() causing the function to generate an error exposing
> >> the script's path.
> >
> > You mean when running with display_errors = on? Ouch.
>
> Something that most servers do (almost 80% by recent stats).
> http://www.nexen.net/images/stories/phpinfos/display_errors.png
>
> Ilia Alshanetsky
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
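An added example, not part of the original thread and not PHP project code: a small Python audit for the setting discussed above, which reads php.ini text and reports whether display_errors is off, on, or unset, since error output is what carries the script path into the response. The function names and the sample ini snippets are constructed for illustration and are not the contents of the real php.ini-dist or php.ini-recommended files.

```python
import re

# Values PHP's ini parser treats as "off" for a boolean directive.
OFF_VALUES = {"0", "off", "false", "no", "none", ""}

def effective_display_errors(ini_text):
    """Return the last display_errors value set in the ini text, or None."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        # Directive names are case-sensitive, so match the exact name only.
        m = re.match(r"display_errors\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")  # a later line overrides
    return value

def audit_display_errors(ini_text):
    """Classify the setting as 'off', 'on' or 'unset'."""
    value = effective_display_errors(ini_text)
    if value is None:
        # No active directive: PHP falls back to its built-in default ("1").
        return "unset"
    return "off" if value.lower() in OFF_VALUES else "on"

# Constructed sample inputs (not the real distribution files).
SAMPLES = {
    "dev-style": "[PHP]\ndisplay_errors = On\nlog_errors = Off\n",
    "prod-style": "[PHP]\ndisplay_errors = Off ; keep paths out of responses\n"
                  "log_errors = On\n",
    "commented-out": "[PHP]\n;display_errors = Off\n",
    "overridden": "display_errors = Off\ndisplay_errors = 1\n",
}

def audit_all(samples=SAMPLES):
    """Map each sample name to its audit result."""
    return {name: audit_display_errors(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, status in audit_all().items():
        flag = "ok" if status == "off" else "review"
        print(f"{name:15} display_errors={status:6} [{flag}]")
```

The commented-out case matters in practice: a line such as `;display_errors = Off` sets nothing, so the directive stays at PHP's default.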