Hello,

On 12/16/06, Andi Gutmans <[EMAIL PROTECTED]> wrote:
> Time to turn it off in php.ini-dist in addition to php.ini-recommended?

I think so, and to "fix" what Hannes suggested earlier this week (http://news.php.net/php.internals/26936).

--Pierre

ps: I shamelessly point you&co to my JIT/unicode post: http://news.php.net/php.internals/26965 :)

> -----Original Message-----
> From: Ilia Alshanetsky [mailto:[EMAIL PROTECTED] On Behalf Of Ilia Alshanetsky
> Sent: Friday, December 15, 2006 4:04 PM
> To: Stanislav Malyshev
> Cc: PHP internals
> Subject: Re: [PHP-DEV] Run-time taint support proposal
>
>
> On 15-Dec-06, at 7:01 PM, Stanislav Malyshev wrote:
>
> >> the harm. One simple exploit leading to information disclosure is to
> >> pass it an array() causing the function to generate an error exposing
> >> the script's path.
> >
> > You mean when running with display_errors = on? Ouch.
>
> Something that most servers do (almost 80% by recent stats).
> http://www.nexen.net/images/stories/phpinfos/display_errors.png
>
> Ilia Alshanetsky
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php