On Dec 15, 2006, at 7:47 PM, Andi Gutmans wrote:

Time to turn it off in php.ini-dist in addition to php.ini-recommended?

Time to rename php.ini-dist and php.ini-recommended to more clearly represent specific usage profiles, like development and production? Perhaps the production or "recommended" profile should be the default php.ini installed?

-----Original Message-----
From: Ilia Alshanetsky [mailto:[EMAIL PROTECTED] On Behalf Of
Ilia Alshanetsky
Sent: Friday, December 15, 2006 4:04 PM
To: Stanislav Malyshev
Cc: PHP internals
Subject: Re: [PHP-DEV] Run-time taint support proposal


On 15-Dec-06, at 7:01 PM, Stanislav Malyshev wrote:

the harm. One simple exploit leading to information disclosure is to pass it an array() causing the function to generate an error exposing the script's path.

You mean when running with display_errors = on? Ouch.

Something that most servers do (almost 80% by recent stats).
http://www.nexen.net/images/stories/phpinfos/display_errors.png

Ilia Alshanetsky

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
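
Added example, not code from this thread or from the PHP project: a small PHP script that audits the ini directives behind the display_errors discussion above (the ones that decide whether a warning, and the script path it carries, is echoed to the client or written to the server log) and then applies the production values at runtime. The function names and the log path are assumptions; the real fix belongs in php.ini, and the runtime enforcement is only a safety net.

```php
<?php
// Added example (not from the thread): audit a PHP runtime for the
// error-display settings discussed above and enforce production values.
// Function names and the log path are assumptions.

declare(strict_types=1);

/** Settings a production profile should carry; "0" / "1" are ini booleans. */
const PRODUCTION_ERROR_SETTINGS = [
    'display_errors'         => '0',  // never echo warnings (and file paths) to the client
    'display_startup_errors' => '0',
    'log_errors'             => '1',  // keep the information, but in the server log
    'html_errors'            => '0',
];

/** Normalise an ini boolean ("On", "1", "stdout", "", "off") to true/false. */
function iniFlag(string $name): bool
{
    // ini_get() returns false for unknown directives; cast it to "" (off).
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

/** Return human-readable findings; an empty array means the runtime is clean. */
function auditErrorDisclosure(): array
{
    $findings = [];
    if (iniFlag('display_errors')) {
        $findings[] = 'display_errors is on: warnings reveal the script path to clients';
    }
    if (iniFlag('display_startup_errors')) {
        $findings[] = 'display_startup_errors is on';
    }
    if (!iniFlag('log_errors')) {
        $findings[] = 'log_errors is off: with display off, errors would be lost entirely';
    }
    if (iniFlag('html_errors') && PHP_SAPI !== 'cli') {
        $findings[] = 'html_errors is on';
    }
    return $findings;
}

/** Apply the production profile at runtime (php.ini is still the right place). */
function enforceProductionErrorSettings(string $logPath): void
{
    foreach (PRODUCTION_ERROR_SETTINGS as $name => $value) {
        ini_set($name, $value);
    }
    ini_set('error_log', $logPath);
}

// Demonstration: report, then enforce, then re-check.
$before = auditErrorDisclosure();
echo $before ? "Findings:\n  " . implode("\n  ", $before) . "\n" : "No findings.\n";

enforceProductionErrorSettings('/var/log/php/app-errors.log'); // assumed path
$after = auditErrorDisclosure();
echo $after ? "Still open:\n  " . implode("\n  ", $after) . "\n"
            : "Production error settings in effect.\n";

// A warning raised from here on (for example by a function handed the wrong
// argument type) is written to the log file instead of the HTTP response.
trigger_error('example warning', E_USER_WARNING);
```

Run it once under the server's SAPI (not only the CLI, whose defaults differ) to see which findings the deployed php.ini produces; the audit function is also small enough to drop into a deployment health check.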
