On Wed, Jan 4, 2012 at 8:37 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
>> Could you please elaborate on that part - where is the disclosure
>> and what exactly is being disclosed?
>>
>>
>> I would guess that the value of that said limit. (it is the only
>> variable in the error message).
>>
>
> This is an error message, it's not visible to anybody. Even if it were, I
> don't see a problem with it. Usually people mean different things by
> information disclosure, but without proper report of course it is
> meaningless to talk about it.

/* do not output the error message to the screen, this helps us to to avoid "information disclosure" */

I don't think that it is of high importance, but with display_errors enabled, it does leak otherwise unobtainable (if you don't have publicly available phpinfo files, which most people with enabled display_errors do) info.
So while I don't feel strongly about it, I wanted to mention it.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu