On 01/04/2012 11:46 AM, Ferenc Kovacs wrote:
> On Wed, Jan 4, 2012 at 8:37 PM, Stas Malyshev <smalys...@sugarcrm.com>wrote:
>
>> Hi!
>>
>>
>> Could you please elaborate on that part - where is the disclosure
>>> and what exactly is being disclosed?
>>>
>>>
>>> I would guess that the value of that said limit. (it is the only
>>> variable in the error message).
>>>
>>
>> This is an error message, it's not visible to anybody. Even if it were, I
>> don't see a problem with it. Usually people mean different thing by
>> information disclosure, but without proper report of course it is
>> meaningless to talk about it.
>
>
> /* do not output the error message to the screen,
> this helps us to to avoid "information disclosure" */
>
> I don't think that it is a high importance, but with display_errors
> enabled, it does leak otherwise unobtainable (if you don't have publicly
> available phpinfo files, which most person with enabled display_errors
> does) info.
>
> So while I don't feel strongly about it, I wanted to mention it.

Since it is one of these remotely-triggered errors that you can't program around, it should probably be suppressed when display_errors is on. There is another precedence for this, but I am drawing a blank on where else we did this right now.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php