On Wed, Jan 4, 2012 at 9:56 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
> On 01/04/2012 12:19 PM, Reindl Harald wrote:
> >
> > On 04.01.2012 21:07, Paul Dragoonis wrote:
> >
> >> I agree with Rasmus here. A lot of people keep display_errors
> >> on, even when they shouldn't.
> >
> > it is not the job of a programming language to stop admins from
> > being stupid - the defaults have to be sane and this is
> > display_error OFF, if somebody decides for whatever reason to turn
> > it on it is not your or anybody else's decision to ignore the
> > setting here, and there and there also but there not
>
> Yes, but display_errors is not off by default, that is the problem. If
> we could get away with turning display_errors off by default, then I
> agree that we don't need this. As it is currently, the default setup,
> if people don't do anything, will result in a security problem because
> of this.
>
> -Rasmus

I just got the tip that this error is only shown if display_startup_errors is set to true, and because it is in the startup routine the file path in the error message (which is the real infoleak) would only point to "unknown 0".
If somebody has the time to double check/test this, it would be nice.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
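An added example, not part of the original thread and not PHP's own code: a check of php.ini text for the two directives discussed above, falling back to a built-in default when a directive is never set, which is the "people don't do anything" case. The function names, the sample defaults table and the inputs in the test are assumptions made for illustration.

```python
import re

# Values used when php.ini never sets the directive. Assumption: display_errors
# is on (as the thread states) and display_startup_errors is off, as in PHP
# releases of that period. Pass another table to model a different build.
BUILTIN_DEFAULTS = {"display_errors": "1", "display_startup_errors": "0"}

_ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def _enabled(value):
    """Interpret an ini value as an on/off display switch."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true", "stdout", "stderr"):
        return True   # stdout/stderr select a stream and are treated as enabled
    if v in ("", "off", "no", "false", "none"):
        return False
    try:
        return int(v) != 0
    except ValueError:
        return False


def audit_php_ini(text, defaults=BUILTIN_DEFAULTS):
    """Return {directive: (enabled, source)} for the display directives."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]        # ';' starts a comment
        m = _ASSIGN.match(line)
        if m and m.group(1) in defaults:
            seen[m.group(1)] = m.group(2)  # the last assignment wins
    result = {}
    for name, default in defaults.items():
        if name in seen:
            result[name] = (_enabled(seen[name]), "php.ini")
        else:
            result[name] = (_enabled(default), "built-in default")
    return result


def findings(text):
    """List the display directives that are effectively enabled."""
    return sorted(n for n, (on, _) in audit_php_ini(text).items() if on)
```

A commented-out `;display_errors = Off` line counts as unset, so the built-in default applies and the directive is still reported.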