On Wed, 14 Aug 2019, 12:09 Reinis Rozitis, <r...@roze.lv> wrote:

> > It is surprising how a thing that is considered by one to be a security
> > risk is treated as nothing relevant by others. This dichotomy is quite
> > disturbing - in what case is removing a security risk "no real gain"?
>
> It's questionable that a misconfigured environment is a "security" risk
> caused by language rather than ignorance of the administrator.
>
> On that matter you could ask why all the exec/passthru/proc_open etc.
> functions/features are allowed by default while every other guide on
> hardening web suggests those to be disabled (added to disable_functions)?
> I would bet there have been a lot more (actual) security breaches because
> of unsanitized/unescaped parameters to those.
>
> Just to repeat some other people - there are a lot of other things to work on
> than this.
>
> rr
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

Apologies if these short tags are bumped so many times and cause so many issues, but we are also at the very start of the discussions of PHP 8. A major version, where breaking things was supposed to be possible. So that is one of the reasons why this and similar cleanups are mentioned in the first place. With closing the door to even talk and work on cleanups, or being ashamed of it, or bullying others because they want to have a better structure with using PHP 8+, nothing good can come out of it.