ID:               21218
Updated by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
Status:           Open
Bug Type:         Feature/Change Request
Operating System: Red Hat Linux 7.3
PHP Version:      4.3.0
New Comment:

On a related note fwiw, even if E is removed from the variables_order directive (so that $_ENV will not exist), one can still use getenv() to access the variables.


Previous Comments:
------------------------------------------------------------------------

[2002-12-27 13:55:14] [EMAIL PROTECTED]

Currently, safe_mode_protected_env_vars can be set to disallow setting of specific environment variables.

I propose an option to set a list of environment variables (possibly with wildcards, such as SUDO_*) that are completely hidden from PHP pages, and do not show up in phpinfo() (since you can disable environment variables, but to hide _ENV globals, you would have to disable variable listing completely, which is not always good enough).

Showing certain environment settings is a huge security risk, such as SUDO_UID and SUDO_USER if Apache was started using sudo, as well as PWD, PATH, SSH_CONNECTION, etc.

Disabling phpinfo() is not always a possibility, since it gives a lot of useful information to users.

------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=21218&edit=1
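
An added example, not part of the bug report or of PHP: a shell audit that lists which variables in a web server's environment match the names the report calls sensitive, i.e. what phpinfo() and getenv() would expose. The function names, the pattern list variable and the sample environment are assumptions constructed for illustration; `audit_pid` assumes Linux `/proc`.

```shell
#!/bin/sh
# Names taken from the report; shell glob syntax, SUDO_* being its wildcard example.
SENSITIVE_PATTERNS='SUDO_* PWD PATH SSH_CONNECTION'

# list_exposed (hypothetical helper): read NAME=value lines on stdin and
# print every variable name that matches one of the patterns.
list_exposed() {
    while IFS= read -r line; do
        # Skip continuation lines of multi-line values (no NAME= part).
        case $line in *=*) ;; *) continue ;; esac
        name=${line%%=*}
        [ -n "$name" ] || continue
        set -f                      # patterns must not glob against files
        for pat in $SENSITIVE_PATTERNS; do
            case $name in
                $pat) printf '%s\n' "$name"; break ;;
            esac
        done
        set +f
    done
}

# audit_pid (hypothetical helper): audit a running process, for instance
# the Apache parent process, through its NUL-separated /proc environ file.
audit_pid() {
    tr '\0' '\n' < "/proc/$1/environ" | list_exposed
}

# Constructed sample: environment of a server started from a sudo session.
sample_env() {
    cat <<'EOF'
SUDO_UID=500
SUDO_USER=alice
PWD=/home/alice
PATH=/usr/local/bin:/usr/bin:/bin
SSH_CONNECTION=192.0.2.10 40022 192.0.2.20 22
LANG=en_US
HOSTNAME=web01
EOF
}

sample_env | list_exposed
```

Run `audit_pid <pid>` as root against the server's parent process to check a live system.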