On 11.04.2014 21:15, Jeff Trawick wrote:
> On Fri, Apr 11, 2014 at 3:00 PM, Andre Nathan <andre...@gmail.com> wrote:
> 
>     On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener <cove...@gmail.com> wrote:
> 
>         Should have been more clear, I meant a per-request environment
>         variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one
> 
> 
>     I have a working patch for this too, but this would allow a user to use
>     UnsetEnv in his .htaccess and override the global behavior. Wouldn't it
>     be best if this couldn't be changed via .htaccess?
> 
>     Best,
>     Andre
> 
> 
> If the user is motivated to do that, is it because PHP (for example) at the
> user's disposal does not otherwise have a way to obtain similar information,
> or PHP has a way to block any other ways to find that?

Simply list "getenv" in "disable_functions", put
<?php $_SERVER['SERVER_ADDR']='';?>
in a file listed in "auto_prepend_file" and you are done; no need to touch
httpd for that. And in case of security by obscurity, allowing removal of the
"Server" header to hide what webserver you are running would have more benefit.
