You seem to be ignoring the argument and clinging to a false assumption
that only people with open phpinfo()s have disable_errors enabled. I
guarantee you that is not the case for the most part.
Well, there's little we can do in that part except for educating users
and changing defaults. The problem is not unique to PHP of course - I
have seen JSP and ASP error messages on most sensitive sites with paths
etc. so many times. But that's an entirely unrelated problem.
No solution can help a person who deliberately configures his server
wide open.
Accidentally leaving phpinfo() is wide open?
If you consider exposing the script file name a problem, on that scale
having phpinfo() available to google is wide open indeed.
I suppose if I were to demonstrate a vulnerability on zend.com it would
imply Zend does not care about security?
If you know of a vulnerability on zend.com, please write to
[EMAIL PROTECTED], that would be the only responsible course of action.
However, I do not see how having vulnerabilities implies not caring for
security.
You're not helping them, just making assumptions about how their code
should work and making them adhere to them.
Yes, and this is helping. Every language does that. Saying "you can't
make 100% work exactly as I wanted without any effort, so entire thing
isn't even worth discussing" is a road to nowhere. There's a lot of places
it would be helpful, and there's a lot of places it won't - and that's ok.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/