From: [EMAIL PROTECTED] Operating system: Red Hat Linux 7.3 PHP version: 4.3.0 PHP Bug Type: Feature/Change Request Bug description: should be able to set a list of hidden environment vars
Currently, safe_mode_protected_env_vars can be set to disallow setting of specific environment variables. I propose an option to set a list of environment variables (possibly with wildcards, such as SUDO_*) that are completely hidden from PHP pages, and do not show up in phpinfo() (Since you can disable environment variables, but to hide _ENV globals, you would have to disable variable listing completely, which is not always good enough). Showing certain environment settings are a huge security risk, such as SUDO_UID and SUDO_USER if apache was started using sudo, as well as PWD, PATH, SSH_CONNECTION, etc. Disabling phpinfo() is not always a possibility, since it gives a lot of useful information to users. -- Edit bug report at http://bugs.php.net/?id=21218&edit=1 -- Try a CVS snapshot: http://bugs.php.net/fix.php?id=21218&r=trysnapshot Fixed in CVS: http://bugs.php.net/fix.php?id=21218&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=21218&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=21218&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=21218&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=21218&r=support Expected behavior: http://bugs.php.net/fix.php?id=21218&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=21218&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=21218&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=21218&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=21218&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=21218&r=dst IIS Stability: http://bugs.php.net/fix.php?id=21218&r=isapi
