At 16:13 8/17/2001, Zeev Suraski wrote the following:
--------------------------------------------------------------
>At 17:05 17-08-01, Cynic wrote:
>>I'd do this:
>>
>>4.0.7:
>>php.ini-standard basically today's php.ini-dist
>>php.ini-recommended basically today's php.ini-optimized
>> + the proposed security related changes
>> what this is exactly I don't know. perhaps
>> only register_globals off
>
>This already exists today (except -standard is still called -dist, as there's no real
>reason to change it). We may try to encourage people to read php.ini-recommended at
>the end of the build process, because I fear nobody's looking at it today.
>
>>4.1.0:
>>php.ini-standard php.ini-recommended as contained in 4.0.7
>> + anything else you think should be there
>> (it can be more "strict" than 4.0.7's rec.)
>>php.ini-compat php.ini-standard as contained in 4.0.7
>
>I'm not sure that we can just move to the -recommended version, 4.1.0 or not. The
>nature of recommendations is that some people accept them, and some do not :) None
>of the things in the php.ini-recommended file is a clear-cut must-have, and some
>people will prefer doing without them. We'll have to think about each change
>separately.
>
>Remember that we only use the version change to catch people's attention. It doesn't
>mean that we can suddenly make PHP much more 'hostile' :)
But it's a nice opportunity to do so. BTW, I consider a site hacked
"thanks to" default settings that promote poor coding more hostile
in the end. :)
>>And while I'm at it: can the Powers That Be consider switching the
>>default setting for display_startup_errors to On in either of the
>>ini files? I believe (my experience indicates it) that this would
>>help to lower the confusion in some cases quite a bit: a message
>>instead of just a 500 can change one's day.
>
>There's a good reason for this default setting. A clear message will not only change
>your day, but also the guy who's trying to hack your site's day :) For example, with
>display_startup_errors set to on, a request can be easily made that will expose the
>full path of any scripts on your site.
>It may make good sense to set it on in the -recommended version, as it's safe in
>conjunction with display_errors=0 and log_errors=1.
This doesn't hold water. display_errors is on in php.ini-dist anyways,
so what do you gain by display_startup_errors off? NB you can use
custom error handler that won't display full physical paths, so WTF?
BTW, what is the possibility of introducing new functionality to the
default error handler, where the file paths aren't physical paths by
default, but URIs? I.e. with DOCUMENT_ROOT in /var/www/, instead of
"E_WARNING: blabla in /var/www/foo/bar.php on line xxx"
display
"E_WARNING: blabla in /foo/bar.php on line xxx"
??
(There are some issues with this I can foresee even as I type this,
but those could be hopefully figured out.)
And provide display_full_path_in_errors ini setting, or sumthin.
BTW, Zeev, could you please break your lines somewhere reasonable?
It's quite unpleasant to read those loooooooooong lines. :) THX.
[EMAIL PROTECTED]
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
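The two points argued over above (Zeev's "display_errors=0 plus log_errors=1 is safe", and Cynic's "a custom error handler can hide the physical path and show a DOCUMENT_ROOT-relative one instead") can both be shown in one script. The following is an added example and is not code from the thread or from the PHP distribution; the helper names relative_path(), error_level_name() and safe_error_handler(), the log path /var/log/php/app.log, and the sample errors at the bottom are all assumptions made for this example.

```php
<?php
// Added example (not from the original thread or from PHP itself).
// 1. Runtime equivalent of the php.ini-recommended pair
//    display_errors=0 / log_errors=1: full physical paths go to the
//    error log, nothing goes to the browser.
// 2. A custom error handler, as Cynic suggests, that rewrites
//    /var/www/foo/bar.php to /foo/bar.php before anything is displayed,
//    so even display_errors=1 (the php.ini-dist default) does not leak
//    the physical path.
// Helper names, the log path and the sample errors are assumptions.

declare(strict_types=1);

ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed location
// Set to '1' only so the demonstration prints something; the
// -recommended setting would be '0', and then only the log line remains.
ini_set('display_errors', '1');

/**
 * Map a physical script path to a path relative to DOCUMENT_ROOT.
 * Files outside the document root (e.g. a PEAR include) are reduced
 * to their basename so their location is not leaked either.
 */
function relative_path(string $file, string $docroot): string
{
    $docroot = rtrim($docroot, '/') . '/';
    if ($docroot !== '/' && strncmp($file, $docroot, strlen($docroot)) === 0) {
        return '/' . substr($file, strlen($docroot));
    }
    return basename($file);
}

function error_level_name(int $errno): string
{
    static $names = [
        E_WARNING      => 'E_WARNING',
        E_NOTICE       => 'E_NOTICE',
        E_USER_ERROR   => 'E_USER_ERROR',
        E_USER_WARNING => 'E_USER_WARNING',
        E_USER_NOTICE  => 'E_USER_NOTICE',
    ];
    return $names[$errno] ?? "E_UNKNOWN($errno)";
}

/**
 * Full path to the log, sanitized path to the client.
 * Returning true suppresses PHP's built-in handler, which is the one
 * that would otherwise print "in /var/www/foo/bar.php on line N".
 */
function safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!(error_reporting() & $errno)) {
        return false;                 // respect error_reporting like the default handler
    }
    $level = error_level_name($errno);

    // Operators get the physical path (what log_errors=1 gives you).
    error_log("$level: $errstr in $errfile on line $errline");

    // Clients get, at most, the DOCUMENT_ROOT-relative path.
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $shown = relative_path($errfile, $_SERVER['DOCUMENT_ROOT'] ?? '');
        echo htmlspecialchars("$level: $errstr in $shown on line $errline", ENT_QUOTES, 'UTF-8'), "\n";
    }
    return true;
}

set_error_handler('safe_error_handler');

// --- constructed demonstration; no real request is involved ---
$_SERVER['DOCUMENT_ROOT'] = '/var/www';

assert(relative_path('/var/www/foo/bar.php', '/var/www') === '/foo/bar.php');
assert(relative_path('/usr/local/lib/php/PEAR.php', '/var/www') === 'PEAR.php');

// Displays "E_USER_WARNING: blabla in /<this script> on line N",
// while the log receives the same line with the physical path.
trigger_error('blabla', E_USER_WARNING);
```

One caveat the thread itself touches on: set_error_handler() only takes effect once the script is running, so it can never cover the startup errors that display_startup_errors governs (a failed extension load, a bad ini directive); those are emitted before any user code exists, which is why the ini-level pairing of display_errors=0 with log_errors=1 still matters even when every script installs a handler like the one above.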