[PHP-DEV] PHP 4.0 Bug #8391 Updated: as Apache module, PHP errors should not reveal absolute file paths
From: jmoore <email protected>
Date: 12/23/00

ID: 8391
Updated by: jmoore
Reported By: madizen <email protected>
Old-Status: Open
Status: Closed
Bug Type: Feature/Change Request
Assigned To:
Comments:

On production sites error reporting should be set so that
display_errors = off in your php.ini to keep this information secret.

James

Previous Comments:
---------------------------------------------------------------------------

[2000-12-23 19:46:51] madizen <email protected>
When PHP is installed as an Apache module (using Apache and PHP port installers from FreeBSD), and a script contains syntax errors or encounters problems while in use (e.g. unable to open a file with fopen), errors are reported to the browser window which reveal the absolute file path to the script rather than the relative path known by Apache, e.g. /private/database/area/php/script.php instead of /php/script.php, assuming the Apache root document directory is /private/database/area/. In several other instances, similar problems with web products (IIS, et al.) revealing the absolute paths to their virtual environments have been labeled "bugs" or "security leaks". Please consider whether the absolute path can/should be masked whenever discretion can be obtained. I apologize if this is a configurable behavior and I just can't find the toggle, but perhaps discretion should be the default behavior if such a toggle exists. Thank you for your consideration.

---------------------------------------------------------------------------

Full Bug description available at: http://bugs.php.net/?id=8391
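
Added example (not part of the original thread and not PHP project code): a check a site owner can run over captured response bodies from their own site to confirm that display_errors is really off, by spotting PHP error text and noting whether the reported file path exposes the document root. The function name, the regex and the sample responses are constructed for illustration; the path is the one used in the report above.

```python
import re

# PHP's default error text is "<Level>: <message> in <file> on line <N>";
# with html_errors on, level, file and line number are wrapped in <b> tags.
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Parse error|Fatal error|Warning|Notice)(?:</b>)?:\s+"
    r"(?P<message>[^\r\n]*)\s+in\s+(?:<b>)?(?P<file>[^<\r\n]+?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)"
)


def find_php_errors(body, docroot):
    """Return (level, file, line, exposes_docroot) for each PHP error in body."""
    root = docroot.rstrip("/") + "/"
    findings = []
    for m in PHP_ERROR.finditer(body):
        path = m.group("file").strip()
        findings.append(
            (m.group("level"), path, int(m.group("line")), path.startswith(root))
        )
    return findings


# Constructed sample responses (assumed wording of the messages).
DOCROOT = "/private/database/area/"
SAMPLE_HTML = (
    "<html><body>\n<br>\n"
    "<b>Warning</b>:  fopen(): failed to open stream: No such file or directory "
    "in <b>/private/database/area/php/script.php</b> on line <b>12</b><br>\n"
    "</body></html>"
)
SAMPLE_PLAIN = (
    "Parse error: parse error in /private/database/area/php/script.php on line 3\n"
)
SAMPLE_CLEAN = "<html><body>Sorry, something went wrong.</body></html>"

if __name__ == "__main__":
    samples = [("html", SAMPLE_HTML), ("plain", SAMPLE_PLAIN), ("clean", SAMPLE_CLEAN)]
    for name, body in samples:
        print(name, find_php_errors(body, DOCROOT))
```

Any finding at all means error text is reaching the browser; the last field separates the absolute-path case described in the report from a path that is already relative to the document root.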

-- 
PHP Development Mailing List <http://www.php.net/>