On Friday, 6 June 2003 at 15:03, Jean-Michel Dault wrote:
> On Fri 06/06/2003 at 03:59, Oden Eriksson wrote:
> > > > +disable_functions = phpinfo
> > >
> > > - anyone using phpinfo() and making it publically accessible is insane
>
> Amen ;-)
>
> > > Of course, people dislike it when I introduce or suggest better
> > > security measures, so I suspect the consensus from people will be to
> > > leave well enough alone.
>
> Amen ;-)
>
> > I forgot to forward this to J-M, I think it's his call after all.
>
> My opinion is we shouldn't be "more catholic than the pope".
>
> As Dan Scott wrote,
> "* disabling phpinfo() and dealing with people complaining that PHP
> doesn't work on Mandrake, because phpinfo() is a standard PHP function
> documented at php.net and within numerous books, tutorials, articles"
>
> This is very important to me. If someone uses the phpinfo() command and
> it doesn't work, they'll think that Mandrake doesn't work, and this is
> bad for us.
>
> If and when phpinfo is disabled by the PHP group, with a clean CVS
> commit, and with the benediction of Rasmus, I'll gladly conform and
> apply the changes to our packages.
>
> In the meantime, I suggest we leave this function alone.

Hmmm..., would it be possible to disable it globally and enable it for 
127.0.0.1 only? Make it work only in CLI mode?

One of the goals to be "innovative" for the next Mandrake release could be to 
lock down as much as possible from the start. Kind of like when Vincent disabled 
root logins in openssh; I liked that even though it broke stuff and made some 
people pissed ;) My earliest apache2 packages come to my mind too; it really 
made people pissed when everything was monster-split and not even mod_dir 
was installed by default ;)

Well. It's just an idea as good as any.

-- 
Regards // Oden Eriksson, Deserve-IT.com
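One way to get the "off for the web server, on for CLI" split Oden asks about, as an added example that is not part of the thread: PHP reads a separate php.ini per SAPI on distributions that ship one, and disable_functions is a php.ini-only directive (it cannot be set in httpd.conf), so the per-SAPI file is where the switch lives. The /etc/php/<version>/<sapi>/ paths are an assumption; Mandrake's layout may differ.

```ini
; Added example, not from the thread. Assumes a distribution that ships one
; php.ini per SAPI under /etc/php/<version>/<sapi>/; adjust paths as needed.

; --- /etc/php/<version>/apache2/php.ini (web server SAPI) ---
; Disabling phpinfo here removes it from every script served by Apache.
; A script that calls phpinfo() then fails instead of dumping the
; configuration, which is exactly the "PHP doesn't work on Mandrake"
; complaint raised above; the message text varies between PHP versions.
disable_functions = phpinfo

; --- /etc/php/<version>/cli/php.ini (command-line SAPI) ---
; Left empty so an administrator logged in on the box can still run
;   php -r 'phpinfo();'
; locally. This is the closest practical equivalent of "127.0.0.1 only",
; since disable_functions cannot be toggled per client address or per
; vhost (it must be set in php.ini, not in httpd.conf).
disable_functions =

; Check from each SAPI:
;   php -r 'var_dump(function_exists("phpinfo"));'   -> bool(true) on CLI
; while the same call in a web-served script returns false, because
; function_exists() reports disabled functions as absent.
```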