Edit report at http://bugs.php.net/bug.php?id=54114&edit=1
ID: 54114
Comment by: neweracracker at gmail dot com
Reported by: danhstevens at gmail dot com
Summary: Output Buffer Dumps Data On Error
Status: Open
Type: Bug
Package: Output Control
Operating System: all
PHP Version: 5.3.5
Block user comment: N
Private report: N

New Comment:

I've managed to reproduce this in Windows 7 running php 5.2.17 (with php.ini-dist) and php 5.3.5 (with php.ini-development).

Here is my test script:

<?php
set_time_limit(1);
ob_start();
echo "You shouldn't see this!";
sleep(2); // comment this and you won't see the line above in output ;)
ob_end_clean();
?>

I've reported this as bug #54174 which got closed due to being a dupe of this one, so I am leaving this comment here for reference purposes.

Regards,
NewEraCracker.

Previous Comments:
------------------------------------------------------------------------
[2011-02-28 21:40:36] danhstevens at gmail dot com

Hi Rasmus,

I was still able to create the problem by calling on a non-existing class to create a fatal error. Here is a variation of your code:

<?php
function eh($errno, $errstr, $errfile, $errline) {
    $contents = ob_get_contents();
    ob_end_clean();
    echo "Error: $errno, $errstr, $errfile, $errline\n";
}
set_error_handler('eh');
ob_start();
echo 123;
nonExistantClass::nonExistantMethod();
echo "After error\n";

Output is:

123
Fatal error: Class 'nonExistantClass' not found in ...

Hopefully the above should more accurately illustrate the issue.

------------------------------------------------------------------------
[2011-02-28 19:37:32] ras...@php.net

I am unable to reproduce this. My test script:

<?php
function eh($errno, $errstr, $errfile, $errline) {
    $contents = ob_get_contents();
    ob_end_clean();
    echo "Error: $errno, $errstr, $errfile, $errline\n";
}
set_error_handler('eh');
ob_start();
echo 123;
trigger_error('test error', E_USER_ERROR);
echo "After error\n";

And my output is:

Error: 256, test error, /var/www/testing/o.php, 10
After error

No sign of "123" there.
------------------------------------------------------------------------
[2011-02-28 07:43:46] danhstevens at gmail dot com

Description:
------------
When output buffering is turned on (via ob_start()) and an error is encountered before a call to ob_end_* is made, the entire contents of the output buffer is dumped (to STDOUT) and there appears to be no way to prevent the buffer from dumping - not even by setting an error handler, etc.

This is a security issue since the output buffer may contain sensitive information that is then dumped over to the user. Using set_error_handler does not stop the dump - it appears the dump simply happens with no way to intercept or prevent it.

Test script:
---------------
<?php
ob_start();
echo 123;
trigger_error('test error', E_USER_ERROR);
$contents = ob_get_contents();
ob_end_clean();
?>

Expected result:
----------------
(no output)

Actual result:
--------------
123
Fatal error: test error in ...

------------------------------------------------------------------------
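The thread shows why set_error_handler() cannot help here: a user error handler is never invoked for fatal errors (E_ERROR, the timeout case in the first comment, or an unhandled E_USER_ERROR), so the script is aborted with the buffer still open and PHP flushes it during request shutdown. What a defender can do is hook register_shutdown_function(): PHP runs shutdown functions before it flushes the remaining output buffers, so a shutdown handler that notices a fatal error via error_get_last() can discard every nested buffer before anything reaches the client. The script below is an added example written for this page, not code from the bug thread or from the PHP project; the handler name and the generic error text are my own choices.

```php
<?php
// Added example (not from the bug thread): discard all output buffers when
// the request is ending because of a fatal error, so buffered content is
// never flushed to the client. Relies on the documented shutdown order:
// shutdown functions run before PHP flushes its output buffers.

function discard_buffers_on_fatal_error()
{
    $error = error_get_last();
    if ($error === null) {
        return; // normal completion: let the buffers flush as usual
    }

    // Error types that abort the script and leave buffers open.
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR
           | E_USER_ERROR | E_RECOVERABLE_ERROR;
    if (($error['type'] & $fatal) === 0) {
        return; // notice/warning: script finished normally, nothing to hide
    }

    // Unwind every nested buffer without sending it. This also drops the
    // "Fatal error: ..." text if display_errors wrote it into the buffer.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    // Keep the details server-side; send the client only a generic reply.
    error_log(sprintf('Fatal error %d: %s in %s on line %d',
        $error['type'], $error['message'], $error['file'], $error['line']));
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    echo "An internal error occurred.\n";
}
register_shutdown_function('discard_buffers_on_fatal_error');

// Same shape as the reporter's test: buffered output followed by a fatal error.
ob_start();
echo 123;
trigger_error('test error', E_USER_ERROR); // fatal without a user handler
$contents = ob_get_contents();             // never reached
ob_end_clean();
?>
```

Run from the command line, this prints only the generic message and logs the real error; the buffered "123" is not emitted. The same handler covers the set_time_limit() case from the first comment, because "Maximum execution time exceeded" is an E_ERROR and appears in error_get_last(). It is a mitigation for application code, not a fix for the reported behaviour: display_errors=Off and log_errors=On in production remain the first line of defence, and the handler only works if it is registered before the buffering code runs.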