the wrong permissions. Why does apache not server the 403 on the php page? Maybe this is better off in the apache list.
Yeah, this is really better on an Apache list... but... http://httpd.apache.org/docs/mod/core.html#errordocument
No, it has nothing to do with Apache. Apache doesn't open the file, PHP does. You could argue that PHP should try to throw a 403 on a permissions error, but the problem is that it is really too late in the game to do so once we get to the content handler phase where PHP lives.
It could be hacked to do it a number of ways, but it wouldn't be pretty and it wouldn't be very consistent either since we would have to only do it if no output has been sent on the request yet. So a sub-request or an auto-prepend would both change the behaviour.
Turning off display_errors really is the answer to the particular security concern raised here.
-Rasmus
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
