[2016-10-20 20:49 UTC] stas@php.net
-Type: Security
+Type: Feature/Change Request
[2016-10-20 20:49 UTC] stas@php.net
[2016-10-29 15:46 UTC] nikic@php.net
-Status: Open
+Status: Not a bug
[2016-10-29 15:46 UTC] nikic@php.net
Description:
------------
In a system with all error messages deactivated for security reasons (i.e. a production server), it remains possible for a malicious user having the ability to execute code to reactivate the error messages, even though the functions error_reporting()/ini_set() are disabled, if set_error_handler() is used.

Test script:
---------------
<?php
echo phpversion();
echo "<br />";

// Custom handler: dumps every detail of the error it receives.
function myErrorHandler($errno, $errstr, $errfile, $errline)
{
    var_dump($errno);
    var_dump($errstr);
    var_dump($errfile);
    var_dump($errline);
    return true;
}

$old_error_handler = set_error_handler("myErrorHandler");

// Deliberately reference an undefined constant to raise an error.
lolel;
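An added example, not part of the bug report or the PHP project: a small Python audit that reads a php.ini and tells whether it matches the configuration the report describes (error display off, error_reporting()/ini_set() disabled, set_error_handler() still callable). It assumes the functions were disabled through the `disable_functions` directive; the names `parse_ini`, `audit` and `SAMPLE_INI` and the sample file are constructed for illustration.

```python
import re

# Functions named in the report: the two the reporter disabled, and the one
# that still hands error details to user code.
SUPPRESSORS = {"error_reporting", "ini_set"}
HANDLER = "set_error_handler"
# Spellings PHP's ini parser treats as "off" for a boolean directive.
OFF_VALUES = {"0", "off", "false", "no", "none", ""}

# Constructed sample, not taken from the bug report.
SAMPLE_INI = """\
; production hardening (constructed example)
[PHP]
display_errors = On
display_errors = Off        ; later assignment wins
log_errors = On
disable_functions = "error_reporting, ini_set"
"""


def parse_ini(text):
    """Return the effective directives of a php.ini (last assignment wins)."""
    directives = {}
    for line in text.splitlines():
        # Drop ';' comments. Values containing ';' are out of scope here.
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def audit(text):
    """Report whether the ini matches the situation described in the report."""
    d = parse_ini(text)
    # PHP accepts both commas and spaces as separators in disable_functions.
    raw = d.get("disable_functions", "")
    disabled = {f.lower() for f in re.split(r"[,\s]+", raw) if f}
    display_off = d.get("display_errors", "1").lower() in OFF_VALUES
    suppressors_disabled = SUPPRESSORS <= disabled
    handler_callable = HANDLER not in disabled
    return {
        "display_errors_off": display_off,
        "suppressors_disabled": suppressors_disabled,
        "handler_callable": handler_callable,
        "matches_report": display_off and suppressors_disabled and handler_callable,
    }
```

`audit(SAMPLE_INI)` returns `matches_report: True`, meaning code running under that configuration can still register a handler and receive `$errstr`, `$errfile` and `$errline` as the test script does.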