Re: [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting

From: Date: Thu, 10 Apr 2025 18:53:24 +0000
Subject: Re: [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting
Groups: php.internals
Hey,

On 10.4.2025 17:19:57, Tim Düsterhus wrote:
> Hi
>
> On 2025-04-09 04:00, Andrew Lyons wrote:
>> The intent of this change is to make PHP installations safer by default and prevent the accidental release of sensitive information in stack traces.
>>
>> * RFC: https://wiki.php.net/rfc/exception_ignore_args_default_value
>> * Implementation: https://github.com/php/php-src/pull/18215
>
> As I had said on GitHub before, but to put it onto the list for visibility: I'd rather see the value in php.ini-production being changed to Off to match the built-in default.
>
> see https://github.com/php/php-src/pull/18215#issuecomment-2768618516

Full agreement with Tim here - make PHP friendly to development. There are only a few places where secrets would be actually relevant, and those can be covered by #[SensitiveParameter].

I've been quite annoyed a few times - I install PHP, promptly all args missing in my logs. Not a great experience for me to then first have to toggle it. Also, it's something which you need to be even aware of - newcomers to PHP would see the stacktraces not containing arguments and not even know that they could enable them.

@Tim: You have my full support to propose a counterproposal here.

Bob
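The two mechanisms weighed in this thread, side by side, as an added example that is not part of the original message or of the RFC: with zend.exception_ignore_args off, a parameter marked #[\SensitiveParameter] is redacted while the other arguments stay in the trace; with it on, no arguments are recorded at all. The connect() and capturedArgs() functions, the host name and the password value are constructed for illustration; PHP 8.2 or later is assumed.

```php
<?php
// Added illustration. connect(), capturedArgs(), describe() and all values
// below are constructed for this example. Assumes PHP >= 8.2.

function connect(string $host, #[\SensitiveParameter] string $password): never
{
    // Simulated failure: the exception trace is collected here.
    throw new RuntimeException("connection to $host failed");
}

// Returns the arguments recorded for the connect() frame, or null when the
// trace was collected without arguments.
function capturedArgs(string $ignoreArgs): ?array
{
    // The setting is changeable at runtime (INI_ALL); it is read when the
    // exception object is created, so it must be set before the throw.
    ini_set('zend.exception_ignore_args', $ignoreArgs);

    $args = null;
    try {
        connect('db.example.test', 'constructed-secret');
    } catch (RuntimeException $e) {
        $frame = $e->getTrace()[0];      // frame for the connect() call
        $args  = $frame['args'] ?? null; // key is absent when args are ignored
    }
    return $args;
}

// Renders one recorded argument without ever unwrapping a redacted value.
function describe(mixed $arg): string
{
    return is_object($arg) ? 'object(' . get_class($arg) . ')' : var_export($arg, true);
}

foreach (['0' => 'Off', '1' => 'On'] as $value => $label) {
    $args = capturedArgs((string) $value);
    echo "zend.exception_ignore_args=$label: ";
    echo $args === null
        ? "no arguments recorded\n"
        : implode(', ', array_map('describe', $args)) . "\n";
}
```

With the setting off, the host string appears in the trace and the password position holds a SensitiveParameterValue object instead of the string. Any secret-bearing parameter that lacks the attribute is recorded in full, which is the gap the stricter default closes.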
