Stephan Jorek
@narfbg Without this patch there is no hint that `function_exists()` returns `FALSE` because suhosin forbids it. Even if you parse the suhosin configuration you cannot distinguish if the function to...
Can I convince you by changing the description of the two `exists_forbidden`-flags to: - ; When this configuration flag is turned on, the script will terminate, if ; function_exists() is...
Ack … :zzz:
I quickly googled, and found an exploit which would terminate earlier in a suhosin-setup having the `exists_forbidden` flags enabled and all kinds of socket-related functions blacklisted. This makes it harder...
- I'll never disclose error messages to an attacker by setting display_errors to On. So the attacker should not have any clue about what is going on. Everything else is...
I never expected such a strong opinion against the stop-on-function_exists()-detection feature, but absolutely respect @narfbg's fears, but I don't share them … it has always been hard to find...
… I appreciate any feedback, especially which objections you have. And thanks for suhosin!
> … Of course the pull-requests with POCs for that task and other are welcome. Here you are: #3501. It still lacks a POC, but it's a first step.
Dunno which thread you read first, so here is a [comment duplicate](https://github.com/nevir/groc/issues/114#issuecomment-24330320) to ease reading :smirk: > yep … and here we are: 1 big comment-block and 1 big code-block,...
If you decide to merge this, you could leave the issue and/or this request open, so we can discuss a solution for how to sync code and comments (= having...