There are so many good reasons to turn off display_error during production use, one of which is to not have a broken page due to errors appearing all over the place which even the laziest PHP developer who only cares about "stuff working" would appreciate.
That it also leaks important internal information is another side-effect which generally isn't as appreciated though.
Also the article is showing this code:
// Undefined function
echo "the root password for this machine is: pAsswoRd";
Or someone can send you a URL that points to your dev server and contains a payload. Or someone can send a URL to the developer across the street who uses shared hosting where display_errors is enabled by default.
I'm not arguing that this is a feasible attack to pull off against most applications: it most certainly is not. I'm arguing that it shouldn't be possible to pull it off at all, even in the small percentage of applications that might be affected. There is no good reason PHP should be displaying this information unsanitized.
You're 100% correct about the example you're pointing out. If you're allowing arbitrary functions called from the user, you're in much bigger trouble. ;-)
I originally noticed and reported the issue with the first example, which triggers a simple, common undefined index notice:
$array = array();
That is theoretically possible, though what they would be able to do is to deal damage to my development install (if I don't to CSRF protection on POST operations) or they could potentially hijack my current session on my development system, which, too I don't deem too critical.
> who uses shared hosting where display_errors is enabled by default
> There is no good reason PHP should be displaying this information unsanitized.
I agree, especially because they already do some escaping of their own errors (and consequently don't escape while running in the CLI SAPI)
For those of you working with WordPress, this is the code you need in wp-config.php to log errors but not show them in web pages:
From the PHP docs :
This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).
So could PHP perhaps HTML encode error messages? Would this break any error message use cases? For example are there times when error messages appear when they wouldn't be interpreted as HTML encoded? CLI? Browsers loading different text mime types?
This is something PHP already gets right with warnings, fatal errors, etc. The issue is only with notices as far as I've seen (I haven't delved into the PHP source to see what the difference is).
A demonstration file:
[cmd]$ cat 147b9119e818c92f7f74bad71cc12255.php
[cmd]$ php -f 147b9119e818c92f7f74bad71cc12255.php
Warning: file_get_contents(<s>test</s>): failed to open stream: No such file or directory in /home/nbsandbox/sandboxing.me/poc/147b9119e818c92f7f74bad71cc12255.php on line 2
<b>Warning</b>: file_get_contents(<s>test</s>) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/home/nbsandbox/sandboxing.me/poc/147b9119e818c92f7f74bad71cc12255.php</b> on line <b>2</b><br />
I wrote up a response which contains more acceptable conclusions/fixes to the issues you present.
Never trust the user.
Don't do stupid shit.