Change default setting for zend.exception_ignore_args

[andrewnicols]

The default setting for zend.exception_ignore_args (On) should be the safest setting rather than the setting more convenient to developers (Off).

This setting was introduced in PHP 7.4 to hide arguments passed into methods which cause a stacktrace to be displayed.

It is not well documented in the PHP documentation and many people are unaware of its purpose. Whilst it is not a perfect solution, where a production site does display a stack trace it would be best to do so without all args being dispalyed.

In this case I feel that PHP should fail safe and require that developers actively disable this setting when they do want args (either in php.ini, or through ini_set() calls).

Happy to raise this as an RFC if this is required -- I'm uncertain whether this change requires one from reading the RFC documentation.

---

RFC: https://wiki.php.net/rfc/exception_ignore_args_default_value

[andrewnicols]

Re failing unit tests, is it better to:

• explicitly set the zend ini on those tests;
• change the test expectations in these tests; or
• change the default configuration somehow for unit tests to set this?

[andrewnicols]

I've gone through the failing tests and addressed these by reverting one set of test changes I made (they were run with a explicit value to the ini setting already), and updating the expected output for the remaining failing test to remove the args from the stacktrace.

[TimWolla]

As per https://chat.stackoverflow.com/transcript/message/57868601#57868601 (see also previous and next day for further context), I'd rather see the value in php.ini-production changed to Off:

php-src/php.ini-production

Line 384 in 13e0fb9

zend.exception_ignore_args = On

/cc @bwoebi

[andrewnicols]

As per https://chat.stackoverflow.com/transcript/message/57868601#57868601 (see also previous and next day for further context), I'd rather see the value in php.ini-production changed to Off:

I'm not sure I follow... you'd rather than we reveal exception args in production?

I'd rather disable them in development too if the desire is to keep dev and production configurations as close as possible.

The SensitiveParameter attribute is no good in this instance. It only works if you configure it on parameters up and down the stack, and the moment you use anything like dependency injection it becomes very difficult (maybe impossible) to mask those params.

[TimWolla]

you'd rather than we reveal exception args in production?

Yes. Though reveal is not the correct word. I don't want to reveal them to the user, but I want them in my error logs.

Whilst it is not a perfect solution, where a production site does display a stack trace it would be best to do so without all args being dispalyed.

The correct solution here would be display_errors = Off or properly configuring your framework’s error handler.