Php – Disable PHP stack traces in Apache logs

apache-2.4PHPSecurity

I've run across an in-house PHP application which occasionally crashes during user authentication and dumps a stacktrace into /var/log/apache2/. Problem is it logs the username and pass in cleartext.

PHP Fatal error...Stack trace:...ldapauthenticated('bobuser', 'secrit123')...

I've run across a few mentions on various stack* forums about disabling the stack traces in .htaccess or with a line of code in the PHP app itself however there seem to be varying degrees of success with these methods and I'd rather just disable the lot of it site-wide instead of editing a jazillion PHP code files.

I thought I'd poke around in /etc/php/ for an obvious setting somehow but there are myriad files and several directories there (7.0/ir, 7.0/cli, 7.0/cli/conf.d, 7.0/apache2/conf.d/,...) and no idea which file takes precedence over the other. I did find a log_errors setting which looked promising in 7.0/apache2/php.ini however the comment there says the default is off. Obviously either not working or the wrong config item.

Anyone know of a way to disable PHP stacktraces site wide?

Best Answer

try

zend.exception_ignore_args = On

in /etc/php/7.0/apache2/php.ini

Related Solutions

Php servers without apache/nginx/cgi stack

In a word, history. This is a very abbreviated summary of 15+ years of history (you can find out more on the Internet, if you are really interested):

First, while PHP has all the features of a programming language, this wasn't always so. It started out as a "hypertext preprocessor" whose purpose was to be embedded in HTML pages and parsed by a CGI program or the web server itself. It was meant to be run by an existing web server, not to be a web server. In its early iterations it was a very simple language (and some would say it still is).

PHP dates back to the late 1990s, and the only way for a web server to run dynamic content back then was through CGI. CGI's big problem, though, was that it was rather slow, because it forked a new process for every request. Not a big deal in the early days, but when the dot-com boom hit, it became something of an issue. PHP became popular enough that it was embedded into Apache as a loadable module, which gave better performance than CGI and offered some other benefits.

For the longest time, PHP was only runnable in one of those two ways, but since it had become the language with the vast majority of market share, nobody really cared much. Though eventually some people wanted to use servers other than Apache, and for a while CGI was the only way to do that, until a FastCGI server API known as php-fpm (FastCGI Process Manager) was eventually contributed into PHP. Unlike CGI, FastCGI keeps a pool of processes always running and ready to serve incoming requests.

In the 2000s came other languages, which do things differently. For instance, in Ruby application libraries are shipped in what are called gems, and a program can easily be created simply by gluing together some existing gems with business logic. Rack is a Ruby gem which provides a Ruby API for building web servers, and servers such as mongrel, unicorn, thin, etc., and frameworks such as Rails and Sinatra, are built on top of it.

Other languages such as Python and Java have similar web servers and web server frameworks. As you can see this is a completely different approach from the one taken by PHP, which generally doesn't use HTTP at all to serve requests.

However, recent versions of PHP now have a "built in web server", but it is relatively new and can only handle one connection at a time, making it unsuitable for production use. It's explicitly designed for developer use.

Ultimately it comes down to this: PHP was designed to work in the context of an existing HTML document, while other languages such as Python, Ruby, Java, etc., are general-purpose. The only other web language I know of which works like PHP in this respect is Microsoft's "classic" ASP, which has a similar design.

Php – How to disable PHP mail function on one apache virtualhost

I added this to my virtual host:

<Directory /dir/to/your/web/root>
...
        php_admin_value sendmail_path "tee mail.out > /dev/null"
...
    </Directory>

It worked!

Related Topic