Re: Re: Windows Peer Verification

Date: Mon, 03 Feb 2014 21:45:44 +0000
Subject: Re: Re: Windows Peer Verification
Groups: php.internals

> PHP users may now need to have write access to PHP.INI in
> order to not get logs filled with security warnings, for the same
> code that previously did not issue a warning.

To avoid any confusion, note that the above statement is incorrect.

ini_set('openssl.cafile', 'C:\omg\this\is\too\hard.pem');

Source:
https://github.com/php/php-src/blob/PHP-5.6/ext/openssl/openssl.c#L1078
Manual entry on where INI directives may be changed:
http://www.php.net/manual/en/configuration.changes.modes.php

> Or else they need to change all outbound stream
> code, which in many cases isn't even theirs to safely change.

Then I'm using a garbage library and need to migrate *immediately*. The
maintainers don't know the first thing about security and they're putting
all of my data at risk. Thank goodness for these warnings to alert me that
I'm doing something seriously wrong. I definitely didn't know that and I
don't want to be left holding the bag when I compromise all my users'
personal and sensitive information. Now I can fix it.

This is the entire point of warnings: to tell you you're doing something
wrong. Suggesting this is somehow harmful is seriously negligent. Let's not
pretend like the doctor setting a cast on a broken arm is the problem; the
broken arm is the problem.

