Update advice, warnings about show_source() and friends.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@39335 c90b9560-bf6c-de11-be94-00142212c4b1

chapters/security.xml

@@ -254,6 +254,22 @@ AddHandler php3-script .php3
   
   </sect1>
 
+  <sect1 id="security.current">
+   <title>Keeping Current</title>
+   <simpara>
+    PHP, like any other large system, is under constant scrutiny and
+    improvement. Each new version will often include both major and
+    minor changes to enhance and repair security flaws, configuration
+    mishaps, and other issues that will affect the overall security
+    and stability of your system.
+   </simpara>
+   <simpara>
+    Like other system-level scripting languages and programs, the best
+    approach is to update often, and maintain awareness of the latest
+    versions and their changes.
+   </simpara>
+  </sect1>
+
   <sect1 id="security.apache">
    <title>Installed as an Apache module</title>
    <simpara>
@@ -422,14 +438,18 @@ if (!ereg('^[^./][^/]*$', $userfile))
     developer who is trying to debug a script, indicating such things
     as the function or file that failed, the PHP file it failed in,
     and the line number which the failure occured in. This is all
-    information that can be exploited.
+    information that can be exploited.  It not uncommon for a php
+    developer to use show_source(), highlight_string(), or
+    highlight_file() as a debugging measure, but in a live site, this
+    can expose hidden variables, unchecked syntax, and other dangerous
+    information.
    </simpara>
    <simpara>
-    For example, the very style of error indicates a system is running
-    PHP. If the attacker was looking at an .html page, and wanted to
-    probe for the back-end (to look for known weaknesses in the system),
-    by feeding it the wrong data they may be able to determine that a
-    system was built with PHP.
+    For example, the very style of a generic error indicates a system
+    is running PHP. If the attacker was looking at an .html page, and
+    wanted to probe for the back-end (to look for known weaknesses in
+    the system), by feeding it the wrong data they may be able to
+    determine that a system was built with PHP.
    </simpara>
    <simpara>
     A function error can indicate whether a system may be running a
@@ -444,7 +464,9 @@ if (!ereg('^[^./][^/]*$', $userfile))
    <simpara>
     A filesystem or general PHP error can indicate what permissions
     the webserver has, as well as the structure and organization of
-    files on the web server.
+    files on the web server. Developer written error code can aggravate
+    this problem, leading to easy exploitation of formerly "hidden"
+    information.
    </simpara>
    <simpara>
     There are three major solutions to this issue. The first is to

security/index.xml

@@ -254,6 +254,22 @@ AddHandler php3-script .php3
   
   </sect1>
 
+  <sect1 id="security.current">
+   <title>Keeping Current</title>
+   <simpara>
+    PHP, like any other large system, is under constant scrutiny and
+    improvement. Each new version will often include both major and
+    minor changes to enhance and repair security flaws, configuration
+    mishaps, and other issues that will affect the overall security
+    and stability of your system.
+   </simpara>
+   <simpara>
+    Like other system-level scripting languages and programs, the best
+    approach is to update often, and maintain awareness of the latest
+    versions and their changes.
+   </simpara>
+  </sect1>
+
   <sect1 id="security.apache">
    <title>Installed as an Apache module</title>
    <simpara>
@@ -422,14 +438,18 @@ if (!ereg('^[^./][^/]*$', $userfile))
     developer who is trying to debug a script, indicating such things
     as the function or file that failed, the PHP file it failed in,
     and the line number which the failure occured in. This is all
-    information that can be exploited.
+    information that can be exploited.  It not uncommon for a php
+    developer to use show_source(), highlight_string(), or
+    highlight_file() as a debugging measure, but in a live site, this
+    can expose hidden variables, unchecked syntax, and other dangerous
+    information.
    </simpara>
    <simpara>
-    For example, the very style of error indicates a system is running
-    PHP. If the attacker was looking at an .html page, and wanted to
-    probe for the back-end (to look for known weaknesses in the system),
-    by feeding it the wrong data they may be able to determine that a
-    system was built with PHP.
+    For example, the very style of a generic error indicates a system
+    is running PHP. If the attacker was looking at an .html page, and
+    wanted to probe for the back-end (to look for known weaknesses in
+    the system), by feeding it the wrong data they may be able to
+    determine that a system was built with PHP.
    </simpara>
    <simpara>
     A function error can indicate whether a system may be running a
@@ -444,7 +464,9 @@ if (!ereg('^[^./][^/]*$', $userfile))
    <simpara>
     A filesystem or general PHP error can indicate what permissions
     the webserver has, as well as the structure and organization of
-    files on the web server.
+    files on the web server. Developer written error code can aggravate
+    this problem, leading to easy exploitation of formerly "hidden"
+    information.
    </simpara>
    <simpara>
     There are three major solutions to this issue. The first is to