Post-1.0: use production server default for error messages #1124
Labels
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
wontfix
If you can reproduce this issue, please reopen the issue or create a new one describing it.
By default PHP error messages and printDebug() output are displayed to all users accessing the admin or widgets. This can provide server information to malicious users. A new option should be added to config.ini.php to disable all error output to the browser. Additionally it would be useful to set this option separately for admin and non-admin users.
Currently the only way to disable printDebug() is by setting
Instead of adding a new config value, another option would be to default PIWIK_TRACKER_DEBUG to false and only set it to true if an admin is logged in.
By default PHP error output is enabled with the display_errors option. The default should be to suppress PHP error output and only enable it for admin users.
The text was updated successfully, but these errors were encountered: