David Johnson wrote:
The policy document looks great and carefully thought out. We have not finished our package development and released it yet, so we're not certain. One question is in regards to PHP configuration. For example our application requires "register_global" to be turned on in PHP (which has sufficient security structure in place where this is not a problem for us). What approach should we take here?
I'd suggest probably: php_value register_globals = "On"in the apache virtualhost config, because the last thing that wants to happen is for security issues with other apps to be created/exposed by a global change to php.ini.