Here's a typical error message that can pop up, for authenticated and anonymous users alike, when Drupal chokes on something:
warning: array_map() [function.array-map]: Argument #2 should be an array in /home/your-directory/your-Drupal-installation/modules/system/system.module on line 1015.
My question isn't about the specific error message, but rather the general form.
The latter part of the path, modules/system/system.module, is generic to any Drupal setup. But the former part, /home/your-directory/your-Drupal-installation/, refers specifically to your own directory setup. That's obviously useful to the admin (should he for some reason not know the path), but is it wise to be revealing such directory info to strangers?
Maybe I'm imagining a non-existent danger. But following the general maxim of giving potential hackers no info they shouldn't have, is the above less than ideal? Is there a way to stop Drupal from revealing paths in its error messages?
Comments
Write to error log vs. screen
In your Drupal site configuration, look for Error Reporting (admin/settings/error-reporting) and disable writing errors to the screen. It should only be set to write to log for production sites. That's how I've always understood this. If you need to troubleshoot on a production site you can easily switch this to write to screen, troubleshoot, and then switch it back off.
As far as whether the home directory path is a security issue I'll let other Drupal security experts speak to this - I'm not positive on how much this would be worth to a malicious hacker but it's a good question. But I think you can prevent this by following the instructions above.
Others may have better suggestions?
Hope that helps.
-backdrifting
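A check an admin could run over rendered page output to confirm that the error-reporting setting described above is keeping PHP messages, and with them the install path, off the screen. This is an added example, not part of the thread; the regex covers only the message format quoted in the question, and the function names, directory list and sample pages are constructed for illustration.

```python
import html
import re

# Shape of the message quoted in the question:
#   "<level>: <text> in <absolute path> on line <n>"
PHP_ERROR_RE = re.compile(
    r"(?P<level>warning|notice|fatal error|parse error)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>/[^\s<>\"']+?)"
    r"\s+on\s+line\s+(?P<line>\d+)",
    re.IGNORECASE,
)
TAG_RE = re.compile(r"<[^>]+>")
# Top-level directories of a Drupal tree, used as a heuristic split point
# (assumption: the first such directory marks the Drupal root).
DRUPAL_TOP_DIRS = {"modules", "includes", "sites", "themes", "profiles"}


def split_path(path):
    """Split a leaked path into (site-specific prefix, generic Drupal path)."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if i > 0 and part in DRUPAL_TOP_DIRS:
            return "/".join(parts[:i]) + "/", "/".join(parts[i:])
    return path, ""


def find_leaks(body):
    """Return one dict per PHP error message found in a rendered page."""
    # Drop markup, decode entities, collapse whitespace before matching.
    text = " ".join(html.unescape(TAG_RE.sub("", body)).split())
    leaks = []
    for m in PHP_ERROR_RE.finditer(text):
        prefix, generic = split_path(m.group("path"))
        leaks.append({"level": m.group("level").lower(), "site_prefix": prefix,
                      "drupal_path": generic, "line": int(m.group("line"))})
    return leaks


# Constructed sample pages (not captured from a real site).
LEAKY_PAGE = """<div class="messages error">warning: array_map()
[<a href='function.array-map'>function.array-map</a>]: Argument #2 should be an
array in /home/your-directory/your-Drupal-installation/modules/system/system.module
on line 1015.</div>"""
CLEAN_PAGE = "<p>Warning: the office is closed on line maintenance days.</p>"

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_leaks(page))
```

A non-empty result for any page fetched as an anonymous user means errors are still being written to the screen.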
Hiding path info in error messages
Thank you! That's exactly what I was looking for. I thought the answer was in the settings somewhere, but couldn't recall it.
Like you, I couldn't say exactly what the path info tells a malicious hacker that s/he couldn't find out otherwise. But I just want to follow the general maxim of keeping a lid on any system info I don't mean to give out.
Thanks again!