On Mon, October 23, 2006 6:26 pm, Rasmus Lerdorf wrote:
> Peter Brodersen wrote:
>> On Mon, 23 Oct 2006 10:38:31 -0700, in php.internals
>> [EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
>>
>>> I had left out SERVER filtering in the initial version for much the
>>> same reasoning, but it turns out that a good chunk of holes were due
>>> to the fact that people used $_SERVER['REQUEST_URI'] unfiltered.
>>> Trying to teach people which SERVER vars are safe and which aren't
>>> isn't a fun task and the whole point of the filter extension is to
>>> take away the guessing game.
>>
>> More well-known, the same goes for the HTTP headers populated in
>> _SERVER as well, even though some might be less obvious than others.
>>
>> HTTP_HOST could be tainted as well in some cases where a DNS entry
>> and ServerAlias of *.example.com exist.
>
> Actually, by using the Flash hack, you don't need wildcard DNS to
> exploit that one.  As anybody who has seen my ranting lately can
> attest to, name-based virtual hosting is completely broken until we
> get everyone onto Flash9.

Haven't read the rant (yet) but, errrr, have they released Flash
anything in this millennium for Linux?...

Cuz it seems like I never can manage to get to download anything
higher than Flash Player 6 for my Linux box desktop at home. Which is
ancient hardware/OS, so maybe that's the issue...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
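The thread's point is that request-derived $_SERVER entries such as REQUEST_URI and HTTP_HOST are client-supplied and must not be trusted or echoed raw. The PHP below is an added illustration of that defensive stance; it is not code from the thread, from PHP's filter extension, or from any of the posters. The ALLOWED_HOSTS allowlist, the function names and the sample request array are all assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): treat request-derived $_SERVER
// entries as untrusted input. ALLOWED_HOSTS is a hypothetical deployment
// setting; in a real application it would come from configuration.

const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the Host header only if it exactly matches a configured hostname.
 * HTTP_HOST is attacker-supplied: as the thread notes, a wildcard DNS entry
 * plus a ServerAlias of *.example.com lets any Host value reach the script,
 * so a strict allowlist is safer than any sanitising filter.
 */
function trusted_host(array $server): ?string
{
    $host = $server['HTTP_HOST'] ?? '';
    // Drop an optional :port suffix, normalise case, then compare strictly.
    $name = strtolower(preg_replace('/:\d+$/', '', $host));
    return in_array($name, ALLOWED_HOSTS, true) ? $name : null;
}

/**
 * Escape REQUEST_URI before it is placed in HTML (e.g. a self-referencing
 * form action). REQUEST_URI is the raw request-line path; the web server
 * does not decode or clean it, so every byte the client sent arrives as-is.
 */
function html_safe_request_uri(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return htmlspecialchars($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request: a Host not on the allowlist (the kind a
// wildcard vhost would still route here) and a URI carrying HTML metacharacters.
$untrusted = [
    'HTTP_HOST'   => 'other.example.com',
    'REQUEST_URI' => '/index.php?q=<tag>&a="b"',
];

// Constructed sample of a legitimate request with an explicit port.
$legit = [
    'HTTP_HOST'   => 'www.example.com:8080',
    'REQUEST_URI' => '/page',
];

var_dump(trusted_host($untrusted));
var_dump(trusted_host($legit));
echo html_safe_request_uri($untrusted), "\n";
```

Run with `php example.php`. trusted_host() returns NULL for the first sample and "www.example.com" for the second, and the echoed URI has its angle brackets, ampersand and quotes converted to HTML entities. The design choice is deliberate: for Host a strict allowlist is used rather than a sanitising filter, because there is no "safe" transformation of a hostname the application does not own, whereas for REQUEST_URI output-context escaping is what prevents the unfiltered-REQUEST_URI holes the thread describes.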