On Jan 16, 2008, at 9:17 , Stefan Esser wrote:

Stanislav Malyshev schrieb:
@Richard: You don't understand the problem with _REQUEST. It is not
about the fact that someone can forge GET, POST, COOKIE variables.
It is about the fact that COOKIEs will overwrite GET and POST data in
_REQUEST.

Isn't it solved by setting variables_order to the correct value, at least
partially? I.e. if you have a variable in GET/POST it won't be
overwritten by the COOKIE one. Of course there still may be a scenario
where the variable is set only in COOKIE, but then doesn't omitting 'C'
from variables_order exclude cookies from _REQUEST?

Changing the variables_order to CGP is not a good idea either, because
then applications that use cookies through _REQUEST could be tricked by
simple _GET variables. Session fixation vulnerabilities in self-made
session management systems come to mind.

Unfortunately, removing C from variables_order not only removes
cookies from _REQUEST but also removes the content of _COOKIE. And that would
kill e.g. ext/session.

It would have been a good idea to have a configuration option that
allows specifying what is in _REQUEST and what is not...

I don't understand the problem. You use _REQUEST if you do not care where a parameter is set, and you use the other superglobals when you do care. End of story. I hardly see this as a general security risk, and it surely isn't a general annoyance like magic_quotes_gpc.

regards,
Lukas
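The precedence problem Stefan describes can be made concrete with a small model of how PHP builds $_REQUEST. The script below is an added example and is not code from the thread or from PHP itself; it assumes PHP's documented merge rule, under which the sources named in variables_order (default EGPCS) are merged in order and a later source overwrites keys already set by an earlier one. The GET, POST and COOKIE dictionaries are constructed sample data.

```python
# Model of how PHP populates $_REQUEST from variables_order (added example,
# not code from the thread or from PHP). Assumption: this reproduces PHP's
# documented merge rule, where each source listed in variables_order is
# merged in turn and a later source overwrites keys set by an earlier one.

from typing import Dict, Mapping

def build_request(order: str, get: Mapping[str, str], post: Mapping[str, str],
                  cookie: Mapping[str, str]) -> Dict[str, str]:
    """Return the $_REQUEST array PHP would build for the given variables_order.

    Only G, P and C are modelled; E and S never reach $_REQUEST anyway.
    Later letters in `order` win, which is the point under discussion:
    with the default EGPCS, C is last, so a cookie overwrites GET and POST.
    """
    sources = {"G": get, "P": post, "C": cookie}
    request: Dict[str, str] = {}
    for letter in order.upper():
        request.update(sources.get(letter, {}))   # E and S are ignored here
    return request

# Constructed sample request: the page asked for ?id=42 with id=42 POSTed,
# but the browser also carries a planted cookie named id.
GET = {"id": "42", "page": "profile"}
POST = {"id": "42", "csrf": "abc"}
COOKIE = {"id": "1", "PHPSESSID": "deadbeef"}

def lookup_via_request(order: str, name: str) -> str:
    """What `$_REQUEST[$name]` returns under the given variables_order."""
    return build_request(order, GET, POST, COOKIE).get(name, "")

def lookup_via_specific(name: str, source: str) -> str:
    """Lukas's advice: read from the superglobal you actually mean."""
    return {"get": GET, "post": POST, "cookie": COOKIE}[source].get(name, "")

if __name__ == "__main__":
    for order in ("EGPCS", "CGP", "GP"):
        req = build_request(order, GET, POST, COOKIE)
        print(f"variables_order={order:<5} $_REQUEST['id']={req.get('id')!r} "
              f"cookie-only key present: {'PHPSESSID' in req}")
```

Running it shows the three situations from the thread: under EGPCS `$_REQUEST['id']` is the cookie's `1` even though GET and POST both carried `42`; under CGP GET/POST win, but a cookie-only key such as `PHPSESSID` can now be supplied from the query string, which is the self-made-session fixation Stefan warns about; under GP the cookie key disappears from `$_REQUEST` entirely (and in real PHP `$_COOKIE` is emptied too, which the model does not show). Reading from `$_GET`, `$_POST` or `$_COOKIE` directly sidesteps all three. PHP 5.3 later added a separate `request_order` setting for exactly the purpose Stefan asks for.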

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
