On Jan 16, 2008, at 11:55 , Stanislav Malyshev wrote:

I don't understand the problem. You use request if you do not care where a parameter is set and you use the other superglobals when you do care.

The problem is that variables_order should specify what gets into _REQUEST (as documented in the manual) and as Stefan reports it doesn't exactly do that. I think having control of what ends up in _REQUEST and how is useful, and variables_order should work as specified.

Ah ok .. sorry for having missed that point. Of course I was assuming that the feature worked as advertised. I guess I was thrown off by the fact that Stefan initially made it sound like the concept in general is flawed and would automatically make an application insecure. Obviously a buggy implementation of such a critical piece could lead to some issues, though like I said in this case I hardly see this as a security risk. Relying on $_REQUEST to implement your security policy around what methods are allowed to pass in input seems unusual. More likely someone relying on this did not think about security in the first place. Anyways, if this bug exists it should get fixed .. just weird that we need such a lengthy (and unfocused) discussion to report a bug and find a patch for it.

regards,
Lukas

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
