From: [EMAIL PROTECTED] Operating system: RH 7.2 PHP version: 4.1.2 PHP Bug Type: Apache related Bug description: Some predefined variables allow GET overwrite
It is possible to overwrite some predefined variables using GET URI variables (also, I would imagine, POST vars, but it's harder to test for those). Consider the following as foo.php: <? $varlist = array('DOCUMENT_ROOT', 'GATEWAY_INTERFACE', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_CONNECTION', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_GET_VARS', 'HTTP_HOST', 'HTTP_POST_FILES', 'HTTP_POST_VARS', 'HTTP_REFERER', 'HTTP_SERVER_VARS', 'HTTP_USER_AGENT', 'PATH_TRANSLATED', 'PHP_SELF', 'QUERY_STRING', 'REMOTE_ADDR', 'REMOTE_PORT', 'REQUEST_METHOD', 'REQUEST_URI', 'SCRIPT_FILENAME', 'SERVER_ADMIN', 'SERVER_NAME', 'SERVER_PORT', 'SERVER_PROTOCOL', 'SERVER_SIGNATURE', 'SERVER_SOFTWARE'); foreach ($varlist as $i) print "$i = '".${$i}."'<br>\n"; ?> ============= If I now invoke http://www.foo.com/foo.php?HTTP_ACCEPT_CHARSET=blarg or http://www.foo.com/foo.php?HTTP_REFERER=blarg, I get "blarg" for either of those variables, rather than the value that should have been there from Apache and/or PHP. -- Edit bug report at http://bugs.php.net/?id=16052&edit=1 -- Fixed in CVS: http://bugs.php.net/fix.php?id=16052&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=16052&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=16052&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=16052&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=16052&r=support Expected behavior: http://bugs.php.net/fix.php?id=16052&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=16052&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=16052&r=submittedtwice