ID:               16155
 Updated by:       [EMAIL PROTECTED]
-Summary:          track_vars doesn't work unless register_globals is
                   also set
 Reported By:      [EMAIL PROTECTED]
-Status:           Bogus
+Status:           Open
 Bug Type:         PHP options/info functions
 Operating System: RH 7.2
 PHP Version:      4.1.2
 New Comment:

No, it is a bug.  The problem is that if the configuration data comes
from Apache rather than /etc/php.ini, the tracking variables aren't
initialized correctly as described.


Previous Comments:
------------------------------------------------------------------------

[2002-03-19 04:19:24] [EMAIL PROTECTED]

So it was not a bug, but a configuration problem.

------------------------------------------------------------------------

[2002-03-18 23:27:16] [EMAIL PROTECTED]

Ah, I think I understand maybe why you can't replicate this.  In my
/etc/httpd/conf/include.d directory (the entire dir is parsed by Apache
on startup), I have a file that has the following lines in it, in the
order following:

    php_value variables_order "es"
    php_flag register_globals Off

Remove the file containing these lines, and it works.  Install the file
containing these lines, and it fails.

------------------------------------------------------------------------

[2002-03-18 23:14:35] [EMAIL PROTECTED]

Maybe this should be registered against the RedHat distribution?  It's
100% consistent for me.

------------------------------------------------------------------------

[2002-03-18 23:03:06] [EMAIL PROTECTED]

Uh, can anybody reproduce this?  I certainly can't.  HTTP_*_VARS are
definitely on for me regardless of the register_globals setting.  I
suspect user error here.

------------------------------------------------------------------------

[2002-03-18 18:18:54] [EMAIL PROTECTED]

The entire point of "register_globals Off" is to provide a mechanism to
disable automatic registration of EGPCS (Environment, Get, Post,
Cookie, System) variables.  However, for this to be an effective
strategy, scripts need access to these variables by other means.  This
SHOULD be the HTTP_*_VARS and _GET[], _POST[], etc. variables.  But as
of 4.1.2, track_vars (which is set on by default) doesn't work unless

(1) register_globals is set On, AND
(2) variables_order contains the particular type of variable you want. 
That is, unless you set variables_order to contain "G", neither _GET[]
nor HTTP_GET_VARS[] will contain the results from the GET request,
but if variables_order does contain "G", they *will*.

Considering the number of exploits caused by namespace pollution that
register_globals has been accused (and convicted) of, this is about as
serious a security bug as I can think of.  I will be digging through
the source tree to come up with a patch.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=16155&edit=1
