 ID:               16155
 Updated by:       [EMAIL PROTECTED]
-Summary:          track_vars doesn't work unless register_globals is also set
 Reported By:      [EMAIL PROTECTED]
-Status:           Bogus
+Status:           Open
 Bug Type:         PHP options/info functions
 Operating System: RH 7.2
 PHP Version:      4.1.2
 New Comment:

No, it is a bug. The problem is that if the configuration data comes
from Apache rather than /etc/php.ini, the tracking variables aren't
initialized correctly as described.


Previous Comments:
------------------------------------------------------------------------

[2002-03-19 04:19:24] [EMAIL PROTECTED]

So it was not a bug, but a configuration problem.

------------------------------------------------------------------------

[2002-03-18 23:27:16] [EMAIL PROTECTED]

Ah, I think I understand maybe why you can't replicate this. In my
/etc/httpd/conf/include.d directory (the entire dir is parsed by Apache
on startup), I have a file that has the following lines in it, in the
order following:

    php_value variables_order "es"
    php_flag register_globals Off

Remove the file containing these lines, and it works. Install the file
containing these lines, and it fails.

------------------------------------------------------------------------

[2002-03-18 23:14:35] [EMAIL PROTECTED]

Maybe this should be registered against the RedHat distribution? It's
100% consistent for me.

------------------------------------------------------------------------

[2002-03-18 23:03:06] [EMAIL PROTECTED]

Uh, can anybody reproduce this? I certainly can't. HTTP_*_VARS are
definitely on for me regardless of the register_globals setting. I
suspect user error here.

------------------------------------------------------------------------

[2002-03-18 18:18:54] [EMAIL PROTECTED]

The entire point of "register_globals Off" is to provide a mechanism to
disable automatic registration of EGPCS (Environment, Get, Post, Cookie,
System) variables. However, for this to be an effective strategy,
scripts need access to these variables by other means. This SHOULD be
the HTTP_*_VARS and _GET[], _POST[], etc. variables. But as of 4.1.2,
track_vars (which is set on by default) doesn't work unless
(1) register_globals is set On, AND (2) variables_order contains the
particular type of variable you want.

That is, unless you set variables_order to contain "G", neither _GET[]
nor HTTP_GET_VARS[] will contain the results from the GET request, but
if variables_order does contain "G", they *will*.

Considering the number of exploits caused by namespace pollution that
register_globals has been accused (and convicted) of, this is about as
serious a security bug as I can think of. I will be digging through the
source tree to come up with a patch.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=16155&edit=1
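
A diagnostic for checking the settings discussed in this thread on a given server, added here as an example and not taken from the bug report or from PHP itself. The file name check.php and the probe parameter are assumptions, and the script targets PHP 4.1-era installs where register_globals and the HTTP_*_VARS arrays still exist.

```php
<?php
// Added diagnostic, not part of the bug report. Request it as
// check.php?probe=1 (file name and parameter are assumptions).
header('Content-Type: text/plain');

// variables_order letter => the tracking arrays it governs.
$map = array(
    'E' => array('_ENV',    'HTTP_ENV_VARS'),
    'G' => array('_GET',    'HTTP_GET_VARS'),
    'P' => array('_POST',   'HTTP_POST_VARS'),
    'C' => array('_COOKIE', 'HTTP_COOKIE_VARS'),
    'S' => array('_SERVER', 'HTTP_SERVER_VARS'),
);

// Effective values, whether they came from php.ini or from
// php_value / php_flag lines in the Apache configuration.
$raw   = (string) ini_get('variables_order');
$order = strtoupper($raw);   // compare letters case-insensitively
$rg    = strtolower((string) ini_get('register_globals'));
$rgOn  = in_array($rg, array('1', 'on', 'yes', 'true'));

echo "variables_order  = \"$raw\"\n";
echo "register_globals = " . ($rgOn ? 'On' : 'Off') . "\n\n";

// For each letter: is it listed, and are its arrays populated?
foreach ($map as $letter => $names) {
    $listed = (strpos($order, $letter) !== false);
    echo $letter . ' (' . ($listed ? 'listed' : 'not listed') . ")\n";
    foreach ($names as $name) {
        $ok = isset($GLOBALS[$name]) && is_array($GLOBALS[$name]);
        $state = $ok ? count($GLOBALS[$name]) . ' entries' : 'not set';
        echo "    \$$name: $state\n";
    }
}

// The request parameter should be reachable through _GET ...
$tracked = isset($GLOBALS['_GET']['probe']);
// ... and, with register_globals Off, must not exist as a global.
$leaked = isset($GLOBALS['probe']);

echo "\nprobe in \$_GET:       " . ($tracked ? 'yes' : 'no') . "\n";
echo "probe as global var:  " . ($leaked ? 'yes' : 'no') . "\n";

if (!$rgOn && $leaked) {
    echo "WARNING: register_globals is Off but \$probe was registered\n";
}
if (!$tracked) {
    echo "NOTE: scripts on this server cannot read GET input via \$_GET\n";
}
```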