ID: 29570
Updated by: [EMAIL PROTECTED]
Reported By: grangeway at blueyonder dot co dot uk
Status: Bogus
Bug Type: Feature/Change Request
Operating System: any
PHP Version: 4.3.8

New Comment:

In case you don't believe me, try doing:

test[0]=<script>alert("Hello")</script>

and you will see exactly the same non-escaping in GET and QUERY_STRING. So it is quite consistent in that array elements are not escaped when displayed. I may fix that, but it still doesn't change the fact that phpinfo() is a debugging function whose very content is insecure. XSS is the least of your problems if you expose this output to the world.

Previous Comments:
------------------------------------------------------------------------

[2004-09-04 22:04:24] [EMAIL PROTECTED]

They are all escaped the same way.

------------------------------------------------------------------------

[2004-08-08 12:47:27] grangeway at blueyonder dot co dot uk

Description:
------------
Bug #24024 discusses the fact that _SERVER["argv"] does not convert HTML entities, e.g. < to &lt;, as phpinfo() is a debugging tool, and is marked as bogus.

If this is the case, and content should not be escaped as phpinfo is for debugging, then:

_SERVER["QUERY_STRING"]</td><td class="v">test=<script>alert()</script></td></tr>

should not escape < to &lt; and should be consistent with the behaviour of _SERVER['argv'].

At the moment, _SERVER['argv'] and GET['test'] / _SERVER["QUERY_STRING"]</ etc. show different representations of the same string, where in reality the value is the same.

Expected result:
----------------
Ideally all strings should be escaped. If not (i.e. if this would hinder debugging), then no strings should be escaped, so that the output of any string in phpinfo matches the expected value given when running var_dump on the variable.

------------------------------------------------------------------------
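The inconsistency the thread turns on is that scalar request values are HTML-escaped before display while nested array elements such as test[0] are not. The following is an added example, not code from the bug report or from PHP's own phpinfo(), of a debug dump that escapes every scalar recursively (keys included) before writing the same kind of table; the debugTable and renderEscaped names are assumptions, while htmlspecialchars and parse_str are standard PHP functions.

```php
<?php
// Added example: render request data for an HTML debug page with every
// scalar escaped, including nested array elements such as test[0].
// Illustrative only; this is not PHP's phpinfo() implementation.

function renderEscaped($value): string
{
    if (is_array($value)) {
        $items = [];
        foreach ($value as $k => $v) {
            // Keys also originate from the query string, so escape them too.
            $items[] = renderEscaped($k) . ' => ' . renderEscaped($v);
        }
        return 'Array(' . implode(', ', $items) . ')';
    }
    // ENT_QUOTES neutralises both " and ' so the value is safe inside
    // attributes as well as element text; ENT_SUBSTITUTE avoids an empty
    // string on invalid UTF-8, which would silently drop the value.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function debugTable(array $vars): string
{
    $rows = '';
    foreach ($vars as $name => $value) {
        $rows .= '<tr><td class="e">' . renderEscaped($name) . '</td>'
               . '<td class="v">' . renderEscaped($value) . '</td></tr>' . "\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Constructed sample input mirroring the request from the report:
//   ?test[0]=<script>alert("Hello")</script>
$queryString = 'test[0]=<script>alert("Hello")</script>';
parse_str($queryString, $get);

// Both rows now show the payload as &lt;script&gt;...&lt;/script&gt;,
// so the array element and the raw query string render identically.
echo debugTable([
    '_SERVER["QUERY_STRING"]' => $queryString,
    '_GET["test"]'            => $get['test'],
]);
```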