ID: 14425
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Variables related
Operating System: Linux (Mandrake 8.1)
PHP Version: 4.0.6
New Comment:

Similarly, this bug is also found in class methods.

<?php
class a
{
    function test()
    {
        // keys collide with the method's $this and the $GLOBALS superglobal
        $a = array("this" => "nothing", "GLOBALS" => "nothing");
        extract($a);
        var_dump($this);
        var_dump($GLOBALS);
    }
}
$a = new a();
$a->test();

// Both this and GLOBALS are overwritten by extract.
// I would have hoped that would not have happened.



Previous Comments:
------------------------------------------------------------------------

[2001-12-11 08:55:15] [EMAIL PROTECTED]

<?php
// I did this:
function test()
{
    $a = array("GLOBALS" => "nothing");
    extract($a);
    var_dump($GLOBALS);
}
test();
// The script will overwrite the $GLOBALS variable
// I did not want it to overwrite the $GLOBALS variable

// Then in the global scope, I did this:
$a = array("GLOBALS" => "nothing");
extract($a);
var_dump($GLOBALS);
// The script did not overwrite the $GLOBALS variable.
// It did what I wanted it to do.

Allowing the extract function to overwrite global variables within a function can 
lead to serious security holes.  Particularly if URL parameters are passed into a 
function that extracts them.  (And then if my function still expects GLOBALS to be 
legit, it could be passed false information.)

I suggest making extract unable to overwrite any global variables within a function.  
($GLOBALS, and any variables declared global $x, etc..) As a second measure it might 
be good to make extract more conservative in general by defaulting to EXTR_SKIP 
instead of EXTR_OVERWRITE

I can, of course, fix my own code for the time being to avoid this problem by using 
extract($params,EXTR_SKIP); However I think fixing the problem for PHP as a whole 
would help others as well.

Thank you.  Keep up the excellent work!
Phil
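
The workaround Phil mentions, extract($params, EXTR_SKIP), written out as an added example that is not part of the bug report, alongside the two stricter options a reviewer would normally ask for: EXTR_PREFIX_ALL, which puts every imported key behind a prefix so nothing can collide with a local, $this or a superglobal, and an explicit allow-list that avoids extract() altogether. The $params array is a constructed stand-in for request input such as $_GET; handle_request, handle_request_prefixed and handle_request_allowlist are names chosen for this example.

```php
<?php
// Added example, not code from the bug report. $params stands in for
// untrusted request input (e.g. $_GET) and is constructed below.

function handle_request($params)
{
    $page = 1;  // a local the rest of the function relies on
    // EXTR_SKIP: a key that matches an existing variable is not imported,
    // so $page keeps its value. It only protects variables that already
    // exist in this scope; it is not a guard for superglobals on its own.
    extract($params, EXTR_SKIP);
    return $page;
}

function handle_request_prefixed($params)
{
    // EXTR_PREFIX_ALL: every key becomes $req_<key>, so "GLOBALS" and
    // "this" can only ever produce $req_GLOBALS and $req_this.
    extract($params, EXTR_PREFIX_ALL, 'req');
    return isset($req_page) ? $req_page : null;
}

function handle_request_allowlist($params)
{
    // Strictest option: copy only the keys the function expects and
    // never let input choose variable names at all.
    $allowed = array('page', 'sort');
    $clean = array();
    foreach ($allowed as $key) {
        if (isset($params[$key])) {
            $clean[$key] = $params[$key];
        }
    }
    return $clean;
}

// Constructed hostile input: tries to override a local, $this and $GLOBALS.
$params = array(
    'GLOBALS' => 'nothing',
    'this'    => 'nothing',
    'page'    => '99',
    'sort'    => 'asc',
);

var_dump(handle_request($params));           // int(1): the local survived
var_dump(handle_request_prefixed($params));  // string(2) "99" from $req_page
var_dump(handle_request_allowlist($params)); // only page and sort are kept
var_dump(is_array($GLOBALS));                // bool(true) in every variant
```

The allow-list version is the one to prefer for request handling: it makes the set of variable names a compile-time decision, so a new key in the input can never reach a name the code did not plan for, whichever extract() flag the runtime happens to honour.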


------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=14425&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>