Stanislav Malyshev wrote:
>> @Richard: You don't understand the Problem with _REQUEST. It is not
>> about the fact that someone can forge GET, POST, COOKIE variables.
>> It is about the fact that COOKIEs will overwrite GET and POST data in
>> REQUEST.
>
> Isn't it solved by setting variables_order to correct value, at least
> partially? I.e. if you have variable in GET/POST it won't be
> overwritten by the COOKIE one, of course there still may be a scenario
> when the variable is set only in COOKIE, but then doesn't omitting 'C'
> from variables_order exclude cookies from _REQUEST?
>
Changing the variables_order to CGP is not a good idea either, because
then applications that use cookies through _REQUEST could be tricked by
simple _GET variables. Session Fixation vulnerabilities in self-made
session management systems come to mind.

Unfortunately, removing C from variables_order does not only remove
cookies from _REQUEST but also removes the content of _COOKIE. And that
would kill e.g. ext/session.

It would have been a good idea to have a configuration option that
allows one to specify what is in _REQUEST and what is not...

Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
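An added PHP example, not code from this thread or from the PHP project, that simulates how $_REQUEST is assembled from $_GET, $_POST and $_COOKIE for a given variables_order string and then contrasts it with an accessor that names its allowed sources per parameter. The function names build_request and param, the sample arrays, and the use of array_merge over string keys as a model of the override behaviour for named parameters are all assumptions made for this illustration:

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread: simulate how $_REQUEST is filled
// from $_GET, $_POST and $_COOKIE under a given variables_order, then show a
// per-parameter accessor that names its sources explicitly. All sample
// inputs below are constructed.

/**
 * Simulate $_REQUEST for a variables_order string. Only G, P and C
 * contribute; E and S are skipped. Later letters overwrite earlier ones.
 * Assumption: array_merge over string keys models the override behaviour
 * for named parameters, which is what the thread is about.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Read $name from an explicit list of sources (letters G, P, C; first match
 * wins) instead of $_REQUEST, so a parameter meant to come from a cookie can
 * never be satisfied by a query string, and vice versa.
 */
function param(string $name, array $allowed, array $get, array $post, array $cookie): ?string
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    foreach ($allowed as $letter) {
        $value = $sources[$letter][$name] ?? null;
        if (is_string($value)) {
            return $value;
        }
    }
    return null;
}

// Constructed input: the session id name arrives both in a cookie and as a
// query-string parameter, which is the situation described in the thread.
$get    = ['sid' => 'from-get', 'q' => 'search term'];
$post   = [];
$cookie = ['sid' => 'from-cookie'];

// Compare the default order with the CGP order discussed above and with an
// order that drops C entirely.
foreach (['EGPCS', 'CGP', 'GPS'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("variables_order=%-5s  \$_REQUEST['sid'] = %s\n",
           $order, $request['sid'] ?? '(unset)');
}

// Explicit sources: the session id is only ever taken from the cookie, and the
// search term only from GET or POST, whatever variables_order says.
printf("explicit  sid from C   = %s\n", param('sid', ['C'], $get, $post, $cookie) ?? '(unset)');
printf("explicit  q   from G,P = %s\n", param('q', ['G', 'P'], $get, $post, $cookie) ?? '(unset)');
```

Running this from the command line prints one line per simulated order, showing which source ends up in the merged array for sid, followed by the two explicit lookups. The point of the second accessor is the one the thread circles around: an application that decides per parameter where a value may come from does not depend on the global precedence that variables_order imposes on $_REQUEST, and it keeps $_COOKIE intact for ext/session.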
