I know Andries knows this, but for those others on the list, the security issues with $_SERVER are simply related to where that data comes from. HTTP_HOST for example comes from the client's GET request and something as simple as a HOSTS file can allow someone to change that value to whatever they want.

That said, if you define a server environment variable to a value using SetEnv, it can both be trusted and recommended. There are other variables too like SSL auth variables that are equally trustworthy. Just know where your data is coming from and don't make assumptions.

K
----- Original Message ----- From: "Andries Seutens" <[EMAIL PROTECTED]>
To: "Kevin McArthur" <[EMAIL PROTECTED]>
Cc: "Stephan Stapel" <[EMAIL PROTECTED]>; "Gunter Sammet" <[EMAIL PROTECTED]>; "Zend Framework" <[email protected]>
Sent: Monday, June 25, 2007 10:24 AM
Subject: Re: [fw-general] Deployment dependent code


Kevin,

I am saying that you shouldn't trust the $_SERVER superglobal as much as most people think. If you use it, just make sure you take the proper security precautions.

Best,

Andries Seutens

Kevin McArthur schreef:
I must disagree. There is no viable way for an attacker to override a vhost set SetEnv.

I use a SetEnv configuration production|beta|etc

I then use Zend_Config_Ini to load a derived section based on the SetEnv'd value. This means that the code in your SVN for example, can be identical and function differently based on the server configuration. I would advise though, to also check for display_errors ini setting before echoing any sensitive error information.

Kevin

----- Original Message ----- From: "Andries Seutens" <[EMAIL PROTECTED]>
To: "Stephan Stapel" <[EMAIL PROTECTED]>
Cc: "Gunter Sammet" <[EMAIL PROTECTED]>; "Zend Framework" <[email protected]>
Sent: Monday, June 25, 2007 10:09 AM
Subject: Re: [fw-general] Deployment dependent code


Stephan Stapel schreef:
Have a look at Zend_Config (http://framework.zend.com/manual/en/zend.config.adapters.ini.html).

I am already using the config classes. I was just asking myself if someone has best practises on using these classes.

In fact, I'm already using Zend_Config_Xml with multiple sections, one for each environment.

Is this the path that you'd also suggest to take? And how to best decide which section is correct? Based on the $_SERVER['HTTP_POST'] value? Or are there better alternatives?

Regards,

Stephan


Hi Stephan,

I would not recommend basing your configuration on the $_SERVER['*'] superglobal. Why? Because it could be manipulated by an attacker.

I would recommend hardcoding your configuration somewhere in your bootstrap file, by defining a constant or similar.

Best,

Andries Seutens
http://andries.systray.be
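The approach Kevin describes, selecting a config section from a vhost SetEnv value and never from client-supplied headers, worked through as an added example. This is illustration code written for this page, not code from any of the posters or from Zend Framework. It assumes a hypothetical Apache directive `SetEnv APPLICATION_ENV production`, a hypothetical `application.ini` using Zend_Config_Ini's `[child : parent]` section syntax, and the key names shown in the comments; it re-implements the section inheritance with plain `parse_ini_file` so it runs without the framework.

```php
<?php
// Added example (not from the thread): pick a config section from a
// server-set environment variable, the way Kevin describes, while refusing
// to derive it from client-controlled request headers such as HTTP_HOST.
//
// Assumed Apache vhost configuration (hypothetical):
//     SetEnv APPLICATION_ENV production
// Assumed INI layout (hypothetical file name and keys):
//     [production]
//     db.host = db.internal
//     display_errors = 0
//     [beta : production]
//     db.host = db-beta.internal
//     display_errors = 1
//     [development : production]
//     db.host = localhost
//     display_errors = 1

declare(strict_types=1);

// The only section names the application knows about. Anything else is a
// misconfiguration, not a request to be honoured.
const ALLOWED_ENVIRONMENTS = ['production', 'beta', 'development'];

/**
 * Resolve the deployment environment from a server-set variable only.
 *
 * $server is the $_SERVER array. HTTP_* keys are rebuilt from the client's
 * request headers on every request, so they are deliberately never consulted.
 * A missing or unknown value falls back to production, the most restrictive
 * section, so a forgotten SetEnv cannot silently enable debug output.
 */
function resolveEnvironment(array $server): string
{
    $env = $server['APPLICATION_ENV'] ?? getenv('APPLICATION_ENV');
    if (!is_string($env) || !in_array($env, ALLOWED_ENVIRONMENTS, true)) {
        return 'production';
    }
    return $env;
}

/**
 * Parse a Zend_Config_Ini style file ("[child : parent]" section
 * inheritance) without the framework. Parents are merged first, so a child
 * section only needs to list the keys it overrides.
 */
function loadConfigSection(string $iniPath, string $section): array
{
    $raw = parse_ini_file($iniPath, true, INI_SCANNER_TYPED);
    if ($raw === false) {
        throw new RuntimeException("Cannot read config: $iniPath");
    }
    // Index sections by their own name and remember the declared parent.
    $sections = [];
    $parents = [];
    foreach ($raw as $header => $values) {
        $parts = array_map('trim', explode(':', (string) $header, 2));
        $sections[$parts[0]] = $values;
        if (isset($parts[1])) {
            $parents[$parts[0]] = $parts[1];
        }
    }
    if (!isset($sections[$section])) {
        throw new RuntimeException("Unknown config section: $section");
    }
    // Walk up the inheritance chain, then merge from the root downwards.
    $chain = [];
    for ($name = $section; $name !== null; $name = $parents[$name] ?? null) {
        if (in_array($name, $chain, true)) {
            throw new RuntimeException("Cyclic section inheritance at: $name");
        }
        array_unshift($chain, $name);
    }
    $merged = [];
    foreach ($chain as $name) {
        $merged = array_replace($merged, $sections[$name] ?? []);
    }
    return $merged;
}

$environment = resolveEnvironment($_SERVER);
$config = loadConfigSection(__DIR__ . '/application.ini', $environment);

// Kevin's caveat: gate any verbose error output on the runtime
// display_errors setting, not only on which section happened to load.
ini_set('display_errors', (string) (int) ($config['display_errors'] ?? 0));
if (ini_get('display_errors') !== '1') {
    // Production: log the details, show the user nothing sensitive.
    ini_set('log_errors', '1');
}
```

The whitelist and the production fallback are what make the SetEnv value safe to act on: even if a misconfigured vhost or a CGI wrapper leaks an unexpected string into the environment, the code can only ever load one of the sections it already knows, and the failure mode is the locked-down one.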