Right, it only takes a bad sys admin to put the doors wide open :).
Best,
Andries Seutens
Kevin McArthur schreef:
I know andries knows this, but for those others on the list, the
security issues with $_SERVER are simply related to where that data
comes from. HTTP_HOST for example comes from the client's GET request
and something as simple as a HOSTS file can allow someone to change that
value to whatever they want.
That said, if you define a server environment variable to a value using
SetEnv, it can both be trusted and recommended. There are other
variables too like SSL auth variables that are equally trustworthy. Just
know where your data is coming from and don't make assumptions.
K
----- Original Message ----- From: "Andries Seutens"
<[EMAIL PROTECTED]>
To: "Kevin McArthur" <[EMAIL PROTECTED]>
Cc: "Stephan Stapel" <[EMAIL PROTECTED]>; "Gunter Sammet"
<[EMAIL PROTECTED]>; "Zend Framework" <[email protected]>
Sent: Monday, June 25, 2007 10:24 AM
Subject: Re: [fw-general] Deployment dependent code
Kevin,
I am saying that you shouldn't trust the $_SERVER superglobal as much
as most people think. If you use it, just make sure you take the
proper security precautions.
Best,
Andries Seutens
Kevin McArthur schreef:
I must disagree. There is no viable way for an attacker to override a
vhost set SetEnv.
I use a SetEnv configuration production|beta|etc
I then use Zend_Config_Ini to load a derived section based on the
SetEnv'd value. This means that the code in your SVN for example, can
be identical and function differently based on the server
configuration. I would advise, though, also checking the
display_errors ini setting before echoing any sensitive error
information.
Kevin
----- Original Message ----- From: "Andries Seutens"
<[EMAIL PROTECTED]>
To: "Stephan Stapel" <[EMAIL PROTECTED]>
Cc: "Gunter Sammet" <[EMAIL PROTECTED]>; "Zend Framework"
<[email protected]>
Sent: Monday, June 25, 2007 10:09 AM
Subject: Re: [fw-general] Deployment dependent code
Stephan Stapel schreef:
Have a look at Zend_Config
(http://framework.zend.com/manual/en/zend.config.adapters.ini.html).
I am already using the config classes. I was just asking myself if
someone has best practices on using these classes.
In fact, I'm already using Zend_Config_Xml with multiple sections,
one for each environment.
Is this the path that you'd also suggest to take? And how to best
decide which section is correct? Based on the $_SERVER['HTTP_POST']
value? Or are there better alternatives?
Regards,
Stephan
Hi Stephan,
I would not recommend basing your configuration on the
$_SERVER['*'] superglobal. Why? Because it could be manipulated by
an attacker.
I would recommend that you hardcode your configuration somewhere in
your bootstrap file, by defining a constant or similar.
Best,
Andries Seutens
http://andries.systray.be
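An added example, not code from anyone in this thread or from Zend Framework, of the approach Kevin describes with the checks the thread calls for: the deployment name comes from a vhost SetEnv (server-controlled, unlike HTTP_HOST), is matched against a closed list, and falls back to production; error detail is only echoed when display_errors is on. The variable name APPLICATION_ENV, the config/app.ini path and its section names are my assumptions, as is Zend Framework 1.x being on the include path.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Assumed layout: a config/app.ini next to this file with the sections
//   [production] / [staging : production] / [development : production]
// and an Apache vhost line that only the server admin controls:
//   SetEnv APPLICATION_ENV staging
// Zend Framework 1.x is assumed to be on the include path.

require_once 'Zend/Config/Ini.php';

// Closed list of deployments. Anything not on it falls back to production,
// so a missing or unexpected value can never select a debug configuration.
define('DEFAULT_ENV', 'production');
$allowedEnvironments = array('production', 'staging', 'development');

/**
 * Pick the config section from the server-set APPLICATION_ENV variable.
 * getenv() reads what SetEnv placed in the request environment. Do not
 * substitute $_SERVER['HTTP_HOST'] here: that value is copied from the
 * client's Host header, which is exactly the data Andries warns about.
 */
function detectEnvironment(array $allowed, $default)
{
    $env = getenv('APPLICATION_ENV');
    if ($env === false || !in_array($env, $allowed, true)) {
        return $default;
    }
    return $env;
}

/**
 * Kevin's second point: sensitive detail is only echoed when the
 * deployment has display_errors on; otherwise it goes to the error log.
 */
function reportError(Exception $e)
{
    $display = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
    if ($display) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } else {
        error_log($e->getMessage());
        echo 'An internal error occurred.';
    }
}

$env    = detectEnvironment($allowedEnvironments, DEFAULT_ENV);
$config = new Zend_Config_Ini(dirname(__FILE__) . '/config/app.ini', $env);

// Identical code in version control now behaves per deployment,
// e.g. $db = Zend_Db::factory($config->db);
```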