From:             [EMAIL PROTECTED]
Operating system: RH 7.2
PHP version:      4.1.2
PHP Bug Type:     PHP options/info functions
Bug description:  track_vars doesn't work unless register_globals is also set

The entire point of "register_globals Off" is to provide a mechanism to
disable automatic registration of EGPCS (Environment, Get, Post, Cookie,
System) variables.  However, for this to be an effective strategy, scripts
need access to these variables by other means.  This SHOULD be the
HTTP_*_VARS and _GET[], _POST[], etc. variables.  But as of 4.1.2,
track_vars (which is set on by default) doesn't work unless

(1) register_globals is set On, AND
(2) variables_order contains the particular type of variable you want. 
That is, unless you set variables_order to contain "G", neither _GET[] nor
HTTP_GET_VARS[] will contain the results from the GET request, but if
variables_order does contain "G", they *will*.

Considering the number of exploits caused by namespace pollution that
register_globals has been accused (and convicted) of, this is about as
serious a security bug as I can think of.  I will be digging through the
source tree to come up with a patch.
-- 
Edit bug report at http://bugs.php.net/?id=16155&edit=1
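
A reproduction check for the behaviour reported above, added here as an example and not part of the original report or of PHP's own code: it compares variables_order and register_globals with what a GET request actually populates. The parameter name "probe" and the helper names ini_flag and classify_get are assumptions made for this example.

```php
<?php
// Added diagnostic, not from the original report.
// Request it with a query string, e.g.  script.php?probe=1
// "probe" is an arbitrary parameter name chosen for this example.

// Normalise an ini flag ("1", "On", "", false ...) to a boolean.
function ini_flag($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, array('1', 'on', 'yes', 'true'));
}

// Turn the observed state into a verdict for GET data.
function classify_get($g_in_order, $rg_on, $in_get, $in_global)
{
    if ($in_global && !$rg_on) {
        return 'UNEXPECTED: probe is a global although register_globals is Off';
    }
    if ($g_in_order && !$in_get) {
        return 'MISMATCH: variables_order contains G but $_GET lacks probe';
    }
    if (!$g_in_order && $in_get) {
        return 'UNEXPECTED: $_GET has probe although variables_order lacks G';
    }
    if (!$g_in_order) {
        return 'CONFIG: variables_order lacks G, so GET data is not imported';
    }
    if ($rg_on) {
        return 'RISK: register_globals is On, request data lands in global scope';
    }
    return 'OK: probe is reachable only through the request arrays';
}

$order      = strtoupper((string) ini_get('variables_order'));
$g_in_order = (strpos($order, 'G') !== false);
$rg_on      = ini_flag('register_globals');
$in_get     = isset($_GET['probe']);
$in_long    = isset($HTTP_GET_VARS['probe']); // long array, only on old PHP versions
$in_global  = isset($GLOBALS['probe']);       // set when the value was registered globally

echo 'variables_order  = ' . $order . "\n";
echo 'register_globals = ' . ($rg_on ? 'On' : 'Off') . "\n";
echo '$_GET[probe]     = ' . ($in_get ? 'set' : 'not set') . "\n";
echo '$HTTP_GET_VARS   = ' . ($in_long ? 'set' : 'not set') . "\n";
echo 'global $probe    = ' . ($in_global ? 'set' : 'not set') . "\n";
echo classify_get($g_in_order, $rg_on, $in_get, $in_global) . "\n";
```

A MISMATCH verdict with register_globals Off and "G" present in variables_order corresponds to the symptom described in this report.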