Edit report at http://bugs.php.net/bug.php?id=10519&edit=1
 ID:               10519
 Updated by:       [email protected]
 Reported by:      stuff at cheesygames dot net
 Summary:          $HTTP_COOKIE_VARS spoofing
-Status:           Open
+Status:           Closed
 Type:             Feature/Change Request
-Package:          Feature/Change Request
+Package:          *General Issues
 Operating System: Win98
 PHP Version:      4.0.4pl1
-Assigned To:
+Assigned To:      jani
 Block user comment: N
 Private report:   N

 New Comment:

This is handled by variables_order. Since some PHP 5.x it has not been possible to spoof $_COOKIE, AFAIK.

Previous Comments:
------------------------------------------------------------------------
[2001-08-31 12:10:11] [email protected]

Not a bug (as stated by bbonev). Making it a feature/change request.

------------------------------------------------------------------------
[2001-04-29 16:34:05] [email protected]

Indeed I have missed one of the points - the fact that when passing data in the array form, all the values combine in a single array. Further testing showed that the cookies also appear in HTTP_GET_VARS. I am sure that if there is a post to a URL with a get var and some cookies (all varnames in array form) HTTP_*_ARRAY will contain all the values.

This issue is a serious concern about the --enable-track-vars code. It must be resolved by overwriting the whole arrays, not adding data to them, in order to be consistent, e.g.

get var: myarr[one]=1
post var: myarr[two]=2
cookie var: myarr[three]=3

gpc order is GPC
the global array $myarr has only the 'one' key
the HTTP_*_VARS have only the proper arrays

------------------------------------------------------------------------
[2001-04-29 13:23:27] [email protected]

Think about cookies the same way as GET data or POST data - they are at the same level and can be spoofed very easily with a cURL client, for example. One can tell his client what cookie with what value to pass for a given request.

The issue here is not security but programmer's comfort. But when one uses the short representations of variables she must be aware of the GPC order setting.

I think this is the same as overriding a post variable with a get one.

Do you think this bug shall be closed?

------------------------------------------------------------------------
[2001-04-26 21:35:49] stuff at cheesygames dot net

<?
setCookie('cookie[one]','one');
setCookie('cookie[two]','two');
print_r($HTTP_COOKIE_VARS);
?>

If you access this page with the command line argument ?cookie[three]=three print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongruous material, but for some sites could cause problems if cookies are spoofed thusly.

Regards

------------------------------------------------------------------------
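
Added example, not part of the bug thread or of PHP's own code: a PHP 7+ sketch that rebuilds the cookie array from the raw Cookie header alone and lists the array keys that a merged array picked up from another source, using the reporter's cookie[one]/cookie[two]/?cookie[three] case. The function names are hypothetical, the request data is constructed, and the merge reported for 4.0.4pl1 is only emulated here with array_replace_recursive().

```php
<?php
// Build the cookie array strictly from the Cookie header (simplified parsing).
function cookies_from_header(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or malformed pairs
        }
        // Keep '&' and '+' literal so parse_str() sees exactly one variable.
        $pair = str_replace(['&', '+'], ['%26', '%2B'], $pair);
        parse_str($pair, $parsed); // expands name[key]=value into arrays
        $cookies = array_replace_recursive($cookies, $parsed);
    }
    return $cookies;
}

// For each array-form variable, list the keys that are in the merged array
// but were never sent in the Cookie header.
function keys_not_from_cookie(array $merged, array $fromHeader): array
{
    $foreign = [];
    foreach ($merged as $name => $value) {
        $sent = $fromHeader[$name] ?? [];
        if (is_array($value)) {
            $extra = array_keys(array_diff_key($value, is_array($sent) ? $sent : []));
            if ($extra) {
                $foreign[$name] = $extra;
            }
        } elseif (!array_key_exists($name, $fromHeader)) {
            $foreign[$name] = []; // scalar variable absent from the header
        }
    }
    return $foreign;
}

// Constructed sample request matching the report.
$cookieHeader = 'cookie[one]=one; cookie[two]=two';
$queryString  = 'cookie[three]=three';

parse_str($queryString, $get);
$strict = cookies_from_header($cookieHeader);
// Emulation of the reported behaviour: GET data merged into the cookie array.
$merged = array_replace_recursive($strict, $get);

print_r($strict);                                // cookie data only
print_r(keys_not_from_cookie($merged, $strict)); // keys that came from GET
```

The same comparison can be run against any array suspected of mixing sources by passing it as $merged.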
