ID:               28956
 User updated by:  lps at cwru dot edu
 Reported By:      lps at cwru dot edu
 Status:           Open
 Bug Type:         HTTP related
 Operating System: Linux
 PHP Version:      4.3.7
 New Comment:

OK, this really appears to be a feature, not a bug. Admittedly I'm
new to PHP, but this appears to be an undocumented feature. Nothing is
obvious from scanning the manual or looking through the php.ini file.

The PHP interpreter seems to be keeping track of some kind of "dirty
variable". Certainly, it appears to be intentionally preventing me
from setting headers based on content in
$_SERVER["REQUEST_METHOD"]. Of course, this is a computationally
undecidable problem, so in order for such a feature to work, there
must be cases where the header will always be posted, yet this feature
won't let it happen.

I've found such a case, and pretty strong evidence for "dirty
variables": 

<?php
$is_post = ($_SERVER["REQUEST_METHOD"] == "POST");

if ($is_post) {
    $foo = ! 0;
} else {
    $foo = ! 1;
}

$foo = "bar";
if ($foo == "bar") {
    header("Cache-Control: no-store");
}
?>


Now, this header doesn't get set. However, it does if you change the
last two occurrences of "foo" to "baz" instead. Admittedly, echoing
data from GET and POST into HTTP headers allows for some truly nasty
attacks. But it's trivially easy to introduce Cross-Site Scripting
vulnerabilities and other sorts of perhaps lesser evils...

Where is this feature documented, and how do you turn this feature off?
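A hardened variant of the reproduce script, added here as an example and not part of the report: it uses headers_sent() to report where output started when header() would be ignored, sends Cache-Control before any output, strips CR/LF from any value that has to go into a header, and HTML-escapes the echoed POST value. Only the script name test.php and the field name foo are taken from the report; the helper name and log format are assumed.

```php
<?php
// Added example, not from the bug report. Shows how to detect a silently
// dropped header() call and how to reflect POST data without injection.

// Hypothetical helper: header values must never contain CR or LF, or a
// single user-controlled value can split the response into extra headers.
function header_safe($value) {
    return preg_replace('/[\r\n]+/', ' ', $value);
}

// Headers must go out before any output, including whitespace before "<?php".
if (headers_sent($file, $line)) {
    // header() would fail here; record where output began instead of guessing.
    error_log("headers already sent at $file:$line");
} else {
    header("Cache-Control: no-store");
    // If a request value must appear in a header, sanitise it first.
    header("X-Request-Method: " . header_safe($_SERVER["REQUEST_METHOD"]));
}

$is_post = ($_SERVER["REQUEST_METHOD"] === "POST");

// Reflect request data only into the body, and only after escaping it.
$foo = ($is_post && isset($_POST["foo"])) ? $_POST["foo"] : "";
$escaped = htmlspecialchars($foo, ENT_QUOTES, "UTF-8");
?>
<html>
<head>
  <title>Hardened test.php</title>
</head>
<body>
<?php if ($is_post) { ?>
  <p>You submitted: <?php echo $escaped; ?></p>
<?php } ?>
  <form action="test.php" method="post">
  <textarea name="foo"></textarea>
  <input type="submit" />
  </form>
</body>
</html>
```

Checking the response with a client that shows raw headers confirms whether Cache-Control was emitted, and the error_log line names the file and line where output started whenever it was not.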


Previous Comments:
------------------------------------------------------------------------

[2004-06-29 08:37:20] lps at cwru dot edu

Description:
------------
I've tested this buggy script on two substantially different setups:

Redhat Linux 5.2 running Apache-1.3.31/PHP 4.3.3
Gentoo Linux V1.4 running Yaws-1.40/PHP 4.3.7

The http-header is posted ok if either:

1. You change the "echo" to "$foo =" and move the header("Cache..")
to after the if-statement.

2. The condition in the if statement does not refer to a preset
variable.

Hope this helps,
Leon


Reproduce code:
---------------
<?php
header("Testing: 123");
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    header("Cache-Control: no-store");
    echo $_POST["foo"];
}
?>
<html>
<head>
  <title> Bug in PHP 4.3.3 and PHP 4.3.7 </title>
</head>
<body>
  <form action="test.php" method="post">
  <textarea name="foo">When you submit this, you will not get a
'Cache-Control: no-store' header.</textarea>
  <input type="submit" />
  </form>
</body>
</html>



------------------------------------------------------------------------