ID: 28956
Updated by: [EMAIL PROTECTED]
Reported By: lps at cwru dot edu
-Status: Open
+Status: Bogus
Bug Type: HTTP related
Operating System: Linux
PHP Version: 4.3.7
New Comment:
Uh? What in the world are you talking about? There is no such
dirty-variable feature in PHP. Your code example makes no sense. If
you do:
$foo = "bar";
if($foo == "bar") { action }
Then obviously that action will be taken no matter what you do before
or after.
Pasting your exact code example on my server here and checking the
headers I see the Cache-Control header perfectly:
2:45am thinkpad:~> cat www/t.php
<?php
$is_post = ($_SERVER["REQUEST_METHOD"] == "POST");
if ($is_post) {
$foo = ! 0;
} else {
$foo = ! 1;
}
$foo = "bar";
if ($foo == "bar") {
header("Cache-Control: no-store");
} ?>
2:45am thinkpad:~> HEAD http://localhost/t.php
200 OK
Cache-Control: no-store
Connection: close
Date: Tue, 29 Jun 2004 09:46:01 GMT
Server: Apache/1.3.30-dev (Unix) PHP/4.3.8-dev
Content-Type: text/html
Client-Date: Tue, 29 Jun 2004 09:46:01 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
X-Powered-By: PHP/4.3.8-dev
Previous Comments:
------------------------------------------------------------------------
[2004-06-29 10:58:00] lps at cwru dot edu
Ok, this really appears to be a feature, not a bug. Admittedly I'm
new to PHP, but this appears to be an undocumented feature. Nothing is
obvious from scanning the manual or looking through the php.ini file.
The PHP interpreter seems to be keeping track of some kind of "dirty
variable". Certainly, it appears to be intentionally preventing me
from setting headers based off of content in
$_SERVER["REQUEST_METHOD"]. Of course, this is a computationally
undecidable problem, so in order for such a feature to work, there
must be cases where the header will always be posted, yet this feature
won't let it happen.
I've found such a case, and pretty strong evidence for "dirty
variables":
<?php
$is_post = ($_SERVER["REQUEST_METHOD"] == "POST");
if ($is_post) {
$foo = ! 0;
} else {
$foo = ! 1;
}
$foo = "bar";
if ($foo == "bar") {
header("Cache-Control: no-store");
} ?>
Now, this header doesn't get set. However, it does if you change the
last two occurances of "foo" to "baz" instead. Admittedly, echoing
data from GET and POST into http-headers allows for some truly nasty
attacks. But it's trivially easy to introduce Cross-Site Scripting
vulnerabilities and other sorts of perhaps lesser evils....
Where is this feature documented, and how do you turn this feature off?
------------------------------------------------------------------------
[2004-06-29 08:37:20] lps at cwru dot edu
Description:
------------
I've tested this buggy script on two substantially different setups:
Redhat Linux 5.2 running Apache-1.3.31/PHP 4.3.3
Gentoo Linux V1.4 running Yaws-1.40/PHP 4.3.7
The http-header is posted ok if either:
1. You change the "echo" to "$foo =" and move the header("Cache..")
to after the if-statement.
2. The condition in the if statement does not refer to a preset
variable.
Hope this helps,
Leon
Reproduce code:
---------------
<?php
header("Testing: 123");
if ($_SERVER["REQUEST_METHOD"] == "POST") {
header("Cache-Control: no-store");
echo $_POST["foo"];
}
?>
<html>
<head>
<title> Bug in PHP 4.3.3 and PHP 4.3.7 </title>
</head>
<body>
<form action="test.php" method="post">
<textarea name="foo">When you submit this, you will not get a
'Cache-Control: no-store' header.</textarea>
<input type="submit" />
</form>
</body>
</html>
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=28956&edit=1
