ID: 10519
Updated by: bbonev
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Variables related
PHP Version: 4.0.4pl1
Assigned To: 
Comments:

think about cookies the same way as GET data or POST data - they are at the same level 
and can be spoofed very easily with a cURL client for example. one can tell his client 
what cookie with what value to pass for a given request.

the issue here is not security but programmer's comfort. but when one uses the short 
representations of variables she must be aware of the GPC order setting.

i think this is the same as overriding a post variable with a get one.

do you think this bug shall be closed?

Previous Comments:
---------------------------------------------------------------------------

[2001-04-26 21:35:49] [EMAIL PROTECTED]
<?
   setCookie('cookie[one]','one');
   setCookie('cookie[two]','two');

   print_r($HTTP_COOKIE_VARS);
?>

If you access this page with the command line argument

?cookie[three]=three 

print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongruous material, but for some sites could cause problems if cookies 
are spoofed thusly.

Regards

---------------------------------------------------------------------------
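
Added example, not code from the report or from PHP itself: a simplified model of a GPC-style overlay, showing that an array name shared by GET and cookie data ends up holding keys from both sources, and which source each key came from. The helper names and the recursive merge of nested keys are assumptions made for illustration.

```php
<?php
// Simplified model (assumption): sources are overlaid in the given order,
// later ones win, and nested array keys are merged recursively.

/** Overlay the request sources in the given order, e.g. "GPC". */
function overlay_sources(string $order, array $sources): array
{
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace_recursive($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Flatten nested keys to "cookie[one]" style paths mapped to values. */
function flatten_keys(array $data, string $prefix = ''): array
{
    $flat = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flat += flatten_keys($value, $path);
        } else {
            $flat[$path] = $value;
        }
    }
    return $flat;
}

/** For every key path, list the source letters that supplied it. */
function key_origins(string $order, array $sources): array
{
    $origins = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        foreach (array_keys(flatten_keys($sources[$letter] ?? [])) as $path) {
            $origins[$path][] = $letter;
        }
    }
    return $origins;
}

// Constructed sample matching the report: two cookies plus ?cookie[three]=three
$sources = [
    'G' => ['cookie' => ['three' => 'three']],
    'P' => [],
    'C' => ['cookie' => ['one' => 'one', 'two' => 'two']],
];
print_r(overlay_sources('GPC', $sources)); // one merged "cookie" array
print_r(key_origins('GPC', $sources));     // cookie[three] came from G only
```

Every value in the merged array is client-supplied whichever source it arrived through, so code that needs a value to come from a cookie has to read it from the cookie source explicitly and validate it server-side.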



ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10519&edit=2

