> At 08:48 26/07/2001, Rasmus Lerdorf wrote:
> > > Just replace your if ($ok) with if (!empty($ok)), and you have a perfect
> > > exploitable code that produces no warnings.
> >
> >But in this case someone has gone to the trouble to figure out what
> >empty() does. And generally they use empty() on things that come from the
> >user anyway. I don't think I have ever seen people use empty() to check
> >to see if they themselves have set an internal variable to something.
>
> I have... And quite a lot use isset(), which is much more common and
> popular than empty(). My guess is that we're dealing with a fairly big
> number of users/scripts here, which are exploitable even though they're
> 'clean' scripts with no warnings. I'm all in favour of turning E_NOTICE's
> on (I was since day one and so was Andi, but back then, most people
> supported the 'loose' behavior of PHP/FI 2 as a default, and leave
> E_NOTICEs as an option you have to explicitly turn on).

I think you missed my point. People use empty() and isset() on a variable
to check to see if that variable was set by the user. As such that
variable is unclean and whether it came in via register_globals or not is
quite irrelevant. If it is unclean it is unclean. It doesn't matter at
all which mechanism (GET/POST/COOKIE) populated the data from a security
perspective.

> I actually think that turning E_NOTICE on is going to have a huge effect on
> a mind boggling number of scripts, probably on the same order of magnitude
> as setting register_globals to off (probably less, but not that much
> less). I think that unless we explain explicitly and vocally why we're
> making these changes (register_globals and/or error level), people will
> just reconfigure php.ini to the old settings - I don't think they'll start
> running after new E_NOTICE's they suddenly get after upgrading, unless
> they'd know they have a good reason to.

Baby-steps are needed for changes like this. We can get away with the
E_NOTICE change I think. The register_globals change is much too drastic
and it changes the basic nature of the language. There are plenty of
people using PHP today who have no clue what an array is.

-Rasmus
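
The behaviour debated in this thread, as an added example that is not part of the original message: it compares which checks raise an undefined-variable diagnostic and which can be satisfied by a request parameter. register_globals is emulated with extract() because the directive was removed in PHP 5.4; the function names and request arrays are constructed for illustration.

```php
<?php
// Added illustration; not code from the thread.
// extract() on a constructed request array stands in for register_globals.

$diagnostics = [];
set_error_handler(function (int $errno, string $errstr) use (&$diagnostics): bool {
    // Undefined variable: E_NOTICE before PHP 8, E_WARNING since.
    $diagnostics[] = $errstr;
    return true;
});

function check_with_empty(array $request, bool $authenticated): bool {
    extract($request);               // emulated register_globals
    if ($authenticated) { $ok = 1; }
    return !empty($ok);              // empty() is silent when $ok is undefined
}

function check_with_plain_if(array $request, bool $authenticated): bool {
    extract($request);
    if ($authenticated) { $ok = 1; }
    if ($ok) { return true; }        // raises a diagnostic when $ok is undefined
    return false;
}

function check_initialised(array $request, bool $authenticated): bool {
    extract($request);
    $ok = false;                     // explicit initialisation overwrites any injected value
    if ($authenticated) { $ok = true; }
    return $ok;
}

$cases = [
    'no parameter' => [],            // constructed: ordinary unauthenticated request
    'ok=1 in request' => ['ok' => '1'],  // constructed: request that sets the variable
];
$checks = ['check_with_empty', 'check_with_plain_if', 'check_initialised'];

foreach ($cases as $label => $request) {
    foreach ($checks as $fn) {
        $diagnostics = [];
        $granted = $fn($request, false);   // caller is never authenticated
        printf("%-16s %-20s granted=%-5s diagnostics=%d\n",
            $label, $fn, var_export($granted, true), count($diagnostics));
    }
}
```

The diagnostic from the plain `if ($ok)` form appears only on requests that do not set the variable, which is the signal that prompts a developer to initialise it; the empty() form never produces that signal.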