On Friday 27 July 2001 17:35, Zeev Suraski wrote:
> Have you read the advisory? That's simply not true.
Yes, and I beleive it is true in most cases.
> There are two main types of security problems related to this:
> (a) Ones that originate in the fact that people don't know they mustn't
> trust any input coming from the user, be it GET, POST or cookies, that
> they're all insecure
So, you admit that register_globals=off for GPC variables gains us nothing,
but will break shed loads of code?
> (b) Ones that don't, and there are many of them
>
> For those of type (a), register_globals being off or on doesn't change
> much. For (b), it does, big time.
Then if you don't like my suggestion, how about a half way house -
register-globals=GPC registers the insecure variables in the global namespace
since we can't trust them wherever they appear in the namespace, whilst env
variables and possibly session variables have to be read out of arrays.
I know that this would break none of my scripts, but I can't speak for other
scripts out there.
I do feel, however, that you are really missing the point on E_NOTICE which
IMHO has a much greater effect on the security of PHP than accessing GPC
variables in a different way. I'd personally be even harsher than E_NOTICE is
- if a production site generates a notice message for an uninitialised
variable, then that's a fatal error in my book!
Cheers
--
Phil Driscoll
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
