On Friday 27 July 2001 17:35, Zeev Suraski wrote:

> Have you read the advisory?  That's simply not true.

Yes, and I beleive it is true in most cases.

> There are two main types of security problems related to this:
> (a) Ones that originate in the fact that people don't know they mustn't
> trust any input coming from the user, be it GET, POST or cookies, that
> they're all insecure

So, you admit that register_globals=off for GPC variables gains us nothing, 
but will break shed loads of code?

> (b) Ones that don't, and there are many of them
> For those of type (a), register_globals being off or on doesn't change
> much.  For (b), it does, big time.

Then if you don't like my suggestion, how about a half way house - 
register-globals=GPC registers the insecure variables in the global namespace 
since we can't trust them wherever they appear in the namespace, whilst env 
variables and possibly session variables have to be read out of arrays.
I know that this would break none of my scripts, but I can't speak for other 
scripts out there.

I do feel, however, that you are really missing the point on E_NOTICE which 
IMHO has a much greater effect on the security of PHP than accessing GPC 
variables in a different way. I'd personally be even harsher than E_NOTICE is 
- if a production site generates a notice message for an uninitialised 
variable, then that's a fatal error in my book!

Phil Driscoll

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to