Hi Phil!
On Sat, 28 Jul 2001, Phil Driscoll wrote:

> > That's not going to find half, or a quarter, or whatever of the problems,
> > since PHP has tools to cleanly handle undefined variables - namely isset()
> > and empty().  They, or at least isset(), are quite popular.
> 
> I always use something like:
> 
> if(!isset($Thing) /*and possibly some range checking*/)
>  $Thing="sensible default";
> 
> In no way is
> 
> if(!isset(_GET['Thing']) /*and possibly some range checking*/)
> {
>  $Thing="sensible default";

well, lemme tell you my favourite:
$defRequest = array ('thing1' => '', 'thing2' => '' /* ... */);
$myRequest = array_merge ($defRequest, $HTTP_GET_VARS); /* or POST */

This way you'll be able to simply say:
    if ($myRequest[<var>] != <default>) {
                // do something
    }

and be sure you have something there.
    
> any more secure (nor would it be if I wrote "sensible default" back to _GET.
> 
> Anyway, to check my sanity I have reread the security advisory which I first 
> read on the day it was published, and I am even more convinced now that 
> register_globals=off has the tiniest of effects for gpc variables whereas 
> E_NOTICE has a massive effect.
> 
> Here are the examples from the advisory:
> 
> ------------------
>  <?php
>   if ($pass === "hello") //= corrected to ===
>    $auth = 1;
>   ...
>   if ($auth == 1)
>    echo "some important information";
>  ?>
> 
> replace $pass with _GET['pass']  and the code is 
> equally insecure. Turn E_NOTICE on and the novice programmer will get a 
nope,
in the first case I can say http://your.site/your_page.php?pass=whatever&auth=1

> warning message for the unset $pass.
> ------------------
>  <?php
>   if (!($fd = fopen("$filename", "r")))
>    echo("Could not open file: $filename<BR>\n");
>  ?>
> 
> replace $filename with _GET['filename'] and this lunatic piece of code 
> remains a lunatic piece of code. If $filename is not meant to be coming from 
> the outside world then with E_NOTICE on there would be a warning message for 
> the unset filename.
The issue here was as always 'untrusted user data' used as trusted (I can say
?filename='../../../etc/passwd' etc.)
And *maybe* seeing :
    $fd = fopen ($_GET['filename'],'r');

something will click in the mind of the programmer ('geez, wait, this is
 *straight* from the request [it says GET], what if...)

> ------------------
>  <?php
>   include($libdir . "/languages.php");
>  ?>
> Ok, with register_globals=off then $libdir could not be directly overwritten 
> from outside (unless there was some code which made that happen) however 
> E_NOTICE would generate a warning for an unset $libdir
Again, it will be set, and no notice will pop up, but it will be set by the
evil guy.

The advisory was not as clear and professional as one from eEye, but it had a
very well defined point. And sadly, it was right.

-- teodor
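Added example, not code from this thread or from either poster: it puts the two patterns discussed above side by side. register_globals no longer exists in modern PHP, so `extract()` over the request array stands in for it (assumption: that is a faithful enough emulation for the `$auth` case); `pageWithRegisterGlobals`, `pageWithDefaults`, `resolveWithinBase`, the `SECRET` constant and the request arrays are all constructed names and values for this example, as is the temporary language directory.

```php
<?php
// Added example (not from the thread). Contrasts the register_globals failure
// mode with the array_merge() defaults pattern, then shows the fopen() case.
declare(strict_types=1);

const SECRET = 'hello'; // constructed value

// Emulates register_globals=on: every request key becomes a variable.
// $auth is only ever assigned on success, so the author assumes "unset"
// means "not authenticated"; the request can pre-populate it.
function pageWithRegisterGlobals(array $request): bool
{
    extract($request); // stand-in for register_globals (assumption)
    if (isset($pass) && $pass === SECRET) {
        $auth = 1;
    }
    return isset($auth) && $auth == 1; // loose check, as in the advisory
}

// Explicit defaults merged with the request: only the keys the page declares
// are ever read, and $auth is initialised locally so no request can set it.
function pageWithDefaults(array $request): bool
{
    $defRequest = ['pass' => '', 'filename' => ''];
    // array_intersect_key drops keys the page never asked for (e.g. 'auth')
    $myRequest  = array_merge($defRequest, array_intersect_key($request, $defRequest));
    $auth = 0;
    if ($myRequest['pass'] === SECRET) {
        $auth = 1;
    }
    return $auth === 1;
}

// The fopen() case: the request value is only a file name inside a fixed
// directory. basename() strips any directory components; realpath() then
// resolves the result and must still point inside the base directory.
function resolveWithinBase(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file, or resolved outside the base directory
    }
    return $candidate;
}

// --- demonstration with constructed requests --------------------------------
$hostile = ['pass' => 'whatever', 'auth' => '1']; // ?pass=whatever&auth=1
$honest  = ['pass' => 'hello'];

printf("%-32s %s\n", 'register_globals, hostile:', var_export(pageWithRegisterGlobals($hostile), true));
printf("%-32s %s\n", 'register_globals, honest:',  var_export(pageWithRegisterGlobals($honest), true));
printf("%-32s %s\n", 'defaults, hostile:',         var_export(pageWithDefaults($hostile), true));
printf("%-32s %s\n", 'defaults, honest:',          var_export(pageWithDefaults($honest), true));

// Constructed language directory with a single file in it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'en.php', "<?php // constructed language file\n");

printf("%-32s %s\n", 'filename=en.php:',              var_export(resolveWithinBase('en.php', $dir), true));
printf("%-32s %s\n", 'filename=../../../etc/passwd:', var_export(resolveWithinBase('../../../etc/passwd', $dir), true));

unlink($dir . DIRECTORY_SEPARATOR . 'en.php');
rmdir($dir);
```

Run it with `php` on the command line. The first function authenticates the hostile request because `$auth` arrives from the request before the comparison runs; the second never reads a request key it did not declare, and the path helper rejects anything that does not resolve to an existing file inside the base directory.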

-- 
PHP Development Mailing List <http://www.php.net/>