Rasmus Lerdorf ([EMAIL PROTECTED]) wrote:
> How to get there...
>
> For 4.0.7:
>
> - We leave all default configuration settings as they are now.
> - We add $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and perhaps make them
> super-globals like $GLOBALS
+1
> - We add a new function, somewhat like the current extract() which looks
> something like this:
> // Another use:
> // Only import the given variables from Post or Cookie data.
> import_globals("PC",array('user','password','first','last'));
+1
> - With the release of 4.0.7 we start hyping this security issue by
> linking to a spruced up version of the security chapter in the manual
> which describes how exactly to use these new tools.
I'm writing "A study in resilience", as a response to the "Study in
Scarlet" newsletter. A bit late, but it can provide a discussion point.
I'd be happy to see it modified and included in the security chapter.
I like your reasoning for import_globals(). I was wondering if there
was any thought on my earlier proposal, which would be largely a SAPI
change that:
- dies if GET variable is specified while method != GET
- dies if a file in HTTP_POST_FILES fails is_uploaded_file().
This doesn't solve all the items mentioned in the advisory, but it
squishes quite a few!
-Steve
--
PHP Development Mailing List <http://www.php.net/>
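As an added illustration of the import_globals() idea discussed above (this is not Rasmus's or PHP's own code; the function name, the source-letter convention and the return value are assumptions), here is a userland sketch that copies only a whitelist of names out of the chosen request arrays and refuses to clobber variables the script already initialised:

```php
<?php
// Added example, not PHP's own implementation. $sources is a string of
// letters naming the request arrays to consult, first letter taking
// precedence: G = $_GET, P = $_POST, C = $_COOKIE, E = $_ENV, S = $_SERVER.
// Only the names listed in $names reach the global scope; everything else
// the client sent stays in the superglobals. Semantics are assumed.
function import_globals(string $sources, array $names): array
{
    static $map = [
        'G' => '_GET', 'P' => '_POST', 'C' => '_COOKIE',
        'E' => '_ENV', 'S' => '_SERVER',
    ];
    $imported = [];
    foreach ($names as $name) {
        // A variable the script set before importing is never overwritten.
        if (array_key_exists($name, $GLOBALS)) {
            continue;
        }
        foreach (str_split(strtoupper($sources)) as $letter) {
            if (!isset($map[$letter])) {
                throw new InvalidArgumentException("unknown source '$letter'");
            }
            $arr = $GLOBALS[$map[$letter]] ?? [];
            if (array_key_exists($name, $arr)) {
                $GLOBALS[$name] = $arr[$name];
                $imported[] = $name;
                break; // first matching source in $sources wins
            }
        }
    }
    return $imported;
}

// Constructed request data, standing in for what the SAPI would populate.
$_POST   = ['user' => 'alice', 'password' => 's3cret', 'authenticated' => '1'];
$_COOKIE = ['first' => 'Alice', 'session' => 'abc'];

$authenticated = false; // initialised before import, so it cannot be clobbered
$got = import_globals("PC", ['user', 'password', 'first', 'last']);

var_dump($got);            // ["user", "password", "first"]; "last" was not sent
var_dump($authenticated);  // bool(false): not whitelisted, so never imported
var_dump(isset($session)); // bool(false): unlisted cookie stays in $_COOKIE
```

The contrast with register_globals is the default: nothing the client sends becomes a variable unless the script names it, so the uninitialised-variable pattern the advisory describes has nothing to latch onto.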