Rasmus Lerdorf ([EMAIL PROTECTED]) wrote:
> How to get there...
> For 4.0.7:
>  - We leave all default configuration settings as they are now.
>  - We add $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and perhaps make them
>    super-globals like $GLOBALS
>  - We add a new function, somewhat like the current extract() which looks
>    something like this:
>      // Another use:
>      // Only import the given variables from Post or Cookie data.
>      import_globals("PC",array('user','password','first','last'));
>  - With the release of 4.0.7 we start hyping this security issue by
>    linking to a spruced up version of the security chapter in the manual
>    which describes how exactly to use these new tools.

I'm writing "A study in resilience", as a response to the "Study in
Scarlet" newsletter.  A bit late, but it can provide a discussion point.
I'd be happy to see it modified and included in the security chapter.

I like your reasoning for import_globals().  I was wondering if there
was any thought on my earlier proposal, which would be largely a SAPI
change that:

- dies if GET variable is specified while method != GET
- dies if a file in HTTP_POST_FILES fails is_uploaded_file().

This doesn't solve all the items mentioned in the advisory, but it
squishes quite a few!
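As an added illustration of the two ideas in this thread (it is neither Rasmus's proposed import_globals() nor any PHP-internal code), here is a user-land sketch of a whitelist import plus the two request-shape checks from the reply above. It assumes the modern $_GET/$_POST/$_COOKIE/$_FILES names (HTTP_POST_FILES in the original), that the first listed source wins when several carry the same name, and single-file upload fields.

```php
<?php
// Added example, not part of the mailing-list discussion.  Only the named
// variables are copied, and only from the sources whose letters appear in
// $sources ("G" = $_GET, "P" = $_POST, "C" = $_COOKIE), so nothing else in
// the request can reach the script's symbol table the way register_globals
// would let it.  Assumption: the first source listed in $sources wins when
// the same name is present in several (the quoted text does not say).
function import_globals_safe(string $sources, array $names): array
{
    $map = array('G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE);
    $imported = array();
    foreach (str_split(strtoupper($sources)) as $letter) {
        if (!isset($map[$letter])) {
            throw new InvalidArgumentException("unknown source '$letter'");
        }
        foreach ($names as $name) {
            if (!array_key_exists($name, $imported)
                && array_key_exists($name, $map[$letter])) {
                $imported[$name] = $map[$letter][$name];
            }
        }
    }
    return $imported;
}

// The SAPI-level checks proposed in the reply, done in user land instead:
// refuse query-string variables on anything but a GET request, and refuse
// any $_FILES entry that PHP did not itself receive as an upload.
// Assumption: single-file fields, so 'tmp_name' is a string.
function enforce_request_shape(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && !empty($_GET)) {
        http_response_code(400);
        exit('query-string variables are only accepted on GET requests');
    }
    foreach ($_FILES as $field => $info) {
        // An empty tmp_name (failed upload) also fails this test, which is
        // the safe outcome.
        if (!is_uploaded_file((string) ($info['tmp_name'] ?? ''))) {
            http_response_code(400);
            exit("field '$field' is not a genuine upload");
        }
    }
}

// Usage: run the checks first, then import only what the login form needs;
// read the result as array elements rather than calling extract() on it.
enforce_request_shape();
$vars = import_globals_safe("PC", array('user', 'password', 'first', 'last'));
$user = $vars['user'] ?? null;
```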