Zeev Suraski ([EMAIL PROTECTED]) wrote:
> - register_globals=on leads to insecure code, which was demonstrated time
> and time again in the past.
> - Once it's off, we're going to provide methods of accessing variables
> which are just as easy, and quite easier in case you access them from
> functions. Having form variables register as global variables is not the
> 11th commandment, and it's kind of odd to see people treat it as such.
It is quite the handy feature, and it will be a bummer to see it go.
> - E_NOTICE is a runtime issue, one which you would have to check under all
> possible paths in your logic. That's why leaving security stuff to runtime
> is always never a good idea. Setting register_globals to off gives you
> development-time security.
I must point out that if we're referring to existing code bases,
E_NOTICE and register_globals=off require as much work: all code paths
have to be exercised to catch all the old-style idioms.
I was trying to step back a bit and identify some of the patterns in
the attacks identified in the paper. One extremely popular pattern was
spoofing variables by overwriting them: GET variables overwriting
POST, usually, and I suggested that some SAPI stunt be pulled to catch
that.
Although this would improve things, it bears noting that:
- it deprecates a valid (on Apache) idiom which, at least, Rasmus uses
- this only makes it harder to spoof variables, not impossible.
But at least that's something.
Whatever. The idea hasn't caught on. I recognize it probably wasn't
worthy.
-Steve
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]