Stephen van Egmond wrote:

Zeev Suraski ([EMAIL PROTECTED]) wrote:
> - register_globals=on leads to insecure code, which was demonstrated time
> and time again in the past.
> - Once it's off, we're going to provide methods of accessing variables
> which are just as easy, and quite easier in case you access them from
> functions.  Having form variables register as global variables is not the
> 11th commandment, and it's kind of odd to see people treat it as such.

It is quite the handy feature, and it will be a bummer to see it go.

> - E_NOTICE is a runtime issue, one which you would have to check under all
> possible paths in your logic.  That's why leaving security stuff to runtime
> is always never a good idea.  Setting register_globals to off gives you
> development-time security.

I must point out that if we're referring to existing code bases,
E_NOTICE and register_globals=off require as much work: all code paths
have to be exercised to catch all the old-style idioms.

I was trying to step back a bit and identify some of the patterns in
the attacks identified in the paper.  One extremely popular pattern was
spoofing variables by overwriting them: GET variables overwriting
POST, usually, and I suggested that some SAPI stunt be pulled to catch

Although this would improve things, it bears noting that:

- it deprecates a valid (on Apache) idiom which, at least, Rasmus uses
- this only makes it harder to spoof variables, not impossible.
  But at least that's something.

Whatever. The idea hasn't caught on.  I recognize it probably wasn't
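The two failure modes discussed above, an uninitialised variable that register_globals=on hands to the request, and a parameter reaching code through a different channel than the one it expects, shown as an added example that is not code from this thread or from PHP itself. The secret string and the request arrays are constructed placeholders, and extract() is used only to model what register_globals did before a script ran.

```php
<?php
// Added example, not from the thread. Contrasts a check that depends on
// register_globals=on with the explicit form that reads one named source.

// Models register_globals=on: every request parameter, from whichever source
// (GET, POST, cookie), becomes a variable before the script's own code runs.
// Legacy code sometimes emulated this with extract($_REQUEST); it appears here
// only to reproduce that behaviour for the demonstration.
function legacy_is_authorized(array $request_vars): bool
{
    extract($request_vars);   // $password, $authorized, ... appear as locals

    // $authorized is assigned only on success and never initialised first,
    // so a request carrying authorized=1 passes the final test without a password.
    if (isset($password) && $password === 'correct-horse') {   // constructed secret
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened form, independent of the ini setting: every variable is initialised
// before use, and input is taken from one named superglobal, so a value sent
// through another channel (query string, cookie) never reaches this check.
function hardened_is_authorized(array $post): bool
{
    $authorized = false;
    $password   = $post['password'] ?? null;
    if (is_string($password) && hash_equals('correct-horse', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests as register_globals would see them: one merged bag of
// parameters, with no record of which source each one came from.
$honest  = ['password' => 'correct-horse'];
$spoofed = ['authorized' => '1'];   // no password supplied at all

var_dump(legacy_is_authorized($honest));
var_dump(legacy_is_authorized($spoofed));
var_dump(hardened_is_authorized($honest));
var_dump(hardened_is_authorized($spoofed));
```

Run with the PHP CLI: the legacy check accepts the spoofed request because a parameter named like its result variable was never initialised locally, while the hardened check rejects it. The same single-source rule addresses the overwriting pattern Stephen describes: when globals are registered from several sources in variables_order, one name from two sources collapses to one value, whereas code that reads `$_POST['password']` explicitly cannot be fed that name through the query string. Turning on E_NOTICE would also flag the uninitialised read in the legacy version, but only on the code path that reaches it, which is the runtime-versus-development-time distinction Zeev draws.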


PHP Development Mailing List <http://www.php.net/>