On Wed, March 30, 2005 6:48 am, Jochem Maas said:
>>> I don't really think that's relevant, however, as PHP is storing $name
>>> back *IN* to my $_SESSION data, just because I did:
>>> $name = $_SESSION['name'];
>>> $name = "Fooey";
>>>
>>> $name is a STRING.
>>>
>>> It's not an object.
>>>
>>> It should *NOT* be a Reference!
>>>
>>> But it is a Reference, so changing $name alters $_SESSION['name']

Perhaps I'm being overly paranoid...

Consider the following, however.

Fact: One should not trust $_GET data, and should scrub it.

Fact: I'm on a shared server.

Fact: By definition, if *my* PHP script can read my session data, so can
*another* user's script on that server.

Thus, I had intended to 'scrub' session data with things like:

<?php
  session_start();
  $name = $_SESSION['name'];
  // keep only letters, space, apostrophe, comma, dot and hyphen;
  // preg_replace() needs the replacement ('') as its second argument
  $name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
  if ($name != $_SESSION['name']){
    // assume they are Bad People.
  }
?>

Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3
making strings into references.

For the short term, I'm trusting session data (but not GET/POST, duh).

I suspect I could do:
$name = '' . $_SESSION['name'];
or somesuch to force the string to not be a reference.

But PHP doesn't *HAVE* strings as references.

I filed a bug report, but sniper's response was pretty much the same
auto-response "register_globals"

OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???

Am I over-reacting?

I don't think so.

It's a nasty little bug that will completely bypass security measures to
scrub SESSION data, as described above.

I haven't really probed into this, to see how far / long the "reference"
nature of the string extends.

Perhaps the preg_replace would create a copy of the string...  Or not.  Or
maybe it would depend on if anything got replaced or not.  Or...

Sorry to reply so late, but I've been a tad busy lately, and just caught
up on PHP-General tonight.  [looks at watch]  Errr, make that this
morning, I guess. :-v

-- 
Like Music?
http://l-i-e.com/artists.htm
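The scrub-and-compare check from the post, written so that it does not depend on copy semantics at all: the cleaned value goes into a fresh variable returned by preg_replace(), and the variable holding the raw session value is never reassigned, so even if that variable were aliased to $_SESSION['name'] the comparison would still be meaningful. This is an added example, not code from the original post; the character class is the one the post uses, the function name and the sample values are assumptions, and the sample values are constructed to stand in for session data on a shared host.

```php
<?php
// Added example: scrub a session value and detect tampering without ever
// writing back into the variable that was copied out of $_SESSION.
declare(strict_types=1);

// Same character class as the post: letters, space, apostrophe, comma, dot, hyphen.
const NAME_ALLOWED = '/[^A-Za-z \',\\.-]/';

/**
 * Returns [$clean, $tampered].
 * $tampered is true when scrubbing removed anything, which the post treats
 * as evidence that someone else on the shared host edited the session store.
 */
function scrubSessionName(string $raw): array
{
    // preg_replace() returns a brand-new string; $raw is only read, never assigned.
    $clean = preg_replace(NAME_ALLOWED, '', $raw);
    if ($clean === null) {
        // PCRE error: fail closed and treat the value as hostile.
        return ['', true];
    }
    return [$clean, $clean !== $raw];
}

// Constructed samples standing in for $_SESSION['name'].
$samples = [
    "Fooey",
    "O'Brien-Smith, Jr.",
    "Fooey<script>alert(1)</script>",
    "Robert'); DROP TABLE users;--",
];

foreach ($samples as $value) {
    [$clean, $tampered] = scrubSessionName($value);
    printf("%-45s -> %-30s tampered=%s\n",
        var_export($value, true),
        var_export($clean, true),
        $tampered ? 'yes' : 'no');
}

// In a real request the call site looks like (assumed usage, not from the post):
//   session_start();
//   [$name, $bad] = scrubSessionName((string) ($_SESSION['name'] ?? ''));
//   if ($bad) { session_destroy(); /* assume they are Bad People */ }
```

The comparison is done against the function's argument rather than against $_SESSION['name'] a second time, so nothing in the check relies on whether assignment from the session array produced a copy or a reference; the post's own idea of forcing a copy with `'' . $_SESSION['name']` is then unnecessary for the check to hold.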
