[PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off

2002-01-18 Thread hholzgra

ID: 15108
Updated by: hholzgra
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Bogus
Bug Type: Feature/Change Request
Operating System: n/a
PHP Version: 4.1.1
New Comment:

> But most importantly, this will be useful.

no it won't, same security consideration as with
the other global registrations




Previous Comments:


[2002-01-18 16:14:25] [EMAIL PROTECTED]

In short, when register_globals = off, server variables would/should
continue to register globally.  Variables such as:

  $PHP_SELF, $DOCUMENT_ROOT, $REMOTE_ADDR, etc.

As currently they do not.  And on a sidenote, the current docs imply
that server variables always exist, regardless of setting.  Some
possible options:

a) Create a new config setting, such as register_server_globals or
register_predefined_globals
b) Make register_globals allow for individual EGPCS settings (default
to S)
c) Make server variables always exist, like track_vars do now.
d) ...

This will help ease the register_globals = off transition as well as
cause a lot less 4.2.0 BROKE PHP!!! emails.  But most importantly,
this will be useful.





Edit this bug report at http://bugs.php.net/?id=15108&edit=1


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off

2002-01-18 Thread Hartmut Holzgraefe

Philip Olson wrote:

> Having php create $DOCUMENT_ROOT and similar is not a security risk.
>
> Please provide an example of what you mean, I do not understand.

different server APIs have different sets of server variables,
so we get into the same situation as with other 'magic'
variables. it's far less risky than global registration of
form input, but still not a good thing


> I believe this feature request is a good one.


IMHO not, as we want to advertise using the new arrays instead of
registered globals, so we shouldn't create exceptions to the rule

esp. your ease of transition argument is bogus, as people will
have to review and adapt their code anyway as soon as register_globals
is off, so why not get rid of all of the globals, why create a special
case for the server ones?



-- 
Hartmut Holzgraefe  [EMAIL PROTECTED]  http://www.six.de  +49-711-99091-77
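
An added example, not part of the original thread and not PHP's own code: it emulates global registration in plain PHP to show one reading of the point about server APIs exposing different sets of server variables. The function `register_as_globals`, the two server API labels and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: emulates PHP 4 global registration, which modern PHP
// no longer has. Every array below is constructed sample data.

/** Register sources as globals in order; later sources overwrite earlier ones. */
function register_as_globals(array $sources): array
{
    $globals = [];
    foreach ($sources as $source) {
        foreach ($source as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// Constructed request whose query string reuses a server-variable name.
$get = ['DOCUMENT_ROOT' => '/tmp/from-query-string', 'page' => 'index'];

// Constructed server arrays for two hypothetical server APIs.
$sapis = [
    'sets DOCUMENT_ROOT'  => ['DOCUMENT_ROOT' => '/var/www/html', 'REMOTE_ADDR' => '192.0.2.10'],
    'omits DOCUMENT_ROOT' => ['REMOTE_ADDR' => '192.0.2.10'],
];

foreach ($sapis as $label => $server) {
    // register_globals = on: request data (G) then server data (S) become globals.
    $all = register_as_globals([$get, $server]);
    // The requested exception: only server data (S) becomes global.
    $serverOnly = register_as_globals([$server]);

    printf(
        "%-20s GS-global=%-25s S-global=%-16s \$_SERVER=%s\n",
        $label,
        var_export($all['DOCUMENT_ROOT'] ?? null, true),
        var_export($serverOnly['DOCUMENT_ROOT'] ?? null, true),
        var_export($server['DOCUMENT_ROOT'] ?? null, true)
    );
}
```

On the server API that omits the variable, the plain global under full registration holds the query-string value, while with server-only registration it is simply unset. The array lookup behaves the same on both and makes the missing value explicit.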








[PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off

2002-01-18 Thread philip

ID: 15108
Updated by: philip
Reported By: [EMAIL PROTECTED]
Old Status: Bogus
Status: Feedback
Bug Type: Feature/Change Request
Operating System: n/a
Old PHP Version: 4.1.1
PHP Version: 4.2.0
New Comment:

After some searching, came across an important thread that my brain
never saw.  The proposal on the issue of register_globals and the big
change:

  http://marc.theaimsgroup.com/?l=php-dev&m=99638397319055

Which includes some great information.  Including import_globals(),
which in short, my concern is solved by: import_globals('S').  This
next thread (very long) is very related too, which existed before the
above proposal:

  http://marc.theaimsgroup.com/?l=php-dev&m=99600275103594

It all sounds good.

But :)  Throughout the history of the manual, it's been *implied* that
predefined server variables are registered globally.  This will
obviously change (see #14472) but point is, this is a potential
problem.  Is this worth doing anything else about?  Like, defaulting
PHP with 'S' (or ES) for a release or two?  Or, would that just add
unneeded confusion?


