[PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off
ID: 15108
Updated by: hholzgra
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Bogus
Bug Type: Feature/Change Request
Operating System: n/a
PHP Version: 4.1.1

New Comment:

> But most importantly, this will be useful.

no it won't, same security consideration as with the other global registrations

Previous Comments:

[2002-01-18 16:14:25] [EMAIL PROTECTED]

In short, when register_globals = off, server variables would/should continue to register globally. Variables such as: $PHP_SELF, $DOCUMENT_ROOT, $REMOTE_ADDR, etc. As currently they do not. And on a sidenote, the current docs imply that server variables always exist, regardless of setting.

Some possible options:

a) Create a new config setting, such as register_server_globals or register_predefined_globals
b) Make register_globals allow for individual EGPCS settings (default to S)
c) Make server variables always exist, like track_vars do now.
d) ...

This will help ease the register_globals = off transition as well as cause a lot less 4.2.0 BROKE PHP!!! emails. But most importantly, this will be useful.

Edit this bug report at http://bugs.php.net/?id=15108edit=1

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off
Philip Olson wrote:

> Having php create $DOCUMENT_ROOT and similar is not a security risk. Please provide an example of what you mean, I do not understand.

different server APIs have different sets of server variables, so we get into the same situation as with other 'magic' variables.

it's far less risky than global registration of form input, but still not a good thing

> I believe this feature request is a good one.

IMHO not, as we want to advertise using the new arrays instead of registered globals, so we shouldn't create exceptions to the rule

esp. your ease of transition argument is bogus, as people will have to review and adapt their code anyway as soon as register_globals is off, so why not get rid of all of the globals, why create a special case for the server ones?

--
Hartmut Holzgraefe [EMAIL PROTECTED] http://www.six.de +49-711-99091-77
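
An added illustration, not part of the thread and not PHP's own code: how registration in EGPCS order behaves when one server API supplies `$DOCUMENT_ROOT` and another does not, next to reading the value from the server array. The `register()` and `document_root()` helpers and all sample values are constructed for this sketch; `register_globals` itself is only emulated.

```php
<?php
// Emulation only: register() is a hypothetical helper that copies the chosen
// sources into one array in the given order, so a later source overwrites an
// earlier one (E, G, P, C, S = environment, GET, POST, cookie, server).
function register(string $order, array $sources): array
{
    $globals = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// Constructed sample data: the same request seen through two server APIs.
$request = ['G' => ['DOCUMENT_ROOT' => '/tmp/from-query-string', 'page' => 'home']];
$sapiA = $request + ['S' => ['DOCUMENT_ROOT' => '/var/www/html', 'REMOTE_ADDR' => '192.0.2.10']];
$sapiB = $request + ['S' => ['REMOTE_ADDR' => '192.0.2.10']]; // no DOCUMENT_ROOT here

// All sources registered: the server value wins only where the SAPI sets it.
$a = register('EGPCS', $sapiA);
$b = register('EGPCS', $sapiB);
echo 'EGPCS, SAPI A: ', $a['DOCUMENT_ROOT'], "\n"; // value came from the server
echo 'EGPCS, SAPI B: ', $b['DOCUMENT_ROOT'], "\n"; // same name, value came from the request

// Only 'S' registered: no request data leaks in, but under SAPI B the
// variable does not exist at all, so code relying on it is not portable.
$s = register('S', $sapiB);
echo "'S' only, SAPI B: ", isset($s['DOCUMENT_ROOT']) ? 'set' : 'not set', "\n";

// Reading the server array names the source and makes absence explicit.
function document_root(array $server): string
{
    if (!isset($server['DOCUMENT_ROOT']) || $server['DOCUMENT_ROOT'] === '') {
        throw new RuntimeException('DOCUMENT_ROOT not provided by this server API');
    }
    return $server['DOCUMENT_ROOT'];
}

echo 'Server array, SAPI A: ', document_root($sapiA['S']), "\n";
try {
    document_root($sapiB['S']);
} catch (RuntimeException $e) {
    echo 'Server array, SAPI B: ', $e->getMessage(), "\n";
}
```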
[PHP-DEV] Bug #15108 Updated: Server variables to exist globally w/ register_globals = off
ID: 15108
Updated by: philip
Reported By: [EMAIL PROTECTED]
Old Status: Bogus
Status: Feedback
Bug Type: Feature/Change Request
Operating System: n/a
Old PHP Version: 4.1.1
PHP Version: 4.2.0

New Comment:

After some searching, came across an important thread that my brain never saw. The proposal on the issue of register_globals and the big change:

http://marc.theaimsgroup.com/?l=php-devm=99638397319055

Which includes some great information. Including import_globals(), which in short, my concern is solved by: import_globals('S'). This next thread (very long) is very related too, which existed before the above proposal:

http://marc.theaimsgroup.com/?l=php-devm=99600275103594

It all sounds good. But :) Throughout the history of the manual, it's been *implied* that predefined server variables are registered globally. This will obviously change (see #14472) but point is, this is a potential problem. Is this worth doing anything else about? Like, defaulting PHP with 'S' (or ES) for a release or two? Or, would that just add unneeded confusion.

Previous Comments:

[2002-01-18 16:52:14] [EMAIL PROTECTED]

> But most importantly, this will be useful.

no it won't, same security consideration as with the other global registrations

[2002-01-18 16:14:25] [EMAIL PROTECTED]

In short, when register_globals = off, server variables would/should continue to register globally. Variables such as: $PHP_SELF, $DOCUMENT_ROOT, $REMOTE_ADDR, etc. As currently they do not. And on a sidenote, the current docs imply that server variables always exist, regardless of setting.

Some possible options:

a) Create a new config setting, such as register_server_globals or register_predefined_globals
b) Make register_globals allow for individual EGPCS settings (default to S)
c) Make server variables always exist, like track_vars do now.
d) ...

This will help ease the register_globals = off transition as well as cause a lot less 4.2.0 BROKE PHP!!! emails. But most importantly, this will be useful.