Bug #21015 phpweb isn't register_globals safe
Submitted: 2002-12-14 12:31 UTC Modified: 2007-01-02 15:57 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: toni dot viemero at iki dot fi Assigned: goba (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
 [2002-12-14 12:31 UTC] toni dot viemero at iki dot fi
At least the following documents give errors when running phpweb with register_globals off:
include/site.inc
downloads.php
error/index.php

$REMOTE_HOST, $DOCUMENT_ROOT, $SERVER_NAME etc. should be replaced with $_SERVER["..."] etc.
Or change mirroring.php to indicate this for future mirrors ("php_value register_globals on" in virtualhost config).

Surfing phpweb with error_reporting(E_ALL) errors too like this one: Use of undefined constant NO_BASE - assumed 'NO_BASE' in search.php on line 15.

IMHO PHP.net website should represent itself as somehow working example of "error-free" (as in site works perfectly without needing to go backwards compatible from present php.ini default values) php coding :)

 [2002-12-14 12:43 UTC] goba@php.net
You are somewhat right. But as you see search.php for example, it is not ideal to replace all uses of $pattern with $_REQUEST['pattern']. It is more ideal to first assign the $pattern variable the value of $_REQUEST['pattern'].

I am on updating the pages, and this will probably be done on a page per page basis. Today's focus was a rewrite of the search page, which is now more logical. This rewrite also helped to start some other things, like the new code in prepend.inc to make those shorthand arrays accessible even on mirror sites with PHP version < 4.1.0.

The setting you request to include on mirroring.php is of course there since some time now, but regardless of that I am at least a bit motivated to make the php.net scripts nice and register_globals = off friendly, but it's not a quick process to do that...

BTW I have fixed the undefined constant problem on search.php it was just there today in my new code...

=> intentionally leaving this bug open, so we won't forget about it ;)
 [2002-12-14 13:40 UTC] goba@php.net
I have added two functions to prepend.inc to support register_globals = off setups. Those can / will be used to enhance scripts in phpweb...
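
The approach described in the two comments above (read each value once from `$_REQUEST` or `$_SERVER` into a local variable instead of relying on register_globals), shown as an added example that is not phpweb's code. The helper names `request_var` and `server_var` are hypothetical and are not the functions added to prepend.inc; the request data is constructed sample input.

```php
<?php
// Added illustration; not code from phpweb. Helper names are hypothetical.

// Return a request parameter as a string, or $default when it is absent
// or not a scalar (a parameter sent as pattern[] would arrive as an array).
function request_var(string $name, string $default = ''): string
{
    if (!isset($_REQUEST[$name]) || !is_scalar($_REQUEST[$name])) {
        return $default;
    }
    return (string) $_REQUEST[$name];
}

// Return a server variable from $_SERVER instead of a global such as
// $SERVER_NAME, which only exists when register_globals is on.
function server_var(string $name, string $default = ''): string
{
    return isset($_SERVER[$name]) && is_string($_SERVER[$name])
        ? $_SERVER[$name]
        : $default;
}

// Constructed sample input standing in for a real request.
$_REQUEST = ['pattern' => 'str_replace', 'is_admin' => '1'];
$_SERVER['SERVER_NAME'] = 'mirror.example.org';

// Import once, explicitly; the rest of the script uses the locals.
$pattern     = request_var('pattern');
$server_name = server_var('SERVER_NAME');

// Initialise every flag before use, so its value never depends on
// whether a request parameter of the same name was registered as a global.
$is_admin = false;

// Escape on output; the imported values are still untrusted input.
printf(
    "search for %s on %s (admin: %s)\n",
    htmlspecialchars($pattern, ENT_QUOTES),
    htmlspecialchars($server_name, ENT_QUOTES),
    $is_admin ? 'yes' : 'no'
);
```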
 [2003-01-02 15:28 UTC] goba@php.net
I am on this. But it is a slow process...
 [2003-08-09 12:10 UTC] goba@php.net
I was working on this stuff the last days, and I am getting confident that there are very few pages left (if any) which depend on register_globals. It would be nice if you would be able to check and report on it ;)
 [2003-08-11 05:01 UTC] toni dot viemero at iki dot fi
I removed register_globals from Apache config and everything seemed to work ok.
Closing bug.
 [2003-08-16 07:48 UTC] goba@php.net
I have fixed the search page and cal.php to not depend on register_globals, but there may still be very few places where register globals is used. I don't know of any currently though.
 [2006-02-20 23:37 UTC] ludvig dot ericson at gmail dot com
Oh the irony of saying "register_globals is almost gone" when the page you're posting stuff on is actually using register_globals :)
 [2007-01-02 15:57 UTC] bjori@php.net
This bug has been fixed in CVS. Since the websites are not directly
updated from the CVS server, the fix might need some time to spread
across the globe to all mirror sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

Removed register_globals from our mirroring guidelines as 
it isn't needed anymore (and hasn't for a while now).
 
Last updated: Fri Dec 27 02:01:29 2024 UTC