PHP :: Bug #21149 :: array assignment and HTTP_*

Bug #21149

array assignment and HTTP_*_VARS

Submitted:

2002-12-22 17:04 UTC

Modified:

2002-12-29 15:02 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

tharbad at kaotik dot org

Assigned:

iliaa (profile)

Status:

Closed

Package:

Variables related

PHP Version:

4.3.0-dev/4.4.0-dev

OS:

All

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	tharbad at kaotik dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-12-22 17:04 UTC] tharbad at kaotik dot org

While doing a security audit on a PHP web app, I was able to bypass a variable check wich later allowed me to remotely execute commands on the web server. Although this was a programming error, I found it very odd the behaviour from PHP.
Consider the following code as an example:

<?
if ( isset($HTTP_GET_VARS['test']) ||
        isset($HTTP_POST_VARS['test']) ||
        isset($HTTP_COOKIE_VARS['test']) ) {
                echo "not allowed\r\n";
                exit;
}
else echo "test not defined, proceed\r\n";

echo "<pre>";
echo "test HTTP_GET_VARS: ".$HTTP_GET_VARS['test'];
echo "\r\n";
echo "var test: $test\r\n";
echo "\r\n";
?>

Having this, and requesting the page as:
ola.php?test[=

The output will be:

test not defined in HTTP_*_VARS
test HTTP_GET_VARS: 
var test: Array

So, 'test' is an array, but appears as no set in HTTP_*_VARS.

Regards,

Joao Gouveia
------------
tharbad@kaotik.org

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-12-23 18:50 UTC] iliaa@php.net

Updated description.

[2002-12-29 15:02 UTC] iliaa@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 23:00:01 2025 UTC