PHP :: Bug #27432 :: superglobals overwriting security issue

Bug #27432	superglobals overwriting security issue
Submitted:	2004-02-28 20:12 UTC	Modified:	2004-02-29 03:23 UTC
From:	nobodx at fr dot fm	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.3.4	OS:	win2k
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	nobodx at fr dot fm
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-02-28 20:12 UTC] nobodx at fr dot fm

Description:
------------
When register_globals=Off, people (who have no other choice) would like to use the function import_request_variables().

But this function CAN overwrite the superglobals variables like $_SERVER... and so users can define variables supposed to be "protected".

Reproduce code:
---------------
<?
import_request_variables("g");
echo $_SERVER["REMOTE_ADDR"];
?>

File must be called with ?_SERVER[REMOTE_ADDR]=123

Expected result:
----------------
Expected to see my IP, not "123".

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-02-29 03:23 UTC] derick@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

,

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Dec 04 13:00:01 2025 UTC