[2001-12-11 08:55 UTC] philhassey at hotmail dot com
//I did this:
function test()
{
$a=array("GLOBALS"=>"nothing");
extract($a);
var_dump($GLOBALS);
}
test();
// The script will overwrite the $GLOBALS variable
// I did not want it to overwrite the $GLOBALS variable
// Then in the global scope, I did this:
$a=array("GLOBALS"=>"nothing");
extract($a);
var_dump($GLOBALS);
//The script did not overwrite the $GLOBALS variable.
// It did what I wanted it to do.
Allowing the extract function to overwrite global variables within a function can lead to serious security holes, particularly if URL parameters are passed into a function that extracts them. (And then if my function still expects GLOBALS to be legit, it could be passed false information.)
I suggest making extract unable to overwrite any global variables within a function ($GLOBALS, and any variables declared global $x, etc.). As a second measure, it might be good to make extract more conservative in general by defaulting to EXTR_SKIP instead of EXTR_OVERWRITE.
I can, of course, fix my own code for the time being to avoid this problem by using extract($params,EXTR_SKIP); however, I think fixing the problem for PHP as a whole would help others as well.
Thank you. Keep up the excellent work!
Phil
Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Nov 01 16:00:01 2025 UTC
Similarly, this bug is also found in class methods.
class a
{
    function test()
    {
        $a=array("this"=>"nothing","GLOBALS"=>"nothing");
        extract($a);
        var_dump($this);
        var_dump($GLOBALS);
    }
}
$a=new a();
$a->test();
// Both this and GLOBALS are overwritten by extract.
// I would have hoped that would not have happened.
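One way to combine the EXTR_SKIP workaround mentioned in the report with a key allowlist, so that names such as GLOBALS or this never reach extract() when URL parameters are imported inside a function. This is an added example, not code from the report or from PHP itself; filter_params(), render_profile() and the sample $query array are hypothetical and constructed for illustration.

```php
<?php
// Added example; filter_params() and render_profile() are hypothetical names.

/**
 * Keep only the keys the caller explicitly expects. Anything else
 * (GLOBALS, this, or any other attacker-chosen name) is dropped
 * before extract() ever sees it.
 */
function filter_params(array $params, array $allowed): array
{
    $reserved = ['GLOBALS', 'this'];   // the two names overwritten in the report
    $clean = [];
    foreach ($allowed as $name) {
        if (in_array($name, $reserved, true)) {
            throw new InvalidArgumentException("reserved name in allowlist: $name");
        }
        // Accept scalars only, so nested arrays cannot be smuggled in.
        if (array_key_exists($name, $params) && is_scalar($params[$name])) {
            $clean[$name] = $params[$name];
        }
    }
    return $clean;
}

function render_profile(array $params): string
{
    $is_admin = false;   // local state that request data must not overwrite

    // 'is_admin' is allowlisted on purpose to show the second layer:
    // EXTR_SKIP leaves any variable that already exists in this scope untouched.
    $imported = extract(filter_params($params, ['user', 'page', 'is_admin']), EXTR_SKIP);

    $user = $user ?? 'anonymous';
    $page = (int) ($page ?? 1);
    return sprintf('user=%s page=%d admin=%s imported=%d',
        $user, $page, $is_admin ? 'yes' : 'no', $imported);
}

// Constructed input standing in for URL parameters such as $_GET.
$query = [
    'user' => 'phil', 'page' => '2',
    'GLOBALS' => 'nothing', 'this' => 'nothing', 'is_admin' => '1',
];
echo render_profile($query), "\n";
```

extract() has to be called in the scope that should receive the variables, which is why only the filtering step is factored out into a helper.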