PHP :: Bug #27432 :: superglobals overwriting security issue

Bug #27432	superglobals overwriting security issue
Submitted:	2004-02-28 20:12 UTC	Modified:	2004-02-29 03:23 UTC
From:	nobodx at fr dot fm	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.3.4	OS:	win2k
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nobodx at fr dot fm
New email:
PHP Version:		OS:

New Comment:

[2004-02-28 20:12 UTC] nobodx at fr dot fm

Description:
------------
When register_globals=Off, people (who have no other choice) would like to use the function import_request_variables().

But this function CAN overwrite the superglobals variables like $_SERVER... and so users can define variables supposed to be "protected".

Reproduce code:
---------------
<?
import_request_variables("g");
echo $_SERVER["REMOTE_ADDR"];
?>

File must be called with ?_SERVER[REMOTE_ADDR]=123

Expected result:
----------------
Expected to see my IP, not "123".

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-02-29 03:23 UTC] derick@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

,

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 17:01:28 2025 UTC