Bug #6660 PHP magic variables can be overridden by GPC variables
Submitted: 2000-09-11 20:12 UTC
Modified: 2000-09-12 00:26 UTC
From: jon+php-dev at unequivocal dot co dot uk
Assigned:
Status: Closed
Package: *General Issues
PHP Version: 4.0 Latest CVS (11/09/2000)
OS: N/A
Private report: No
CVE-ID: None

 [2000-09-11 20:12 UTC] jon+php-dev at unequivocal dot co dot uk
This is a potential security issue.

If register_globals is on, then PHP magic variables (HTTP_GET_VARS, HTTP_POST_VARS, etc) can be faked by remote web users. This is particularly important in the case of HTTP_ENV_VARS and HTTP_POST_FILES, which the script author may expect to come from a local source.

e.g.

http://www.example.com/example.php?HTTP_POST_FILES[file]=/etc/passwd

All the variables in http://www.php.net/manual/language.variables.predefined.php should be protected from being set by GPC variables, presumably in php_register_variables_ex. (Some variables cannot be overridden because they are set later to the correct values, but this is not good to rely on.)

(Yes, I know you have added 'is_uploaded_files'. I think this should be fixed anyway.)
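
An added example, not part of the report and not PHP's source code: a simplified C model of the check the report proposes, refusing to register a request parameter whose base name is one of PHP's predefined arrays. The helper name `gpc_name_allowed` and the deny-list are assumptions made for illustration; the name normalisation follows PHP's documented conversion of dots and spaces in incoming variable names to underscores.

```c
#include <stdio.h>
#include <string.h>

/* Constructed deny-list: the array names from the report plus other PHP 4
 * predefined arrays. Illustrative only, not PHP's internal table. */
static const char *const protected_names[] = {
    "GLOBALS", "HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_COOKIE_VARS",
    "HTTP_SERVER_VARS", "HTTP_ENV_VARS", "HTTP_POST_FILES",
};

/* Hypothetical helper: return 1 if a request parameter name may become a
 * global variable, 0 if it must be dropped. */
int gpc_name_allowed(const char *name)
{
    char base[64];
    size_t len, i;

    while (*name == ' ')            /* leading spaces are not part of the name */
        name++;
    len = strcspn(name, "[");       /* "HTTP_POST_FILES[file]" -> "HTTP_POST_FILES" */
    if (len == 0 || len >= sizeof base)
        return 0;                   /* empty or oversized base name: fail closed */
    for (i = 0; i < len; i++)       /* PHP turns '.' and ' ' into '_' in names, */
        base[i] = (name[i] == '.' || name[i] == ' ') ? '_' : name[i];
    base[len] = '\0';               /* so compare the normalised form */

    for (i = 0; i < sizeof protected_names / sizeof protected_names[0]; i++)
        if (strcmp(base, protected_names[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed parameter names, including the one from the report. */
    const char *samples[] = { "HTTP_POST_FILES[file]", "HTTP.ENV.VARS[PATH]",
                              "username", "files[0]" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               gpc_name_allowed(samples[i]) ? "register" : "drop");
    return 0;
}
```

The comparison is made on the base name after normalisation, so array-style parameters and names that only become a protected name once PHP rewrites them are both dropped.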

 [2000-09-11 21:29 UTC] jon+php-dev at unequivocal dot co dot uk
Hmm, actually, 4.0.3RC1 seems to improve this. I am not sure what has changed though, so I can't check for sure.
 [2000-09-12 00:26 UTC] rasmus@php.net
Fixed for 4.0.3
 