Doc Bug #71686 parse_str() should have a warning about using it with untrusted data
Submitted: 2016-02-29 01:41 UTC Modified: 2017-01-28 13:29 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: aaronw at catalyst dot net dot nz
Assigned: cmb
Status: Closed
Package: Strings related
PHP Version: 5.5.32
OS: (not specified)
Private report: No
CVE-ID: None
 [2016-02-29 01:41 UTC] aaronw at catalyst dot net dot nz
Description:
------------
The one-parameter version of parse_str() populates variables in the current scope, the same as register_globals or extract(). So like those, if it's used with user-supplied data then it is prone to bugs and security vulnerabilities where users can override global variables and other uninitialized variables.

But unlike register_globals and extract(), there is no warning on the parse_str() manual page about using it with untrusted/user-supplied data. Quite the opposite, there's a note telling you how to use it with $_SERVER['QUERY_STRING'].

So it would be better for new developers if there were a big pink "Warning" note on the page, much like the ones on the extract() page. It should advise users to instead use the two-parameter version, which extracts the values into an array instead of into variables.


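The scope-clobbering the report describes, shown as an added example that is not part of the bug report or of PHP's own code. It puts a vulnerable handler that uses the one-parameter form next to a hardened one that uses the two-parameter form; the function names, the `$is_admin` variable and the query string are all constructed for this illustration. The one-parameter form was deprecated in PHP 7.2 and removed in PHP 8.0, where calling parse_str() with a single argument throws ArgumentCountError, so the vulnerable variant is only executed on older interpreters.

```php
<?php
// Added example, not from the bug report or from php-src.
// Shows why one-parameter parse_str() is unsafe with untrusted data and
// what the two-parameter form does instead. Names are invented.

declare(strict_types=1);

// VULNERABLE: parse_str($query) writes every key of the query string into
// the current scope, just like register_globals/extract(). An attacker who
// controls the query string can therefore overwrite $is_admin.
// Deprecated in 7.2; on PHP 8.0+ this call throws ArgumentCountError.
function vulnerableHandler(string $query): bool
{
    $is_admin = false;       // the intended, safe default
    parse_str($query);       // untrusted input clobbers $is_admin
    return (bool) $is_admin;
}

// HARDENED: the second argument receives the parsed pairs as an array.
// Nothing in the current scope is touched, and the code reads only the
// keys it expects (an allowlist), so a stray is_admin=1 is simply ignored.
function hardenedHandler(string $query): array
{
    $is_admin = false;
    parse_str($query, $params);

    $allowedPages = ['home', 'search', 'help'];
    $page = $params['page'] ?? 'home';
    if (!is_string($page) || !in_array($page, $allowedPages, true)) {
        $page = 'home';
    }

    return ['page' => $page, 'is_admin' => $is_admin];
}

// Constructed attacker-supplied query string.
$attack = 'page=home&is_admin=1';

if (PHP_VERSION_ID < 80000) {
    // On PHP < 8.0 this reports admin=1: the default was overridden.
    printf("vulnerable: admin=%d\n", vulnerableHandler($attack));
} else {
    echo "vulnerable variant skipped: parse_str() requires two arguments on PHP 8+\n";
}

$result = hardenedHandler($attack);
// Always reports admin=0 page=home: the extra key never reaches a variable.
printf("hardened:   admin=%d page=%s\n", $result['is_admin'], $result['page']);
```

Note that for the request's own query string there is rarely a reason to call parse_str() at all: PHP has already parsed `$_SERVER['QUERY_STRING']` into `$_GET`. The two-parameter form is the right tool when the query string comes from somewhere else, for example the `query` component returned by parse_url() for a URL stored in a database.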
History

 [2016-03-30 20:06 UTC] bshafs at gmail dot com
This is a good start. I would also love to have a way (in php.ini) to turn off the ability for this function to write variables in the current scope, as this behavior makes the function insecure.
 [2017-01-28 13:29 UTC] cmb@php.net
-Status: Open +Status: Closed -Package: Documentation problem +Package: Strings related -Assigned To: +Assigned To: cmb
 [2017-01-28 13:29 UTC] cmb@php.net
> So it would be better for new developers if there were a big
> pink "Warning" note on the page, […]

Fixed with <http://svn.php.net/viewvc?view=revision&revision=341059>.

> I would also love to have a way (in php.ini) to turn off the
> ability for this function to write variables in the current
> scope, […]

There is currently a vote in progress to deprecate and to later
remove parse_str() without second argument, see
<https://wiki.php.net/rfc/deprecations_php_7_2#parse_str_without_second_argument>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC