[1998-10-21 14:18 UTC] explorer at flame dot org
When using Basic auth, Apache sets envar(REMOTE_USER) to the name authenticated to. However, using a query like http://foo.com/path/?REMOTE_USER=foo will cause the initial value of $REMOTE_USER to be changed to foo in the php script. It seems to me that Apache vars should be read-only. That is, read only while in the query string parsing code. I should be able to set these in php scripts, if I wanted to, but I shouldn't be able to override ($HOME for instance) these. Your documentation says that envars become php3 vars. That these can be trivially overwritten should at the least be mentioned there, if this (imho) bug isn't fixed.

--Michael
Not really a bug. One of the wishlist items for 3.1 is to include env vars in the gpc_order mechanism. For now, the obvious workaround is to do a $REMOTE_USER = getenv("REMOTE_USER"); to make sure you get the correct version. Or, alternatively, turn off PHP's automatic variable creation by setting gpc_order to an empty string.
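
An added example, not part of the original report or reply: a Python scan of web server access-log lines for query parameters whose names collide with server-set environment variables, which is the override the report describes. The log lines are constructed, and the PROTECTED watch list and function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed watch list: standard CGI/server variable names, plus HOME and PATH.
PROTECTED = {
    "REMOTE_USER", "REMOTE_ADDR", "REMOTE_HOST", "REMOTE_IDENT", "AUTH_TYPE",
    "DOCUMENT_ROOT", "SCRIPT_FILENAME", "SCRIPT_NAME", "SERVER_NAME",
    "PATH_INFO", "PATH_TRANSLATED", "HOME", "PATH",
}

# Request line of a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def colliding_params(target):
    """Return the sorted protected names used as query parameters in target."""
    names = set()
    # parse_qsl percent-decodes names, so REMOTE%5FUSER is seen as REMOTE_USER.
    for key, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = key.split("[", 1)[0]  # NAME[] and NAME[k] populate the same variable
        if base in PROTECTED:  # exact match: PHP variable names are case-sensitive
            names.add(base)
    return sorted(names)


def scan(lines):
    """Return (line_number, client, names) for every log line with a collision."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a parsable request line
        names = colliding_params(match.group("target"))
        if names:
            hits.append((number, line.split(" ", 1)[0], names))
    return hits


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - alice [21/Oct/1998:14:18:00 +0000] "GET /path/?page=2 HTTP/1.0" 200 512',
    '198.51.100.7 - - [21/Oct/1998:14:18:05 +0000] "GET /path/?REMOTE_USER=foo HTTP/1.0" 200 512',
    '198.51.100.7 - - [21/Oct/1998:14:18:09 +0000] "GET /path/?id=1&REMOTE%5FUSER=foo&HOME=/tmp HTTP/1.0" 200 512',
    '192.0.2.10 - alice [21/Oct/1998:14:19:00 +0000] "GET /path/?remote_user_note=x HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit shows only that a request supplied a colliding name; whether the script's variable was actually overwritten depends on the gpc_order setting and on whether the script re-reads the value with getenv().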