php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14425 extract() can overwrite $GLOBALS within a function context
Submitted: 2001-12-11 08:55 UTC Modified: 2001-12-12 10:54 UTC
From: philhassey at hotmail dot com Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.0.6 OS: Linux (Mandrake 8.1)
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: philhassey at hotmail dot com
New email:
PHP Version: OS:

 

 [2001-12-11 08:55 UTC] philhassey at hotmail dot com
//I did this:
function test()
{ 
$a=array("GLOBALS"=>"nothing");
extract($a);
var_dump($GLOBALS);
}
test();
// The script will overwrite the $GLOBALS variable
// I did not want it to overwrite the $GLOBALS variable

// Then in the global scope, I did this:$a=array("GLOBALS"=>"nothing");
extract($a);
var_dump($GLOBALS);
//The script did not overwrite the $GLOBALS variable.
// It did what I wanted it to do.

By allowing the extract function to overwrite global variables within a function can lead to serious security holes.  Particularily if URL parameters are passed into a function that extracts them.  (And then if my function still expects GLOBALS to be legit, it could be passed false information.)

I suggest making extract unable to overwrite any global variables within a function.  ($GLOBALS, and any variables declared global $x, etc..) As a second measure it might be good to make extract more conservative in general by defaulting to EXTR_SKIP instead of EXTR_OVERWRITE

I can, of course, fix my own code for the time being to avoid this problem by using extract($params,EXTR_SKIP); However I think fixing the problem for PHP as a whole would help others as well.

Thank you.  Keep up the excellent work!
Phil

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-11 09:22 UTC] philhassey at hotmail dot com
Similarily, this bug is also found in class methods.

class a
{ 
function test()
{
$a=array("this"=>"nothing","GLOBALS"=>"nothing");
extract($a);
var_dump($this);
var_dump($GLOBALS);
}
}
$a=new a();
$a->test();

// Both this and GLOBALS are overwritten by extract.
// I would have hoped that would not have happened.


 [2001-12-12 10:54 UTC] sniper@php.net
RTFM:

http://www.php.net/manual/en/function.extract.php

"If extract_type is not specified, it is assumed to be EXTR_OVERWRITE. "

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 09 16:01:29 2024 UTC