PHP :: Bug #24 :: PHO allowing the overwriting of environment variables

Bug #24	PHO allowing the overwriting of environment variables
Submitted:	1998-01-30 13:39 UTC	Modified:	1998-01-30 20:54 UTC
From:	alden at math dot ohio-state dot edu	Assigned:
Status:	Closed	Package:	Other
PHP Version:	3.0 Latest CVS	OS:	Solaris 2.6
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[1998-01-30 13:39 UTC] alden at math dot ohio-state dot edu

Hi,
  According to the php 2.0 doc's (I am using 3.0) PHP isn't
supposed to allow the overwriting of environment variables
by adding "?REMOTE_HOST=some.bogus.host".  I have the
following file "test.php3" in my doc root:

<html><head><title>test</title></head><body>
<?echo "remote_host=$REMOTE_HOST";?>
</body></html>

And then I pointed netscape at:

http://my.machine.edu/test.php3?REMOTE_HOST=some.bogus.host

And it returned:

remote_host=some.bogus.host

Am I missing something?

On a similar topic, I need to get at the REMOTE_USER environment
variable without the user being able to change this.  I use
the .htaccess method of authentication, but I need to know
the username of the remote user.  In my old perl scripts I
just checked REMOTE_USER, but PHP seems to allow the user
to overwrite this.

...thnx,
...dave alden

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[1998-01-30 20:54 UTC] zeev

Fixed.
Environment variables will now overwrite any GET/POST/Cookie
variable.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Mon Oct 02 08:01:24 2023 UTC