php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #24 PHO allowing the overwriting of environment variables
Submitted: 1998-01-30 13:39 UTC Modified: 1998-01-30 20:54 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: alden at math dot ohio-state dot edu Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Latest CVS OS: Solaris 2.6
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: alden at math dot ohio-state dot edu
New email:
PHP Version: OS:

 

 [1998-01-30 13:39 UTC] alden at math dot ohio-state dot edu
Hi,
  According to the php 2.0 doc's (I am using 3.0) PHP isn't
supposed to allow the overwriting of environment variables
by adding "?REMOTE_HOST=some.bogus.host".  I have the
following file "test.php3" in my doc root:

<html><head><title>test</title></head><body>
<?echo "remote_host=$REMOTE_HOST";?>
</body></html>

And then I pointed netscape at:

http://my.machine.edu/test.php3?REMOTE_HOST=some.bogus.host

And it returned:

remote_host=some.bogus.host

Am I missing something?

On a similar topic, I need to get at the REMOTE_USER environment
variable without the user being able to change this.  I use
the .htaccess method of authentication, but I need to know
the username of the remote user.  In my old perl scripts I
just checked REMOTE_USER, but PHP seems to allow the user
to overwrite this.

...thnx,
...dave alden

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [1998-01-30 20:54 UTC] zeev
Fixed.
Environment variables will now overwrite any GET/POST/Cookie
variable.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 02 21:01:30 2024 UTC