php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #24 PHO allowing the overwriting of environment variables
Submitted: 1998-01-30 13:39 UTC Modified: 1998-01-30 20:54 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: alden at math dot ohio-state dot edu Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Latest CVS OS: Solaris 2.6
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: alden at math dot ohio-state dot edu
New email:
PHP Version: OS:

 

 [1998-01-30 13:39 UTC] alden at math dot ohio-state dot edu 
Hi,
  According to the php 2.0 doc's (I am using 3.0) PHP isn't
supposed to allow the overwriting of environment variables
by adding "?REMOTE_HOST=some.bogus.host".  I have the
following file "test.php3" in my doc root:

<html><head><title>test</title></head><body>
<?echo "remote_host=$REMOTE_HOST";?>
</body></html>

And then I pointed netscape at:

http://my.machine.edu/test.php3?REMOTE_HOST=some.bogus.host

And it returned:

remote_host=some.bogus.host

Am I missing something?

On a similar topic, I need to get at the REMOTE_USER environment
variable without the user being able to change this.  I use
the .htaccess method of authentication, but I need to know
the username of the remote user.  In my old perl scripts I
just checked REMOTE_USER, but PHP seems to allow the user
to overwrite this.

...thnx,
...dave alden

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [1998-01-30 20:54 UTC] zeev 
Fixed.
Environment variables will now overwrite any GET/POST/Cookie
variable.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 18:01:28 2024 UTC