Request #24732 cannot read array elements received via $_REQUEST
Submitted: 2003-07-20 17:25 UTC Modified: 2011-01-01 20:59 UTC
Votes:4
Avg. Score:2.5 ± 1.5
Reproduced:2 of 4 (50.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: nightcat at poczta dot onet dot pl Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 5.0.0b1 (beta1) OS: *
Private report: No CVE-ID: None
 [2003-07-20 17:25 UTC] nightcat at poczta dot onet dot pl
Description:
------------
Basically, everyone who creates a CMS at some point wants to add modules, or any other type of space for additional code.
But we also want this code to be signed as "untrusted", because we _are_ afraid of this code (we don't know it).

It would be really great to be able to lock some things for included code. I don't have any clear vision of this, but I'll try to paste an example of my intention.

Reproduce code:
---------------
// Proposed API, not functions that exist in PHP: make the named variables read-only
// and the named functions uncallable for the duration of the untrusted include.
lock_variables($db->password, $accountPassword);
block_functions('mail', 'fopen', 'file');
include_once('module.inc');
unblock_functions('mail', 'fopen', 'file');
unlock_variables($db->password, $accountPassword);

Expected result:
----------------
It's only an idea.
I'd expect that from inside this include (and any recursive ones) there won't be any possibility to use those functions or modify those variables.

Secondly, it would be really _great_ if functions called from inside the include could use everything normally. E.g. there won't be any way to modify the DB password (which is a property of object $db), but calling $db->connect would work normally (if it's not blocked by block_functions()).

Actual result:
--------------
There is really no way in PHP4 to prevent some untrusted parts from doing what they want with the whole CMS. In PHP5 I can do it, but in a very tricky and dirty way.

 [2003-08-09 15:10 UTC] dpenning at s0nix dot de
You can scan the file using the tokenizer and decide yourself if it is secure.
 [2003-08-11 09:05 UTC] nightcat at poczta dot onet dot pl
It's not a solution. As I said, there is no secure way to do it while being on the same level as the "controlled" script. And what if an unsecure function is hidden inside a string (ROTted or otherwise mixed) and evaled?

I really believe that a way to make some areas "unsecure" from inside the PHP core would be much better.
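As an added illustration of the tokenizer suggestion above and of the objection to it (callees hidden in strings or chosen at runtime), the following PHP is not code from this bug report; scan_untrusted_source(), its blocked list and the sample module are constructed for the example. It reports direct calls to blocked functions and separately flags eval, variable functions and the call_user_func family, which a name-based scan cannot resolve and which therefore need a decision of their own.

```php
<?php
// Added example, not the bug report's code: token_get_all() scanner for untrusted module source.
// The blocked list and the sample module at the bottom are constructed for the demonstration.
function scan_untrusted_source(string $source, array $blocked): array
{
    $blocked = array_map('strtolower', $blocked);
    // Constructs that choose the callee at runtime; a static name check cannot see through them.
    $dynamic = ['call_user_func', 'call_user_func_array', 'create_function', 'assert'];
    $names   = defined('T_NAME_FULLY_QUALIFIED') ? [T_STRING, T_NAME_FULLY_QUALIFIED] : [T_STRING]; // PHP 8 tokenizes "\mail" as one token
    $tokens  = token_get_all($source); $n = count($tokens); $findings = [];
    // Index of the nearest token in direction $step that is not whitespace or a comment.
    $significant = function (int $i, int $step) use ($tokens, $n): int {
        do { $i += $step; } while ($i >= 0 && $i < $n && is_array($tokens[$i])
            && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true));
        return $i;
    };
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) continue;
        [$id, $text, $line] = $tokens[$i];
        if ($id === T_EVAL) {                                 // only the eval itself is visible, not what it runs
            $findings[] = ['line' => $line, 'kind' => 'dynamic', 'name' => 'eval']; continue;
        }
        $next = $significant($i, 1);
        if ($next >= $n || $tokens[$next] !== '(') continue;  // not followed by "(": not a call
        if ($id === T_VARIABLE) {                             // $f(...) or $obj->$m(...): callee named at runtime
            $findings[] = ['line' => $line, 'kind' => 'dynamic', 'name' => $text . '()']; continue;
        }
        if (!in_array($id, $names, true)) continue;
        $prev = $significant($i, -1);
        // Skip methods ($db->connect()), static calls (A::file()) and declarations (function mail()).
        if ($prev >= 0 && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true)) continue;
        $name = strtolower(ltrim($text, '\\'));
        $kind = in_array($name, $blocked, true) ? 'blocked' : (in_array($name, $dynamic, true) ? 'dynamic' : null);
        if ($kind !== null) $findings[] = ['line' => $line, 'kind' => $kind, 'name' => $name];
    }
    return $findings;
}
$module = <<<'PHP'
<?php
$db->connect();                               // method call, not a blocked function
mail($to, $subject, $body);                   // direct call to a blocked function: reported
$f = 'fo' . 'pen'; $f('settings.php', 'r');   // variable function: "fopen" never appears as a token
eval(str_rot13('znvy();'));                   // evaluated string: only the eval itself is visible
PHP;
foreach (scan_untrusted_source($module, ['mail', 'fopen', 'file']) as $hit) {
    printf("line %d: %s %s\n", $hit['line'], $hit['kind'], $hit['name']);
}
```

The "dynamic" findings are the point of the objection: the scanner can only report that the module reaches for eval or a runtime-chosen callee, so a policy has to reject or manually review those modules rather than trust the blocked-name check alone.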
 [2003-08-13 15:56 UTC] nightcat at poczta dot onet dot pl
One more advantage of this would be a situation like when I'm creating a CMS and I want to be sure that in the whole application the MySQL connection will be handled by my objects, not by mysql_* functions. Now, I have no way to do this.
 [2011-01-01 20:59 UTC] jani@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2011-01-01 20:59 UTC] jani@php.net
This is not the way to handle such issues.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 10:01:26 2024 UTC