Request #38171 Validating $_SERVER tampering
Submitted: 2006-07-21 01:20 UTC Modified: 2013-02-17 12:03 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ksharpe at kharysharpe dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 5.1.4 OS: ALL
Private report: No CVE-ID: None

 [2006-07-21 01:20 UTC] ksharpe at kharysharpe dot com
Description:
------------
I would like to propose a solution that will allow testing whether $_SERVER (or similar) predefined variables have been changed since PHP initialized them.

string predefinedVarHash(string predefinedVar)

PHP at runtime, after variables have been initialized/loaded, would store the serialized hash of the predefined variable that could be later retrieved by the above function.

Reproduce code:
---------------
e.g.

<?php

$md5Hash = predefinedVarHash("SERVER");

if ($md5Hash !== md5(serialize($_SERVER)))
   die('$_SERVER changed');
else
   echo '$_SERVER has not been changed';
?>

Expected result:
----------------
This would allow us to validate the information stored in the variable, while still allowing us to legitimately change the value of $_SERVER or other predefined variables.


History

 [2013-02-17 12:03 UTC] nikic@php.net
-Status: Open
+Status: Wont fix
-Package: Feature/Change Request
+Package: *General Issues
 [2013-02-17 12:03 UTC] nikic@php.net
This doesn't seem particularly useful to me and if you need it then it's simple enough to implement in userland PHP: Just do a $backup = $_SERVER and compare to that later. Marking as Wfx.
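
The userland approach suggested in the comment above, carried one step further so that it reports which keys changed. This is an added example, not code from the report or from PHP itself: the class name SuperglobalSnapshot and its diff() method are hypothetical, and the tampered values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): snapshot superglobals early,
// then report which keys were added, removed or changed later in the request.
final class SuperglobalSnapshot
{
    /** @var array<string, array> copies taken at snapshot time */
    private array $baseline = [];

    public function __construct(array $vars)
    {
        // PHP arrays are copied by value, so later writes to $_SERVER
        // do not affect the stored baseline.
        $this->baseline = $vars;
    }

    /** Returns ['added' => [...], 'removed' => [...], 'changed' => [...]] of key names. */
    public function diff(string $name, array $current): array
    {
        $before = $this->baseline[$name] ?? [];
        $changed = [];
        foreach (array_intersect_key($current, $before) as $key => $value) {
            if ($value !== $before[$key]) {
                $changed[] = $key;
            }
        }
        return [
            'added'   => array_keys(array_diff_key($current, $before)),
            'removed' => array_keys(array_diff_key($before, $current)),
            'changed' => $changed,
        ];
    }
}

// Take the snapshot as early as possible, e.g. from an auto_prepend_file script.
$snapshot = new SuperglobalSnapshot(['SERVER' => $_SERVER]);

// Constructed tampering, standing in for code that runs later in the request.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';
$_SERVER['X_INJECTED']  = 'constructed value';

$delta = $snapshot->diff('SERVER', $_SERVER);
if ($delta['added'] || $delta['removed'] || $delta['changed']) {
    error_log('$_SERVER modified: ' . json_encode($delta));
}
```

A snapshot only detects writes made after it was taken. The HTTP_* entries of $_SERVER are filled from request headers, so they are client-controlled before any snapshot exists and still need validation of their own.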
 
Last updated: Sun May 05 15:01:33 2024 UTC