Bug #48379 Bogus value in variables leaked from POST or SESSION
Submitted: 2009-05-25 03:37 UTC
Modified: 2009-05-25 12:43 UTC
From: anchoa at cardumen dot info
Assigned:
Status: Not a bug
Package: Variables related
PHP Version: 5.2.9
OS: linux
Private report: No
CVE-ID: None
 [2009-05-25 03:37 UTC] anchoa at cardumen dot info
Variables that have the same name as an associative POST or SESSION 
variable are assigned their values. For example, if $_SESSION['v1'] == 
"abcd", $v1 is assigned "abcd" instead of being left undefined. 

Reproduce code:

Expected result:
The right behavior is for the four variables  v1, v2, v3, and v4 to 
remain undefined.

Actual result:
Enter some data in text fields v1, v2, v3, and v4

Variables $v1, $v2, $v3, and $v4 will be assigned the values leaked from 
$_SESSION['v1'], $_SESSION['v2'], $_SESSION['v3'], and $_SESSION['v4'].

If you comment out session_start(); and/or $_SESSION = $_POST; the 
values will be leaked from $_POST.


 [2009-05-25 08:05 UTC]
And register_globals is off..?
 [2009-05-25 12:13 UTC] anchoa at cardumen dot info
When the leak happens, register_globals is on.

When I turn register_globals off, the leak does not happen.

register_globals is now "on" at the test site.
 [2009-05-25 12:25 UTC] anchoa at cardumen dot info
The variable that is giving me trouble (in my real code, not the test 
code) was initialized to empty ($var = '') before calling 
session_start() and, supposedly, an already initialized variable should 
not be injected with a new value.
 [2009-05-25 12:43 UTC]
That "leak" is expected when you have register_globals=On. And that's one reason register_globals will be gone in PHP 6.. :)
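
Since the behaviour reported in this thread depends entirely on register_globals being on, a configuration audit is a practical check for it. The following is an added example, not code from the report or from the PHP project: it scans php.ini and Apache .htaccess text for lines that set register_globals. The function name and both sample configurations are constructed for illustration.

```python
import re

# Values this audit treats as "enabled". This is deliberately conservative:
# it accepts every common boolean spelling for both file types.
TRUTHY = {"1", "on", "yes", "true"}

# php.ini style:  register_globals = On
# Lines commented out with ';' do not match because of the ^\s* anchor.
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^";\s]*)"?', re.I)

# Apache mod_php style:  php_flag register_globals on
# Also covers php_value and the php_admin_* variants.
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^"\s]+)"?',
    re.I,
)


def find_register_globals(text):
    """Return [(line_no, kind, enabled)] for each register_globals setting."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("ini", INI_RE), ("apache", APACHE_RE)):
            match = pattern.match(line)
            if match:
                enabled = match.group(1).lower() in TRUTHY
                hits.append((line_no, kind, enabled))
    return hits


# Constructed sample inputs (not taken from the reporter's site).
SAMPLE_INI = """\
; constructed sample php.ini
; register_globals = Off
register_globals = On
session.auto_start = 0
"""

SAMPLE_HTACCESS = """\
# constructed sample .htaccess
php_flag register_globals off
php_value register_globals 1
"""

if __name__ == "__main__":
    for name, text in (("php.ini", SAMPLE_INI), (".htaccess", SAMPLE_HTACCESS)):
        for line_no, kind, enabled in find_register_globals(text):
            state = "ENABLED" if enabled else "disabled"
            print(f"{name}:{line_no}: register_globals {state} ({kind})")
```

Any line reported as enabled marks a scope in which request and session keys are copied into same-named global variables, as described in the replies above.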
Last updated: Mon May 20 20:01:32 2024 UTC