php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48379 Bogus value in variables leaked from POST or SESSION
Submitted: 2009-05-25 03:37 UTC Modified: 2009-05-25 12:43 UTC
From: anchoa at cardumen dot info Assigned:
Status: Not a bug Package: Variables related
PHP Version: 5.2.9 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: anchoa at cardumen dot info
New email:
PHP Version: OS:

 

 [2009-05-25 03:37 UTC] anchoa at cardumen dot info
Description:
------------
Variables that have the same name as an associative POST or SESSION 
variable are assigned their values, For example, if $_SESSION['v1'] == 
"abcd", $v1 is assigned "abcd" instead of being left undefined. 

Reproduce code:
---------------
See:

http://testing.cardumen.com/session-bug.php


Expected result:
----------------
The right behavior is for the four variables  v1, v2, v3, and v4 to 
remain undefined.

Actual result:
--------------
Enter some data in text fields v1, v2, v3, and v4

Variables $v1, $v2, $v3, and $v4 will be assigned the values leaked from 
$_SESSION['v1'], $_SESSION['v2'], $_SESSION['v3'], and $_SESSION['v4'], 

If you comment out session_start(); and or $_SESSION = $_POST; the 
values will be leaked from $_POST.





Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-25 08:05 UTC] jani@php.net
And register_globals is off..?
 [2009-05-25 12:13 UTC] anchoa at cardumen dot info
When the leak happens, register_globals is on

When I turn register_globals off, the leak does not happen.

register_globals is now "on" at the test site
 [2009-05-25 12:25 UTC] anchoa at cardumen dot info
The variable that is giving me troubles (in my real code, not the test 
code) was initialized to empty ($var = '') before calling 
session_start() and, supposedly an already initialized variable should 
not be injected with a new value.
 [2009-05-25 12:43 UTC] jani@php.net
That "leak" is expected when you have register_globals=On. And that's one reason register_globals will be gone in PHP 6.. :)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 30 20:01:30 2024 UTC