php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #62943 ?& in header causes parameter problem
Submitted: 2012-08-27 06:29 UTC Modified: 2012-08-28 04:43 UTC
From: esko dot saajanto at code4m dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.3.3-7+squeeze8 OS: Debian
Private report: No CVE-ID: None
View Developer Edit
 [2012-08-27 06:29 UTC] esko dot saajanto at code4m dot com 
Description:
------------
PHP 5.3.3-7+squeeze8 with Suhosin-Patch (cli) (built: Feb 10 2012 13:05:56)

I found out by a typo I've made that ?& in the header causes parameters used in the previus php pages to be submitted via POST and GET. This may be problem that should be fixed to prevent unwanted behavior in the systems built. Caused me a lot of effort to find out this!

Regards
Esko Saajanto
Code4m Oy

Test script:
---------------
example: www.somesite.com?&parameter1&parameter2&parameter3....

So if I've used f.ex. parameter99 in some previous pages it comes along with this example as an variable to the page even when the is no $_GET or $_POST in the php script called by the header.

So I can refer to a $valiable99 that has a value inherited somewhere from the previous pages because the ?& in the header.

Expected result:
----------------
?& in header digs out some parameters used in previus page calls and makes them variables with values in page that it shouldn't

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-27 06:41 UTC] aharvey@php.net 
Please note that we don't generally accept bug reports involving Suhosin or distribution patched versions of PHP.

My guess is that you're hitting the suhosin.get.max_vars limit because the initial & is registering another empty GET variable. Does increasing that fix the issue?
 [2012-08-27 06:41 UTC] aharvey@php.net
-Status: Open +Status: Feedback -PHP Version: Irrelevant +PHP Version: 5.3.3-7+squeeze8
 [2012-08-27 07:07 UTC] esko dot saajanto at code4m dot com 
Hi.
I'm not sure if I could make my case understandable. So the problem is not that I miss some parameter(s) in header but rather so that I get variables without $_GET and $_POST that I shouldn't get according the header sent. This is OK because the register globals is on - BUT -

If the first character in the header after '?' is '&' so it brings me all the variables used in the previus pages even if I'd have only two parameters in my header. That shouldn't be the case?
 [2012-08-27 07:07 UTC] esko dot saajanto at code4m dot com
-Status: Feedback +Status: Open
 [2012-08-27 07:32 UTC] aharvey@php.net 
Ah, I see. That does sound very weird.

I can't reproduce your described effects on PHP 5.4.6. I think we'll need a self-contained reproduction case that works on a stock 5.3.16 or 5.4.6 to have any hope here.
 [2012-08-27 07:32 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2012-08-27 07:36 UTC] rasmus@php.net 
Looking at the code I don't see how that is in any way possible. You are sure 
this isn't some session-related thing? Can you reproduce it with a simple script?
How about if you disable Suhosin, does it still happen?
 [2012-08-27 07:53 UTC] esko dot saajanto at code4m dot com
-Status: Feedback +Status: Open
 [2012-08-27 07:53 UTC] esko dot saajanto at code4m dot com 
Tested without suhosin with same results.
http://192.168.1.29/resultcode.fi/sarjat/rcea/rcea_tuomaritoiminta_sarjakausi_palkkiot.php?&piiri_id=100013 is the header and system is working fine exept I do get variables available that are not defined in this module or it's includes. 

This is confirmed by two other programmers who took a carefull look of the code. F.ex. I have a variable $sarjakausi_id that is used in perevious pages and it comes available to this page even when 'piiri_id' is the only variable passed. So somehow this is related to the ampersand mark after the first question mark in parameter list. When '&' is left out the 'sarjakausi_id' variable is no longer available.
 [2012-08-27 14:44 UTC] anon at anon dot anon 
@esko: We can't access that page because it's a private IP. Can you cause this bug with a simple test script like this:

<?php
header('Content-Type: text/plain');
print_r($GLOBALS);
?>

If not, simplify the buggy code until the bug disappears. Then you'll know what's triggering it.
 [2012-08-28 04:36 UTC] esko dot saajanto at code4m dot com 
Hi
Sorry for my mistake! Almost 10 years with php and and still there are days when even the most simpliest piece of code can be misinterpeted (by 3 people)in way that causes a false bug report like this. Thank you for the exellent product.
 [2012-08-28 04:36 UTC] esko dot saajanto at code4m dot com
-Status: Open +Status: Closed
 [2012-08-28 04:43 UTC] rasmus@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Jul 05 04:01:35 2025 UTC