PHP :: Bug #6660 :: PHP magic variables can be overridden by GPC variables

Bug #6660	PHP magic variables can be overridden by GPC variables
Submitted:	2000-09-11 20:12 UTC	Modified:	2000-09-12 00:26 UTC
From:	jon+php-dev at unequivocal dot co dot uk	Assigned:
Status:	Closed	Package:	*General Issues
PHP Version:	4.0 Latest CVS (11/09/2000)	OS:	N/A
Private report:	No	CVE-ID:	None

View Developer Edit

[2000-09-11 20:12 UTC] jon+php-dev at unequivocal dot co dot uk

This is a potential security issue.

If register_globals is on, then PHP magic variables (HTTP_GET_VARS, HTTP_POST_VARS, etc) can be faked by remote web users. This is particularly important in the case of HTTP_ENV_VARS and HTTP_POST_FILES, which the script author may expect to come from a local source.

e.g.

http://www.example.com/example.php?HTTP_POST_FILES[file]=/etc/passwd

All the variables in http://www.php.net/manual/language.variables.predefined.php should be protected from being set by GPC variables, presumably in php_register_variables_ex. (Some variables cannot be overridden because they are set later to the correct values, but this is not good to rely on.)

(Yes, I know you have added 'is_uploaded_files'. I think this should be fixed anyway.)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-09-11 21:29 UTC] jon+php-dev at unequivocal dot co dot uk

Hmm, actually, 4.0.3RC1 seems to improve this. I am not sure what has changed though, so I can't check for sure.

[2000-09-12 00:26 UTC] rasmus@php.net

Fixed for 4.0.3

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Jun 01 18:01:26 2025 UTC