php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66851 $_SERVER holds unrelated client stuff
Submitted: 2014-03-07 23:25 UTC Modified: 2014-03-09 17:07 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: eldmannen+php at gmail dot com Assigned:
Status: Wont fix Package: Variables related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2014-03-07 23:25 UTC] eldmannen+php at gmail dot com
Description:
------------
http://websec.io/2012/08/11/Can%27t-Trust-the-$_SERVER.html

The superglobal $_SERVER contains unrelated stuff such as HTTP_USER_AGENT and HTTP_REFERER which are from the client and set by the client, not the server.

These ought to be stripped out and moved into a new superglobal called $_CLIENT.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-09 16:48 UTC] phpmpan at mpan dot pl
`$_SERVER` doesn't hold server-originated data. It holds served-possesed data about the execution environment. This is, among other things, information about the request currently being processed.
 [2014-03-09 16:55 UTC] rasmus@php.net
-Status: Open +Status: Wont fix
 [2014-03-09 17:02 UTC] eldmannen+php at gmail dot com
So GATEWAY_INTERFACE, SERVER_ADDR, SERVER_SOFTWARE, and SERVER_ADMIN aren't server-originated data?

While things like HTTP_USER_AGENT and HTTP_REFERER are from the client.

I see a distinction between these. Server and client.
Some of these can be trusted, others can not.
 [2014-03-09 17:07 UTC] rasmus@php.net
It is the web server that communicates with the client, not PHP. It sets a number of variables about the current executing request. It is not PHP's job to try to figure out if a piece of information set by the server originated from the server or the client. In fact we have no way to determine this. We can make some guesses, but then when another server comes along and sets something we haven't seen before we won't know where that came from. We simply put everything the server sets into the $_SERVER array. This is simple, consistent, future-proof and easy for everyone to understand. What you are suggesting would lead to chaos and bugs if we were to try to guess as to the origin of every piece of data provided to us by the server.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 11 18:01:30 2024 UTC