php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66851 $_SERVER holds unrelated client stuff
Submitted: 2014-03-07 23:25 UTC Modified: 2014-03-09 17:07 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: eldmannen+php at gmail dot com Assigned:
Status: Wont fix Package: Variables related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
35 + 5 = ?
Subscribe to this entry?

 
 [2014-03-07 23:25 UTC] eldmannen+php at gmail dot com
Description:
------------
http://websec.io/2012/08/11/Can%27t-Trust-the-$_SERVER.html

The superglobal $_SERVER contains unrelated stuff such as HTTP_USER_AGENT and HTTP_REFERER which are from the client and set by the client, not the server.

These ought to be stripped out and moved into a new superglobal called $_CLIENT.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-09 16:48 UTC] phpmpan at mpan dot pl
`$_SERVER` doesn't hold server-originated data. It holds served-possesed data about the execution environment. This is, among other things, information about the request currently being processed.
 [2014-03-09 16:55 UTC] rasmus@php.net
-Status: Open +Status: Wont fix
 [2014-03-09 17:02 UTC] eldmannen+php at gmail dot com
So GATEWAY_INTERFACE, SERVER_ADDR, SERVER_SOFTWARE, and SERVER_ADMIN aren't server-originated data?

While things like HTTP_USER_AGENT and HTTP_REFERER are from the client.

I see a distinction between these. Server and client.
Some of these can be trusted, others can not.
 [2014-03-09 17:07 UTC] rasmus@php.net
It is the web server that communicates with the client, not PHP. It sets a number of variables about the current executing request. It is not PHP's job to try to figure out if a piece of information set by the server originated from the server or the client. In fact we have no way to determine this. We can make some guesses, but then when another server comes along and sets something we haven't seen before we won't know where that came from. We simply put everything the server sets into the $_SERVER array. This is simple, consistent, future-proof and easy for everyone to understand. What you are suggesting would lead to chaos and bugs if we were to try to guess as to the origin of every piece of data provided to us by the server.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Oct 27 07:03:33 2021 UTC