Doc Bug #71686 parse_str() should have a warning about using it with untrusted data
Submitted: 2016-02-29 01:41 UTC Modified: 2017-01-28 13:29 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: aaronw at catalyst dot net dot nz Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 5.5.32 OS:
Private report: No CVE-ID: None
 [2016-02-29 01:41 UTC] aaronw at catalyst dot net dot nz
Description:
------------
The one-parameter version of parse_str() populates variables in the current scope, the same as register_globals or extract(). So like those, if it's used with user-supplied data then it is prone to bugs and security vulnerabilities where users can override global variables and other uninitialized variables.

But unlike register_globals and extract(), there is no warning on the parse_str() manual page about using it with untrusted/user-supplied data. Quite the opposite, there's a note telling you how to use it with $_SERVER['QUERY_STRING'].

So it would be better for new developers if there were a big pink "Warning" note on the page, much like the ones on the extract() page. It should advise users to instead use the two-parameter version, which extracts the values into an array instead of into variables.
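The following is an added example, not code from the bug report or the PHP manual. It contrasts the one-argument parse_str() call the reporter warns about with the two-argument form, using a constructed query string and hypothetical handler functions (vulnerableHandler, safeHandler); on PHP 8 the one-argument call is no longer accepted, so run it on PHP 7.x, where it still works (with a deprecation notice from 7.2 on).

```php
<?php
// Constructed hostile query string: besides the expected "page" key it
// names a variable the application never meant to expose.
$untrustedQuery = 'page=home&isAdmin=1&config[debug]=1';

// Vulnerable: the one-argument form writes every key of the query string
// into the current scope, so the request can clobber $isAdmin.
function vulnerableHandler(string $query): string
{
    $isAdmin = false;        // application state set before parsing
    parse_str($query);       // one-argument form: overwrites $isAdmin
    return $isAdmin ? 'admin view' : 'normal view';
}

// Hardened: the two-argument form fills an array; the application reads
// only the keys it expects and its own variables are untouched.
function safeHandler(string $query): string
{
    $isAdmin = false;
    parse_str($query, $params);  // two-argument form: fills $params only
    $page = (isset($params['page']) && is_string($params['page']))
        ? $params['page']
        : 'home';
    return $isAdmin ? 'admin view' : "normal view of $page";
}

echo vulnerableHandler($untrustedQuery), PHP_EOL;
echo safeHandler($untrustedQuery), PHP_EOL;
```

The first call reports the admin view because the query string overwrote $isAdmin; the second keeps the application's own value and uses only the whitelisted key.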


 [2016-03-30 20:06 UTC] bshafs at gmail dot com
This is a good start. I would also love to have a way (in php.ini) to turn off the ability for this function to write variables in the current scope, as this behavior makes the function insecure.
 [2017-01-28 13:29 UTC] cmb@php.net
-Status: Open +Status: Closed -Package: Documentation problem +Package: Strings related -Assigned To: +Assigned To: cmb
 [2017-01-28 13:29 UTC] cmb@php.net
> So it would be better for new developers if there were a big
> pink "Warning" note on the page, […]

Fixed with <http://svn.php.net/viewvc?view=revision&revision=341059>.

> I would also love to have a way (in php.ini) to turn off the
> ability for this function to write variables in the current
> scope, […]

There is currently a vote in progress to deprecate and to later
remove parse_str() without second argument, see
<https://wiki.php.net/rfc/deprecations_php_7_2#parse_str_without_second_argument>.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 07:01:24 2019 UTC