PHP :: Doc Bug #71686 :: parse_str() should have a warning about using it with untrusted data

parse_str() should have a warning about using it with untrusted data

Submitted:

2016-02-29 01:41 UTC

Modified:

2017-01-28 13:29 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

aaronw at catalyst dot net dot nz

Assigned:

cmb (profile)

Status:

Closed

Package:

Strings related

PHP Version:

5.5.32

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	aaronw at catalyst dot net dot nz
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-02-29 01:41 UTC] aaronw at catalyst dot net dot nz

Description:
------------
The one-parameter version of parse_str() populates variables in the current scope, the same as register_globals or extract(). So like those, if it's used with user-supplied data then it is prone to bugs and security vulnerabilities where users can override global variables and other uninitialized variables.

But unlike register_globals and extract(), there is no warning on the parse_str() manual page about using it with untrusted/user-supplied data. Quite the opposite, there's a note telling you how to use it with $_SERVER['QUERY_STRING'].

So it would be better for new developers if there were a big pink "Warning" note on the page, much like the ones on the extract() page. It should advise users to instead use the two-parameter version, which extracts the values into an array instead of into variables.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-03-30 20:06 UTC] bshafs at gmail dot com

This is a good start. I would also love to have a way (in php.ini) to turn off the ability for this function to write variables in the current scope, as this behavior makes the function insecure.

[2017-01-28 13:29 UTC] cmb@php.net

-Status: Open +Status: Closed -Package: Documentation problem +Package: Strings related -Assigned To: +Assigned To: cmb

[2017-01-28 13:29 UTC] cmb@php.net

> So it would be better for new developers if there were a big
> pink "Warning" note on the page, […]

Fixed with <http://svn.php.net/viewvc?view=revision&revision=341059>.

> I would also love to have a way (in php.ini) to turn off the
> ability for this function to write variables in the current
> scope, […]

There is currently a vote in progress to deprecate and to later
remove parse_str() without second argument, see
<https://wiki.php.net/rfc/deprecations_php_7_2#parse_str_without_second_argument>.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 17:01:28 2024 UTC