|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #864 Query string overrides apache envars
Submitted: 1998-10-21 14:18 UTC Modified: 1998-10-21 14:31 UTC
From: explorer at flame dot org Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Latest CVS (21/10/1998) OS: NetBSD/i386-1.3.2+
Private report: No CVE-ID: None
 [1998-10-21 14:18 UTC] explorer at flame dot org
When using Basic auth, Apache sets envar(REMOTE_USER) to the name
authenticated to.  However, using a query like
will cause the initial value of $REMOTE_USER to be changed to foo in
the php script.

It seems to me that Apache vars should be read-only.  That is, read only while in the query string parsing code.  I should be able to set these in php scripts, if I wanted to, but I shouldn't be able to override ($HOME for instance) these.

Your documentation says that envars become php3 vars.  Mention that these can be trivially overwritten should at the least be mentioned there, if this (imho) bug isn't fixed.



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [1998-10-21 14:31 UTC] rasmus
Not really a bug.  One of the wishlist items for 3.1 is to include env vars in the gpc_order mechanism.  For now, the obvious workaround is to do a $REMOTE_USER = getenv("REMOTE_USER"); to make sure you get the correct version.  Or, alternatively turn off PHP's automatic variable creation by setting gpc_order to an empty string.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Oct 02 10:05:51 2022 UTC