|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[1998-10-21 14:18 UTC] explorer at flame dot org
When using Basic auth, Apache sets envar(REMOTE_USER) to the name authenticated to. However, using a query like http://foo.com/path/?REMOTE_USER=foo will cause the initial value of $REMOTE_USER to be changed to foo in the php script. It seems to me that Apache vars should be read-only. That is, read only while in the query string parsing code. I should be able to set these in php scripts, if I wanted to, but I shouldn't be able to override ($HOME for instance) these. Your documentation says that envars become php3 vars. Mention that these can be trivially overwritten should at the least be mentioned there, if this (imho) bug isn't fixed. --Michael PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat May 11 00:01:31 2024 UTC |
Not really a bug. One of the wishlist items for 3.1 is to include env vars in the gpc_order mechanism. For now, the obvious workaround is to do a $REMOTE_USER = getenv("REMOTE_USER"); to make sure you get the correct version. Or, alternatively turn off PHP's automatic variable creation by setting gpc_order to an empty string.