[17885] in bugtraq


Re: Security problems with TWIG webmail system

daemon@ATHENA.MIT.EDU (Rasmus Lerdorf)
Fri Dec 1 16:35:17 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.30.0012011049470.835-100000@localhost.localdomain>
Date:         Fri, 1 Dec 2000 10:55:01 -0800
Reply-To: Rasmus Lerdorf <rasmus@LINUXCARE.COM>
From: Rasmus Lerdorf <rasmus@LINUXCARE.COM>
X-To:         Shaun Clowes <shaun@SECUREREALITY.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3a2738aa.db.0@webcentral.com.au>

> I would suggest the ability to override the PHP defined arrays in the way you're
> describing only exists in version 3 of PHP since PHP 4 adds the configuration
> directive variables_order which allows the order in which variables are defined
> to be set, by default PHP defined variables are set LAST in the configuration
> file examples that ship with PHP 4.

You cannot override the HTTP_*_VARS arrays in PHP 4.  And, to be correct
here, PHP 3 also has the option to turn this off and to define the
ordering just like PHP 4.  The gpc_order php3.ini directive can be used to
do this.  If you set it to an empty string no variables will be imported
into the global symbol table.

This is however likely to break many existing applications so my advice is
definitely to upgrade to PHP 4 and use the more flexible mechanisms
offered there.

-Rasmus
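
The import-order behaviour Rasmus describes, as an added example that is not part of the original post and is not TWIG's or PHP's own code. It models the gpc_order / variables_order walk in plain PHP so it can be run from the command line without a web server; the constructed request values, the parameter names, and the register_globals directive mentioned in the comments are my additions, not from the thread.

```php
<?php
// Added example; not code from the thread, from TWIG or from PHP itself.
//
// Directives involved (gpc_order and variables_order are named in the
// message; register_globals is the PHP 4 switch that turns the import off):
//   php3.ini:  gpc_order = "GPC"          default; import GET, then POST, then COOKIE
//   php3.ini:  gpc_order = ""             import nothing, as Rasmus describes
//   php.ini:   variables_order = "EGPCS"  PHP 4 default order
//   php.ini:   register_globals = Off     PHP 4: stop copying request data to globals
//
// The functions below model what the importer does so the effect of the
// ordering can be seen offline.

// Constructed request data standing in for what PHP itself would have
// parsed from the request; a real script never populates these arrays.
$HTTP_GET_VARS    = array('user' => 'alice', 'folder' => 'INBOX');
$HTTP_POST_VARS   = array();
$HTTP_COOKIE_VARS = array('user' => 'mallory');

// Model of gpc_order / register_globals: walk the letters of $order and
// copy each source into one symbol table.  A later letter overwrites an
// earlier one, so with "GPC" a cookie named "user" replaces the GET "user",
// and with "" nothing is imported at all.  Any client controls all three
// sources, so a script reading a bare global trusts whichever came last.
function model_import($order, $get, $post, $cookie)
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $table   = array();
    for ($i = 0; $i < strlen($order); $i++) {
        $letter = $order[$i];
        if (!isset($sources[$letter])) {
            continue;                   // E and S are not modelled here
        }
        foreach ($sources[$letter] as $name => $value) {
            $table[$name] = $value;     // later source wins
        }
    }
    return $table;
}

// Hardened reader: take the parameter from the one array the application
// actually means, never from a bare global, and whitelist what is accepted.
// This works regardless of how gpc_order or register_globals is configured.
function request_param($array, $name, $pattern)
{
    if (!isset($array[$name]) || !is_string($array[$name])) {
        return null;
    }
    return preg_match($pattern, $array[$name]) ? $array[$name] : null;
}

$imported = model_import('GPC', $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS);
echo "gpc_order=GPC -> user = " . $imported['user'] . "\n";

$none = model_import('', $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS);
echo "gpc_order=\"\"  -> " . count($none) . " variables imported\n";

$user = request_param($HTTP_GET_VARS, 'user', '/^[a-z0-9_]{1,32}$/');
echo "explicit read -> user = " . $user . "\n";
?>
```

Run it with the php command-line binary. Under the "GPC" order the cookie value wins for the clashing name; under the empty order the model imports nothing, matching what Rasmus says about gpc_order = ""; the explicit read returns the GET value because it never consults the global symbol table. The HTTP_*_VARS arrays are the PHP 3/4 names used in the message; later PHP versions replaced them with $_GET, $_POST and $_COOKIE, and the same explicit-read rule applies there.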
