Bugtraq mailing list archives
Re: Security problems with TWIG webmail system
From: Rasmus Lerdorf <rasmus () LINUXCARE COM>
Date: Fri, 1 Dec 2000 10:55:01 -0800
I would suggest the ability to override the PHP defined arrays in the way you're describing only exists in version 3 of PHP, since PHP 4 adds the configuration directive variables_order, which allows the order in which variables are defined to be set; by default, PHP defined variables are set LAST in the configuration file examples that ship with PHP 4.
You cannot override the HTTP_*_VARS arrays in PHP 4. And, to be correct here, PHP 3 also has the option to turn this off and to define the ordering just like PHP 4. The gpc_order php3.ini directive can be used to do this. If you set it to an empty string no variables will be imported into the global symbol table. This is however likely to break many existing applications so my advice is definitely to upgrade to PHP 4 and use the more flexible mechanisms offered there.

-Rasmus
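
The ordering behaviour discussed in this message, as an added example that is not part of the original post and is not PHP's own code: a simplified Python model of importing request data into a global symbol table in the order given by an order string such as variables_order or gpc_order. The function names, the sample request and the "SGPC" ordering are constructed for illustration; "EGPCS" stands for the built-ins-last ordering the message describes.

```python
# Simplified model of importing request variables into one global symbol
# table (assumption: an illustration, not PHP's implementation).
# Each letter of the order string names one source. Sources are imported
# left to right, so a later source overwrites an earlier one of the same name.
SOURCES = {"E": "env", "G": "get", "P": "post", "C": "cookie", "S": "server"}
CLIENT = {"get", "post", "cookie"}  # inputs the remote client controls


def import_globals(order, request):
    """Return ({name: value}, {name: source}) after importing in `order`."""
    symtab, origin = {}, {}
    for letter in order.upper():
        source = SOURCES.get(letter)
        if source is None:
            continue  # unknown letters are ignored in this model
        for name, value in request.get(source, {}).items():
            symtab[name] = value
            origin[name] = source
    return symtab, origin


def client_overrides(order, request):
    """Names that env/server define but whose final value came from the client."""
    _, origin = import_globals(order, request)
    trusted = set(request.get("env", {})) | set(request.get("server", {}))
    return sorted(name for name in trusted if origin.get(name) in CLIENT)


# Constructed sample request: the client sends parameters whose names
# collide with variables the server itself defines.
SAMPLE = {
    "server": {"REMOTE_ADDR": "192.0.2.7", "PHP_SELF": "/index.php3"},
    "get": {"REMOTE_ADDR": "10.0.0.1", "folder": "inbox"},
    "cookie": {"PHP_SELF": "/admin.php3"},
}

if __name__ == "__main__":
    # Built-ins last, built-ins first, and the empty string (nothing imported).
    for order in ("EGPCS", "SGPC", ""):
        symtab, _ = import_globals(order, SAMPLE)
        print(repr(order), client_overrides(order, SAMPLE), symtab)
```

An audit of an existing configuration can use the same check: any name reported by `client_overrides` is a server-defined value the application should not trust under that ordering.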