[nycphp-talk] $_SERVER['PHP_SELF'} not working?

George Schlossnagle george at omniti.com
Thu Jul 21 10:09:37 EDT 2005


On Jul 21, 2005, at 10:01 AM, Tim Gales wrote:

> csnyder wrote:
>
>> On 7/21/05, George Schlossnagle <george at omniti.com> wrote:
>>
>>> On Jul 21, 2005, at 8:54 AM, csnyder wrote:
>>>
>>>> On 7/20/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
>>>>
>>>>> More importantly, PHP_SELF can be tainted by users.  Don't assume it's
>>>>> safe.
>>>>
>>>> Hmm. How does $_SERVER['PHP_SELF'] get tainted by users?
>>>
>>> By appending parameters to the uri you're requesting, i.e. requesting
>>>
>>> http://example.com/?$BAD_STUFF_HERE
>>
>> Not in PHP 5.0.4 -- PHP_SELF is only the relative filename of the
>> script called by the webserver, no query information is attached.

My example was flawed, but the same case still works.  Apache allows  
the use of '/' as an IFS, so you can do

http://www.example.com/index.php/$BAD_STUFF_HERE and it will appear  
in full form in PHP_SELF.

George
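
The behaviour described in the message above, shown as an added example that is not part of the original post: a form action built from PHP_SELF, unescaped and then hardened. The `$server` array and its values are constructed to stand in for `$_SERVER` on a request to `/index.php/` followed by extra path text, and the function names are hypothetical.

```php
<?php
// Added example with constructed values; run with the PHP CLI.

// Constructed stand-in for $_SERVER on a request whose path continues
// past the script name: /index.php/"><b>injected</b>
// The trailing segment is chosen by whoever builds the URL.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/index.php/"><b>injected</b>',
];

// Unsafe: PHP_SELF is written into the attribute verbatim, so the quote
// in the trailing segment closes action="..." and the rest becomes markup.
function form_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened: escape for the HTML attribute context at output time.
function form_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Alternative: SCRIPT_NAME does not carry the trailing path segment.
// It is still escaped, because output encoding should not depend on
// which server variable happens to be used.
function form_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

$variants = [
    'unsafe'      => form_unsafe($server),
    'escaped'     => form_escaped($server),
    'script_name' => form_script_name($server),
];

foreach ($variants as $label => $html) {
    // Flag any variant where the constructed tag survived as live markup.
    $leaked = strpos($html, '<b>') !== false ? 'markup injected' : 'inert';
    printf("%-12s %-16s %s\n", $label, $leaked, $html);
}
```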


