Newsgroups: php.internals
Message-ID: <453D4FC1.5010104@lerdorf.com>
Date: Mon, 23 Oct 2006 16:26:57 -0700
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Peter Brodersen
CC: PHP internals
References: <453C81F8.7080606@hardened-php.net> <453CFE17.5020809@lerdorf.com> <9hiqj2dupeap8a98pfisf637joqhobd8jq@4ax.com>
In-Reply-To: <9hiqj2dupeap8a98pfisf637joqhobd8jq@4ax.com>
Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters

Peter Brodersen wrote:
> On Mon, 23 Oct 2006 10:38:31 -0700, in php.internals
> rasmus@lerdorf.com (Rasmus Lerdorf) wrote:
>
>> I had left out SERVER filtering in the initial version for much the same
>> reasoning, but it turns out that a good chunk of holes were due to the
>> fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying to
>> teach people which SERVER vars are safe and which aren't isn't a fun
>> task and the whole point of the filter extension is to take away the
>> guessing game.
>
> More well-known, the same goes for the HTTP headers populated in
> _SERVER as well, even though some might be less obvious than others.
>
> HTTP_HOST could be tainted as well in some cases where a DNS entry and
> ServerAlias of *.example.com exists.

Actually, by using the Flash hack, you don't need wildcard DNS to exploit
that one. As anybody who has seen my ranting lately can attest to,
name-based virtual hosting is completely broken until we get everyone
onto Flash9.

-Rasmus
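The two $_SERVER entries named in the thread, REQUEST_URI and HTTP_HOST, are both copied from the client's request and so have to be treated as untrusted input. The PHP snippet below is an added illustration written for this page, not code from the thread or from the filter extension: it escapes REQUEST_URI before it is placed in HTML and compares HTTP_HOST against a fixed allow-list instead of trusting the header. The KNOWN_HOSTS list and the sample $_SERVER arrays are constructed assumptions.

```php
<?php
// Added example, not from the thread. Both helpers take the $_SERVER array
// as a parameter so they can be exercised with constructed input.

// Host names this application is configured to answer as (assumed values).
const KNOWN_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the request host only if it is on the allow-list, otherwise null.
 * HTTP_HOST is whatever Host: header the client sent, so any link, redirect
 * or cookie domain built from it is under the client's control unless the
 * value is checked against configuration first.
 */
function trusted_host(array $server): ?string
{
    $host = $server['HTTP_HOST'] ?? '';
    // Drop an optional :port suffix and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    return in_array($host, KNOWN_HOSTS, true) ? $host : null;
}

/**
 * REQUEST_URI is reproduced verbatim from the request line. Before it is
 * echoed into HTML (a common pattern for form actions and "current page"
 * links) it must be escaped for that context; the raw value must never be
 * concatenated into markup.
 */
function request_uri_for_html(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

// Constructed sample $_SERVER arrays, not captured requests.
$samples = [
    ['HTTP_HOST' => 'www.example.com:8080', 'REQUEST_URI' => '/index.php?page=1'],
    ['HTTP_HOST' => 'other.example.net',    'REQUEST_URI' => '/index.php?q="a"&t=<b>'],
];

foreach ($samples as $server) {
    $host = trusted_host($server);
    printf("host: %s\n", $host === null ? 'REJECTED (' . $server['HTTP_HOST'] . ')' : $host);
    printf("uri for html: %s\n\n", request_uri_for_html($server));
}
```

The first sample passes the host check (the port is stripped before comparison) and its URI is unchanged by escaping; the second is rejected on the host check, and its quotes and angle brackets come back as HTML entities rather than literal markup. Rejecting an unknown Host rather than falling back to it is the point Peter's remark about ServerAlias wildcards leads to: the web server may accept the name, but the application should not treat that as proof of which site was requested.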