Newsgroups: php.internals
From: chris_se@gmx.net (Christian Seiler)
Date: Wed, 11 Feb 2009 19:13:33 +0100
Subject: Re: [PHP-DEV] RFC for new INI's
Message-ID: <4993154D.4050605@gmx.net>
In-Reply-To: <20090211161147.GA13632@panix.com>

Hi,

> variables_order: They should be the same on dev and prod.
>
> request_order: Seems like it should be the same.

Caution! I've read several times in this thread that request_order should be set to something that also contains C. This is DANGEROUS.

request_order was specifically introduced to determine the order of variable merging that leads to $_REQUEST, while variables_order defines the variables that are assigned *at all* (and without register_globals and with request_order, the _order is actually misleading).

So: request_order should *ONLY* be set to "GP" in order NOT to have cookies popping up in $_REQUEST - else everybody who uses $_REQUEST is vulnerable to CSRF.

Also, a recommendation for request_order only makes sense as "GP" (on both production *and* development machine) and setting variables_order to "GPCS".

Furthermore, the comment in the ini file that request_order is in there for performance reasons is just PLAIN WRONG and gives the impression that setting it to "GPCS" or empty will just cost a little performance - where it clearly allows for CSRF if people use $_REQUEST.

Regards,
Christian
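The following is an added illustration of the merging order described above; it is not code from the thread or from PHP itself. It simulates how $_REQUEST is assembled from request_order (falling back to variables_order when request_order is empty, which is PHP's documented behaviour) and flags configurations whose effective order lets cookies in; the GET/POST/cookie arrays are constructed sample data.

```php
<?php
// Added example (not from the thread): simulate how $_REQUEST is assembled
// from the sources named in request_order, left to right with later sources
// overwriting earlier ones, falling back to variables_order when it is empty.
// Only G, P and C feed $_REQUEST; S and E are skipped, as PHP does.

function build_request(string $request_order, string $variables_order,
                       array $get, array $post, array $cookie): array {
    $order   = $request_order !== '' ? $request_order : $variables_order;
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]); // later wins
        }
    }
    return $request;
}

// Deployment check: report any configuration whose effective order merges
// cookies into $_REQUEST, which is the condition the mail warns about.
function request_order_findings(string $request_order, string $variables_order): array {
    $effective = $request_order !== '' ? $request_order : $variables_order;
    $findings  = [];
    if ($request_order === '') {
        $findings[] = "request_order is empty; variables_order \"$variables_order\" is used for \$_REQUEST";
    }
    if (stripos($effective, 'C') !== false) {
        $findings[] = "effective order \"$effective\" merges cookies into \$_REQUEST";
    }
    return $findings;
}

// Constructed sample input: the same key arrives in the form body and in a cookie.
$get    = ['page' => 'list'];
$post   = ['action' => 'delete', 'token' => 'value-from-form'];
$cookie = ['token' => 'value-from-cookie'];

foreach (['GPC', '', 'GP'] as $ro) {
    $req = build_request($ro, 'GPCS', $get, $post, $cookie);
    printf("request_order=\"%s\": token=%s\n", $ro, $req['token']);
    foreach (request_order_findings($ro, 'GPCS') as $f) {
        echo "  finding: $f\n";
    }
}

// Check the running interpreter's own settings the same way.
foreach (request_order_findings((string) ini_get('request_order'),
                                (string) ini_get('variables_order')) as $f) {
    echo "live config: $f\n";
}
```

With "GPC" or an empty request_order the cookie value shadows the form value for `token`; only "GP" keeps $_REQUEST free of cookie data.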