Newsgroups: php.internals
Message-ID: <4A0D29D5.2040004@lerdorf.com>
Date: Fri, 15 May 2009 10:37:41 +0200
To: Lukas Kahwe Smith
CC: Michael Shadle, Nathan Rixham, PHP Development
References: <4A0C9516.8060808@gmail.com> <4A0D2648.3050802@lerdorf.com>
Subject: Re: [PHP-DEV] Re: Why does $_REQUEST exist?
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Lukas Kahwe Smith wrote:
>
> On 15.05.2009, at 10:22, Rasmus Lerdorf wrote:
>
>> Michael Shadle wrote:
>>> On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham wrote:
>>>
>>>> bc? all the reasoning in the world won't justify it to 1 million
>>>> businesses running php 4 code which is reliant on $_REQUEST behind
>>>> the scenes.
>>>>
>>>> although it would generate a tonne of freelance work :p
>>>
>>> that code has to change for 5.3 or 6.0 anyway.
>>>
>>> now is the time to yank out some of the legacy crap. we don't want PHP
>>> to be like windows, do we?
>>
>> The more stuff like this we remove, the harder it becomes for people to
>> quickly move to newer, faster and more secure versions of PHP. That
>> causes way more frustration for everyone than a few "ugly" legacy
>> features. If there is a decent technical reason, performance or
>> security, then we need to take a hard look at it. In this case, the
>> thing we should be looking at isn't whether we should remove $_REQUEST
>> but whether we should remove cookie data from it. Many configurations
>> already do that, including all of my own, and there is a strong valid
>> security reason for not including cookies in $_REQUEST. Most people use
>> $_REQUEST to mean GET or POST, not realizing that it could also contain
>> cookies and as such bad guys could potentially do some cookie injection
>> tricks and break naive applications.
>
> It's already fixed in 5.3. There is a new ini option that defines what
> should go into $_REQUEST. See the following blog post for details:
> http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/
>
> Also a lot of work was put into restructuring the php.ini files we ship
> with PHP.

Right, I obviously know that, I should have explained better. What I meant by removing cookie data from $_REQUEST was to never allow it at all. Right now you have to set request_order to "GP" in order to not get it. If, like most people, you upgrade and use the same php.ini file as before, then we default back to variables_order which has always included cookie data by default.

So, as much as I appreciate the work that has gone into the new recommended php.ini settings, we all know that most people completely ignore our .ini suggestions and go with whatever their distro chooses or whatever they have had in there since their PHP4 days. My prediction is that the bulk of people after upgrading to 5.3 will still have cookies in their $_REQUEST.

-Rasmus
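As an added illustration, not part of this thread or of PHP's own source, the PHP script below simulates how $_REQUEST is assembled from the request_order string (or variables_order when request_order is empty), with later sources overwriting earlier ones, and contrasts a naive handler that reads $_REQUEST with one that reads $_POST explicitly. The build_request() and handle() functions and the sample GET/POST/cookie arrays are constructed for the demo.

```php
<?php
// Constructed simulation of how PHP assembles $_REQUEST: it walks the
// request_order (or variables_order) string left to right and merges the
// G (GET), P (POST) and C (COOKIE) arrays, a later source overwriting an
// earlier one on the same key. Other letters (E, S) carry no request data.
// This mirrors the documented behaviour; it is not PHP's internal code.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]); // later wins
        }
    }
    return $request;
}

// Constructed request: the form posted action=view, but the browser also
// carries a cookie that happens to be named "action".
$get    = [];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete', 'PHPSESSID' => 'constructed-session-id'];

// Legacy default: request_order empty, so variables_order "EGPCS" applies
// and the cookie silently overrides the POSTed value.
$legacy = build_request('EGPCS', $get, $post, $cookie);

// Recommended php.ini setting: request_order = "GP", cookies never reach $_REQUEST.
$gp = build_request('GP', $get, $post, $cookie);

echo "legacy order -> action=" . $legacy['action'] . "\n";
echo "request_order=GP -> action=" . $gp['action'] . "\n";

// Defensive handler: read the source you actually mean (POST for a
// state-changing form) and whitelist the accepted values.
function handle(array $post): string
{
    $action = $post['action'] ?? 'view';
    return in_array($action, ['view', 'edit'], true) ? $action : 'view';
}

echo "explicit \$_POST -> action=" . handle($post) . "\n";
```

Running it with the legacy order shows the handler acting on the cookie value rather than the form field; the explicit $_POST handler is unaffected by whatever request_order the deployed php.ini happens to carry.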