Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:43993 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 60809 invoked from network); 15 May 2009 17:14:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 15 May 2009 17:14:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=mike503@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=mike503@gmail.com; sender-id=pass; domainkeys=bad Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.222.185 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: mike503@gmail.com X-Host-Fingerprint: 209.85.222.185 mail-pz0-f185.google.com Received: from [209.85.222.185] ([209.85.222.185:63298] helo=mail-pz0-f185.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 65/EB-27038-003AD0A4 for ; Fri, 15 May 2009 13:14:40 -0400 Received: by pzk15 with SMTP id 15so1118364pzk.29 for ; Fri, 15 May 2009 10:14:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=aE04xnb0DioL3HHUC7KkeRjS/aahinFIMaPa32WWHdU=; b=bRWQngljukmZZnEX5aH2vXa9VaQYTbUDq9uC13Xv0oC7YeMTQQZKChgnmp1jCV8kk9 gEBqkdpbWW7gwsTMkoRRqg+Go3D9zq2L5YGPhg2m4TcTPlDTFkYRGfY1W6V9PYkCn43L CXErdz2yGUftREca1+1NgvKJg7MqY3COsoEkM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=V7idCvuqN9/XEImQs8pTVXWJupbvh7rxEcnWa8A5e0Xj4n3MQU0NqU/d9TfEbOjU0c WjIm6DBC8SLLTogwUIwNRLCkoM/nsStnnC4CRZCKesavESl08Y5cs4ycUJtT6CvLRQHA KJYo/y7rMawnSmxhwKbq4gCGJ0iC0Fni+XE4s= MIME-Version: 1.0 Received: by 10.114.180.1 with SMTP id c1mr5052057waf.206.1242407678066; Fri, 15 May 2009 10:14:38 -0700 (PDT) In-Reply-To: References: <4A0C9516.8060808@gmail.com> <4A0D2648.3050802@lerdorf.com> Date: Fri, 15 May 2009 10:14:38 -0700 Message-ID: To: Rasmus Lerdorf , Lukas Kahwe Smith Cc: PHP Development Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Re: Why does $_REQUEST exist? From: mike503@gmail.com (Michael Shadle) On Fri, May 15, 2009 at 1:32 AM, Lukas Kahwe Smith wro= te: >> The more stuff like this we remove, the harder it becomes for people to >> quickly move to newer, faster and more secure versions of PHP. =C2=A0Tha= t >> causes way more frustration for everyone than a few "ugly" legacy >> features. =C2=A0If there is a decent technical reason, performance or >> security, then we need to take a hard look at it. =C2=A0In this case, th= e >> thing we should be looking at isn't whether we should remove $_REQUEST >> but whether we should remove cookie data from it. =C2=A0Many configurati= ons >> already do that, including all of my own, and there is a strong valid >> security reason for not including cookies in $_REQUEST. =C2=A0Most peopl= e use >> $_REQUEST to mean GET or POST, not realizing that it could also contain >> cookies and as such bad guys could potentially do some cookie injection >> tricks and break naive applications. But since there is going to be a dramatic change here anyway, this is the perfect time to do it. To me adding namespaces is a lot more scary and will lead to a lot of confusing code... P.S. It looks like you'll be speaking at OSBridge in Portland in a month or so. If I attend I look forward to meeting you and thanking you for PHP :) > Its already fixed in 5.3. There is a new ini option that defines what sho= uld > go into $_REQUEST. See the following blog post for details: > http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-f= orgerieshijacking/ > > Also a lot of work was put into restructuring the php.ini files we ship w= ith > PHP. This is a good step I think; will it be possible to allow it to be empty and have $_REQUEST not exist or even be initialized? Also, you said it yourself in your blog - not caring what is done via GET and POST is bad practice. Why not enforce this in the engine? It makes PHP look insecure when apps have security issues because of poor coding. It's not because PHP itself had a flaw, but to a lot of people, they see "PHPNuke" or know that postnuke runs under PHP, or phpbb, etc - the language -can- enforce better techniques, especially since 5.3 and 6.0 will require some changes in code anyway; this one is a pretty simple change too - Someone could make a function like import_request_variables() but allow it to re-create $_REQUEST and tell people to put it at the top of their scripts or a central include file if they're too lazy to fix their code to be more secure. I for one would love to see this be enforced at the engine level, so that packages I wind up having to use like Wordpress/etc. have been forced to change their logic (hopefully) to go back to $_GET, $_POST etc. Also, I had thought $_REQUEST had included session data too. At least that is not there. Talk about easy exploitation options then! :)