Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Why does $_REQUEST exist?
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: Michael Shadle
Cc: Rasmus Lerdorf, PHP Development
Date: Fri, 15 May 2009 22:25:53 +0200
References: <4A0C9516.8060808@gmail.com> <4A0D2648.3050802@lerdorf.com>

On 15.05.2009, at 19:14, Michael Shadle wrote:

> On Fri, May 15, 2009 at 1:32 AM, Lukas Kahwe Smith wrote:
>
>>> The more stuff like this we remove, the harder it becomes for people to
>>> quickly move to newer, faster and more secure versions of PHP. That
>>> causes way more frustration for everyone than a few "ugly" legacy
>>> features. If there is a decent technical reason, performance or
>>> security, then we need to take a hard look at it. In this case, the
>>> thing we should be looking at isn't whether we should remove $_REQUEST
>>> but whether we should remove cookie data from it. Many configurations
>>> already do that, including all of my own, and there is a strong valid
>>> security reason for not including cookies in $_REQUEST. Most people use
>>> $_REQUEST to mean GET or POST, not realizing that it could also contain
>>> cookies and as such bad guys could potentially do some cookie injection
>>> tricks and break naive applications.
>
> But since there is going to be a dramatic change here anyway, this is
> the perfect time to do it. To me adding namespaces is a lot more scary
> and will lead to a lot of confusing code...

Confusing new code is totally different from breaking existing code.

>> It's already fixed in 5.3. There is a new ini option that defines what
>> should go into $_REQUEST. See the following blog post for details:
>> http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/
>>
>> Also a lot of work was put into restructuring the php.ini files we ship
>> with PHP.
>
> This is a good step I think; will it be possible to allow it to be
> empty and have $_REQUEST not exist or even be initialized?
>
> Also, you said it yourself in your blog - not caring what is done via
> GET and POST is bad practice. Why not enforce this in the engine?

Just FYI: Not sure which blog you are talking about, but that is Stefan
Esser's blog that is linked above.

> Also, I had thought $_REQUEST had included session data too. At least
> that is not there. Talk about easy exploitation options then! :)

Indeed, that would have been insane.

regards,
Lukas Kahwe Smith
mls@pooteeweet.org
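The thread above describes two things without showing them: how a cookie ends up overriding a GET or POST field inside $_REQUEST, and how the PHP 5.3 ini option fixes it. The following is an added example, not code from the thread or from PHP itself, written for PHP 7 or later. It emulates the merge PHP performs when it fills $_REQUEST from the sources named in an order string (the real directive is `request_order`, documented since PHP 5.3; later letters in the string overwrite earlier ones). The function and variable names (`build_request`, `naive_action`, `explicit_action`) and the sample request contents are constructed for the example.

```php
<?php
// Added example (not part of the mailing-list thread): emulates how PHP
// fills $_REQUEST from GET, POST and COOKIE according to an order string
// such as the one the request_order ini directive takes. Later sources in
// the string overwrite earlier ones, which is why a trailing "C" lets a
// cookie override a form field of the same name.

/**
 * Build a $_REQUEST-style array from the three sources in the given order.
 * Letters: G = $_GET, P = $_POST, C = $_COOKIE. Unknown letters are ignored.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: the right-hand array's values win
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Naive handler of the kind the thread describes: it reads 'action' from
 * the merged request, assuming the value came from GET or POST.
 */
function naive_action(array $request): string
{
    return $request['action'] ?? 'view';
}

/**
 * Hardened handler: reads only the sources it actually means, so cookie
 * contents cannot select the branch, whatever request_order is set to.
 */
function explicit_action(array $get, array $post): string
{
    return $post['action'] ?? $get['action'] ?? 'view';
}

// Constructed sample request: the submitted form field says "view", but a
// cookie with the same name says "delete".
$get    = ['id' => '42'];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete'];

// Legacy ordering where cookies are merged last and therefore win.
$legacy = build_request($get, $post, $cookie, 'GPC');
printf("order GPC -> naive handler runs: %s\n", naive_action($legacy));

// Ordering without cookies, as request_order = "GP" gives in PHP 5.3+.
$modern = build_request($get, $post, $cookie, 'GP');
printf("order GP  -> naive handler runs: %s\n", naive_action($modern));

// Reading the intended source directly is unaffected either way.
printf("explicit GET/POST -> handler runs: %s\n", explicit_action($get, $post));
```

The corresponding php.ini line is `request_order = "GP"`, which keeps cookies out of $_REQUEST entirely; the stricter fix, as the thread's second half argues, is for application code to read `$_GET` and `$_POST` explicitly rather than rely on the merged array at all.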