Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:55357 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71041 invoked from network); 11 Sep 2011 04:31:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Sep 2011 04:31:50 -0000 Authentication-Results: pb1.pair.com smtp.mail=rui_hirokawa@yahoo.co.jp; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rui_hirokawa@yahoo.co.jp; sender-id=pass; domainkeys=good Received-SPF: pass (pb1.pair.com: domain yahoo.co.jp designates 114.111.99.167 as permitted sender) DomainKey-Status: good X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: rui_hirokawa@yahoo.co.jp X-Host-Fingerprint: 114.111.99.167 smtp506.mail.kks.yahoo.co.jp Received: from [114.111.99.167] ([114.111.99.167:42799] helo=smtp506.mail.kks.yahoo.co.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 06/72-45650-2B93C6E4 for ; Sun, 11 Sep 2011 00:31:49 -0400 Received: (qmail 30533 invoked by alias); 11 Sep 2011 04:31:41 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.jp; s=yj20050223; t=1315715501; bh=N3zZlc8CO7uu+LTgWj1P/YExL65iTv1IEjW3MM42dDk=; h=Received:X-Apparently-From:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding; b=i8GxSwnCxH+BAshGulSdTCVkeXf1zPzFyVB/slV3el6AORR4ocZnORH3E5LKPkcz1hHMhNksCGPMuc0EaKb9+lW28HNKokSYneU7x9jXNq0KCe7mTcRhFnFtZKvm7Uri DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=yj20050223; d=yahoo.co.jp; h=Received:X-Apparently-From:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding; b=Wt1UJrcZDWErbhBq7pbZVWbr8vu6a6rcRGguswgT3G60NHWgoMJrLRp/NIxBdoLC0WJTPNAHVmFJXlRcm+h87U9w/iDDQNkrqitPTHurHT8iGrcsKyVRHY5tDkDXwldA ; Received: from unknown (HELO flight.example.com) (220.144.117.47 with plain) by smtp506.mail.kks.yahoo.co.jp with SMTP; 11 Sep 2011 04:31:41 -0000 X-Apparently-From: Message-ID: <4E6C39AC.3000607@yahoo.co.jp> Date: Sun, 11 Sep 2011 13:31:40 +0900 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13 MIME-Version: 1.0 To: internals@lists.php.net Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: proposal for change the argument of parse_str/mb_parse_str From: rui_hirokawa@yahoo.co.jp (Rui Hirokawa) Hello, I think the second argument of parse_str/mb_parse_str should be changed from optional to mandatory. parse_str(string encoded_string [, array result]) -> parse_str(string encoded_string , array result) It is to reduce the risk of vulnerability, and it has neary same risk as register_globals which is removed from PHP 5.4. The vulnerability against code injection attack found in a recent version of phpMyAdmin is just a example. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2505 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2506 The current implementation of parse_str changes the active symbol table in the function. I think that it has the possible security risk like, http://www.php-security.org/MOPB/MOPB-26-2007.html The side effect is that thhe old code like parse_str($query_string) should be changed, but, I think it is good direction to improve the security. Rui -- Rui Hirokawa