Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58048 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76273 invoked from network); 24 Feb 2012 23:10:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Feb 2012 23:10:55 -0000 Authentication-Results: pb1.pair.com header.from=larry@garfieldtech.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=larry@garfieldtech.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain garfieldtech.com from 66.111.4.29 cause and error) X-PHP-List-Original-Sender: larry@garfieldtech.com X-Host-Fingerprint: 66.111.4.29 out5-smtp.messagingengine.com Received: from [66.111.4.29] ([66.111.4.29:46916] helo=out5-smtp.messagingengine.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 3A/F2-17132-EF8184F4 for ; Fri, 24 Feb 2012 18:10:55 -0500 Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id C669720E52 for ; Fri, 24 Feb 2012 18:10:52 -0500 (EST) Received: from frontend1.nyi.mail.srv.osa ([10.202.2.160]) by compute3.internal (MEProxy); Fri, 24 Feb 2012 18:10:52 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; s=smtpout; bh=eEiw+ByCpGYSfdjjhpnPNP XKTPs=; b=EQR6iCI3/zpyeu5BWzH2F42kPbvD8ILI2oiGcadhckF9X95Pn7fob0 FI4iM6uAFOmgeI6rqOAoWLwjTzcjgjYTBq3tmntE7qqJuIm2iUAJb3104TIK1ByE D7b918Pv4/L6PhWAim6NpcgFqvXT0nqmr1utGxFjo2GAfU6SGJEww= X-Sasl-enc: 8IHuBKny4YCpX6wATheNx1tdBc53k811suIJgCUtUAXh 1330125052 Received: from garfield.ad.palantir.net (unknown [209.41.114.202]) by mail.messagingengine.com (Postfix) with ESMTPSA id 8C8328E009B for ; Fri, 24 Feb 2012 18:10:52 -0500 (EST) Message-ID: <4F4818FC.9020104@garfieldtech.com> Date: Fri, 24 Feb 2012 17:10:52 -0600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2 MIME-Version: 1.0 To: internals@lists.php.net References: <8D8E9A0839FE464FBBDF2B499DAFA596@gmail.com> <88ad33db205558862288b3114ef4c391.squirrel@www.l-i-e.com> <4F480C5B.30606@garfieldtech.com> <96462fbc4e243e75b11b455624ac4140.squirrel@www.l-i-e.com> <4F4811E6.4050201@garfieldtech.com> <4F48153C.7040406@garfieldtech.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] $_PARAMETERS Super Global Object From: larry@garfieldtech.com (Larry Garfield) On 2/24/12 5:04 PM, Ronald Chmara wrote: > On Fri, Feb 24, 2012 at 2:54 PM, Larry Garfield wrote: >> On 2/24/12 4:48 PM, Ronald Chmara wrote: >>> >>> On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield >>>> Except that per HTTP, GET and POST are completely different operations. >>>> One >>>> is idempotent and cacheable, the other is not idempotent and not >>>> cacheable. >>>> I very much care which someone is using. >>> People exploiting security would *never* think of >>> caching/replaying/modifying a POST request, that's just totally >>> unimaginable! It would take, like HUGE computational effort to like, >>> cURL it or just type it out! >>> er, no. >> Please point out where I said that POST not a security risk. I am quite >> sure I typed no such thing, so how you read such a thing I do not know. I >> am genuinely curious to see how you managed to interpret anything I said as >> "POST is secure because it won't be cached". > > Well, I didn't actually say that you said any such thing. I picked up on: > "the other is not idempotent and not cacheable" > ...which is obviously false, and I highlighted, in a security context, > how POSTs are cached, and should be treated with equal distrust as > GET, because both are suspect, user submitted, forms of data, subject > to exploiting. > > -Ronabop When systems are behaving properly, POST is not cached. I was referring to the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5 "Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields. However, the 303 (See Other) response can be used to direct the user agent to retrieve a cacheable resource." So strictly speaking its the response to a POST that is not (by default) cached. From a security perspective, yes, all incoming data should be viewed as a threat until proven otherwise, regardless of what part of the HTTP request it comes from or what superglobal PHP marshals it into by default. --Larry Garfield