Peter Brodersen wrote:
> On Mon, 23 Oct 2006 10:38:31 -0700, in php.internals
> [EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
> > I had left out SERVER filtering in the initial version for much the same
> > reasoning, but it turns out that a good chunk of holes were due to the
> > fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying to
> > teach people which SERVER vars are safe and which aren't isn't a fun
> > task and the whole point of the filter extension is to take away the
> > guessing game.
> More well-known, the same goes for the HTTP headers populated in
> _SERVER as well, even though some might be less obvious than others.
> HTTP_HOST could be tainted as well in some cases where a DNS entry and
> ServerAlias of *.example.com exists.
Actually, by using the Flash hack, you don't need wildcard DNS to
exploit that one. As anybody who has seen my ranting lately can attest
to, name-based virtual hosting is completely broken until we get
everyone onto Flash9.
-Rasmus
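As an added illustration of the point made in this exchange (not code from the thread or from the filter extension itself): the unfiltered $_SERVER['REQUEST_URI'] use beside its filter_input form, plus an allowlist check for the client-supplied HTTP_HOST. The hostnames and the function names are assumed placeholders.

```php
<?php
// Added example for this thread; not code from php.internals or the filter
// extension. Assumes the filter extension is loaded; ALLOWED_HOSTS is a
// hypothetical allowlist for the site being protected.

// The unfiltered pattern blamed for "a good chunk of holes": REQUEST_URI is
// the raw request line, so this reflects whatever bytes the client sent.
function selfLinkUnfiltered(): string
{
    return '<a href="' . $_SERVER['REQUEST_URI'] . '">this page</a>';
}

// Same link, but the value is escaped at the point of access by the filter
// extension, so no caller has to remember which SERVER vars are untrusted.
// filter_input() returns null when the variable is absent and false on a
// failed filter; both fall back to "/".
function selfLinkFiltered(): string
{
    $uri = filter_input(INPUT_SERVER, 'REQUEST_URI', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    return '<a href="' . ($uri ?: '/') . '">this page</a>';
}

// HTTP_HOST is just the client's Host header. With a wildcard ServerAlias, or
// a client that can send an arbitrary Host header, it is attacker-chosen, so
// never derive absolute URLs from it directly; match it against a fixed
// allowlist and fall back to the canonical name otherwise.
const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // hypothetical

function canonicalHost(?string $hostHeader, string $fallback = 'www.example.com'): string
{
    if ($hostHeader === null) {
        return $fallback;
    }
    // Drop an optional :port suffix and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    return in_array($host, ALLOWED_HOSTS, true) ? $host : $fallback;
}

// Build an absolute URL (e.g. for a link sent by e-mail) from the validated
// host only, never from the raw header.
function absoluteUrl(string $path): string
{
    $host = canonicalHost(filter_input(INPUT_SERVER, 'HTTP_HOST', FILTER_UNSAFE_RAW));
    return 'https://' . $host . $path;
}

// Constructed inputs, as a caller would see them:
assert(canonicalHost('WWW.Example.com:8080') === 'www.example.com');
assert(canonicalHost('attacker-chosen.example.net') === 'www.example.com'); // rejected
assert(canonicalHost(null) === 'www.example.com');                            // header absent
```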
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php