Lukas Kahwe Smith wrote:
> 
> On 15.05.2009, at 10:22, Rasmus Lerdorf wrote:
> 
>> Michael Shadle wrote:
>>> On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham <nrix...@gmail.com>
>>> wrote:
>>>
>>>> bc? all the reasoning in the world won't justify it to 1 million
>>>> businesses
>>>> running php 4 code which is reliant on $_REQUEST behind the scenes.
>>>>
>>>> although it would generate a tonne of freelance work :p
>>>
>>> that code has to change for 5.3 or 6.0 anyway.
>>>
>>> now is the time to yank out some of the legacy crap. we don't want PHP
>>> to be like windows, do we?
>>
>> The more stuff like this we remove, the harder it becomes for people to
>> quickly move to newer, faster and more secure versions of PHP.  That
>> causes way more frustration for everyone than a few "ugly" legacy
>> features.  If there is a decent technical reason, performance or
>> security, then we need to take a hard look at it.  In this case, the
>> thing we should be looking at isn't whether we should remove $_REQUEST
>> but whether we should remove cookie data from it.  Many configurations
>> already do that, including all of my own, and there is a strong valid
>> security reason for not including cookies in $_REQUEST.  Most people use
>> $_REQUEST to mean GET or POST, not realizing that it could also contain
>> cookies and as such bad guys could potentially do some cookie injection
>> tricks and break naive applications.
> 
> 
> It's already fixed in 5.3. There is a new ini option that defines what
> should go into $_REQUEST. See the following blog post for details:
> http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/
> 
> 
> Also a lot of work was put into restructuring the php.ini files we ship
> with PHP.

Right, I obviously know that; I should have explained better.  What I
meant by removing cookie data from $_REQUEST was to never allow it at
all.  Right now you have to set request_order to "GP" in order to not
get it.  If, like most people, you upgrade and use the same php.ini file
as before, then we default back to variables_order which has always
included cookie data by default.  So, as much as I appreciate the work
that has gone into the new recommended php.ini settings, we all know
that most people completely ignore our .ini suggestions and go with
whatever their distro chooses or whatever they have had in there since
their PHP4 days.  My prediction is that the bulk of people after
upgrading to 5.3 will still have cookies in their $_REQUEST.

-Rasmus
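As an added illustration of the configuration issue Rasmus describes (example code, not from the thread or from PHP's own sources): this PHP snippet computes which source order PHP will actually use to build $_REQUEST, flags the case where cookie data (C) is included, and shows an accessor that reads only GET and POST so a cookie named like a form field cannot shadow the real value. It assumes PHP 5.3 or later, where the request_order ini setting exists.

```php
<?php
// Added example (not part of the mailing-list thread).
//
// php.ini, the setting this thread is about:
//   weak (or simply absent, so the old php.ini still applies):
//     request_order =            ; empty: fall back to variables_order
//     variables_order = "EGPCS"  ; C = cookies end up in $_REQUEST
//   hardened, as shipped in the 5.3 recommended ini:
//     request_order = "GP"
//
// $_REQUEST is populated left to right, later sources overwriting earlier
// ones, so with "...PC" a cookie overrides a POST or GET value of the same
// name. That is the "cookie injection" trick against naive applications.

function effective_request_order(): string {
    // request_order wins when set; otherwise PHP uses variables_order,
    // whose historical default "EGPCS" includes cookie data.
    $order = ini_get('request_order');
    if ($order === false || $order === '') {
        $order = (string) ini_get('variables_order');
    }
    return $order;
}

function request_includes_cookies(): bool {
    return stripos(effective_request_order(), 'C') !== false;
}

// Explicit accessor: only GET and POST, POST taking precedence (the "GP"
// semantics), independent of whatever the server's php.ini says.
function request_param(string $name, ?string $default = null): ?string {
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

// Startup check a deployment can run once; $_REQUEST is built at request
// start, so the fix has to be made in php.ini, not via ini_set().
if (request_includes_cookies()) {
    error_log('warning: $_REQUEST includes cookie data (effective order "'
        . effective_request_order() . '"); set request_order = "GP" in php.ini');
}
```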

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php