Hello,
I think the second argument of parse_str/mb_parse_str
should be changed from optional to mandatory.
parse_str(string encoded_string [, array result])
-> parse_str(string encoded_string , array result)
It is to reduce the risk of vulnerability, and it has neary same risk
as register_globals which is removed from PHP 5.4.
The vulnerability against code injection attack found in a recent
version of
phpMyAdmin is just a example.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2505
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2506
The current implementation of parse_str changes
the active symbol table in the function.
I think that it has the possible security risk like,
http://www.php-security.org/MOPB/MOPB-26-2007.html
The side effect is that thhe old code like parse_str($query_string) should
be changed, but, I think it is good direction to improve the security.
Rui
--
Rui Hirokawa <hirok...@php.net>
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
