[nycphp-talk] $_SERVER['PHP_SELF'} not working?
Hans Zaunere
lists at zaunere.com
Thu Jul 21 10:26:13 EDT 2005
> > > > > > More importantly, PHP_SELF can be tainted by users. Don't
> > > > > > assume it's safe.
> > > > > >
> > > > > >
> > > > >
> > > > > Hmm. How does $_SERVER['PHP_SELF'] get tainted by users?
> > > > >
> > > >
> > > > By appending parameters to the uri you're requesting, i.e.
> > > > requesting
> > > >
> > > > http://example.com/?$BAD_STUFF_HERE
> > > >
> > >
> > >
> > > Not in PHP 5.0.4 -- PHP_SELF is only the relative filename of the
> > > script called by the webserver, no query information is attached.
>
> My example was flawed, but the same case still works. Apache allows
> the use of '/' as an IFS, so you can do
>
> http://www.example.com/index.php/$BAD_STUFF_HERE and it will appear
> in full form in PHP_SELF.
And PHP_SELF depends on the configuration of Apache, too, as it will change depending on certain directives. I'm a fan of SCRIPT_NAME...
---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org
AMP Technology
Supporting Apache, MySQL and PHP
More information about the talk
mailing list