Posted by Richard Lynch on 04/06/05 08:21
On Wed, March 30, 2005 6:48 am, Jochem Maas said:
>>> I don't really think that's relevant, however, as PHP is storing $name
>>> back *IN* to my $_SESSION data, just because I did:
>>> $name = $_SESSION['name'];
>>> $name = "Fooey";
>>>
>>> $name is a STRING.
>>>
>>> It's not an object.
>>>
>>> It should *NOT* be a Reference!
>>>
>>> But it is a Reference, so changing $name alters $_SESSION['name']
Perhaps I'm being overly paranoid...
Consider the following, however.
Fact: One should not trust $_GET data, and should scrub it.
Fact: I'm on a shared server.
Fact: By definition, if *my* PHP script can read my session data, so can
*another* user's script on that server.
Thus, I had intended to 'scrub' session data with things like:
<?php
session_start();
$name = $_SESSION['name'];
$name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
if ($name != $_SESSION['name']){
  // assume they are Bad People.
}
?>
Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3
making strings into references.
For the short term, I'm trusting session data (but not GET/POST, duh).
I suspect I could do:
$name = '' . $_SESSION['name'];
or somesuch to force the string to not be a reference.
But PHP doesn't *HAVE* strings as references.
I filed a bug report, but sniper's response was pretty much the same
auto-response: "register_globals".
OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???
Am I over-reacting?
I don't think so.
It's a nasty little bug that will completely bypass security measures to
scrub SESSION data, as described above.
I haven't really probed into this, to see how far / long the "reference"
nature of the string extends.
Perhaps the preg_replace would create a copy of the string... Or not. Or
maybe it would depend on if anything got replaced or not. Or...
Sorry to reply so late, but I've been a tad busy lately, and just caught
up on PHP-General tonight. [looks at watch] Errr, make that this
morning, I guess. :-v
--
Like Music?
http://l-i-e.com/artists.htm
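
Added example, not part of the original post or of PHP's own code: it contrasts the scrub-then-compare check when the working variable aliases the stored value with the same check done on a by-value function parameter. The `$session` array, the sample value, the explicit `=&` used to simulate the aliasing, and the helper name `scrub_name` are all assumptions made for illustration.

```php
<?php
// Constructed sample value standing in for a tampered $_SESSION['name'].
$tampered = 'Mallory<script>alert(1)</script>';
$pattern  = '/[^A-Za-z \',\\.-]/';

// Case 1: $name aliases the stored value (simulated with an explicit
// reference), so the scrub is written back before the comparison runs.
$session = array('name' => $tampered);
$name =& $session['name'];
$name = preg_replace($pattern, '', $name);
$aliased_detects = ($name != $session['name']);
unset($name); // drop the alias

// Case 2: hypothetical helper. The parameter is passed by value and the
// result lives in function scope, so the stored value is left untouched.
function scrub_name($raw, $pattern)
{
    $raw   = (string) $raw;
    $clean = preg_replace($pattern, '', $raw);
    return array('clean' => $clean, 'tampered' => ($clean !== $raw));
}

$session = array('name' => $tampered);
$result  = scrub_name($session['name'], $pattern);

printf("aliased check fired:  %s\n", var_export($aliased_detects, true));
printf("function check fired: %s\n", var_export($result['tampered'], true));
printf("stored value intact:  %s\n", var_export($session['name'] === $tampered, true));
```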