|
|
Posted by petersprc on 11/24/06 04:05
Description of PHP_SELF:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
petersprc wrote:
> You are right that PHP_SELF doesn't include any of the query part. But
> still, outputting an unsanitized PHP_SELF would be a problem and could
> lead to an XSS vulnerability, because the client can usually include
> arbitrary text in the PATH_INFO part. If you use htmlentities, it
> should pretty much address that potential problem.
>
> Jim Carlock wrote:
> > Jim Carlock wrote...
> > : After messing with a few things I noticed 'PHP_SELF'
> > : returns the page name without the $_GET query strings...
> > :
> > : http://blog.phpdoc.info/archives/13-XSS-Woes.html
> >
> > "petersprc" stated...
> > : When using PHP_SELF, I would suggest encoding it appropriately.
> > : For instance:
> > :
> > : <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
> > :
> > : In a request to /home.php/a/b/c/d?p=q, your variables would usually
> > : be:
> > :
> > : REQUEST_URI: /home.php/a/b/c/d?p=q
> > : SCRIPT_NAME: /home.php
> > : PATH_INFO: /a/b/c/d
> > : QUERY_STRING: p=q
> > : PHP_SELF: /home.php/a/b/c/d
> > :
> > : An inbound link could put some unsafe code in the PATH_INFO
> > : part, so it's good to encode it when outputting it as HTML.
> >
> > Good information. Thanks Peter. Maybe it was an Apache bug fixed
> > by Apache 1.3.37?
> >
> > Another thing that occurs, PHP_ERR.LOG files show up when
> > the temporary directory gets deleted, in other words when the
> > temporary folder goes bye bye, "php_err.log" files start appearing
> > in the folders of the website which uses $_SESSION variables.
> > I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).
> >
> > Comments are appreciated.
> >
> > Thanks.
> >
> > --
> > Jim Carlock
[Back to original message]
|