Posted by Chris Shiflett on 08/28/05 16:50
Edward Vermillion wrote:
> I was under the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself.
All of that data comes from the server, but it's difficult to determine
which data can be influenced by information within the HTTP request. In
other words, you get it from Apache, but it doesn't always originate there.
I blogged about this a while ago:
http://shiflett.org/archive/98
Read the quiz at the very end, then read Geoff Young's comments.
> I'm curious how 'SERVER_NAME' could be manipulated by the client.
Zeev blogged about this:
http://ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480
Another one that surprises a lot of people is $_SERVER['PHP_SELF']:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
> Is there anything in the $_SERVER array that *can* be considered safe?
Yes, but I've just adopted the habit of considering $_SERVER entirely
tainted. It's too hard to safely distinguish between what's tainted and
what's not, so I think it's best to play it safe and trust nothing.
If you read the above blog at IBM, you'll see that Rasmus disputes
Zeev's claim, and Zeev has to explain further. Regardless of who is
right (Zeev is, in this particular case), if one of the top PHP core
developers gets it wrong, then what hope is there for me? If I consider
all of $_SERVER to be tainted, I don't have to worry about making such a
mistake.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
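The habit Chris describes above, treating every $_SERVER value as tainted rather than deciding key by key, is easy to put into code. The following is an added example, not code from the thread or from any of the linked posts; the function names and the constructed $_SERVER array are assumptions. It shows the PHP_SELF pattern the linked "XSS Woes" post warns about next to the same markup generated through a single escaping helper that is applied to any $_SERVER key, whether or not that key looks "safe".

```php
<?php
// Added example (not from the thread): route every $_SERVER value through
// one escaping helper before it reaches HTML, so no code path has to
// decide whether a given key originated with the server or the request.
// Function names and sample values are assumptions for illustration.

declare(strict_types=1);

/**
 * Escape any $_SERVER value for use inside an HTML attribute or text node.
 * A missing key yields '' rather than a notice, so callers never branch on
 * "was this key set by Apache or derived from the request".
 */
function server_html(array $server, string $key): string
{
    $value = $server[$key] ?? '';
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern the XSS post warns about: PHP_SELF echoed into markup raw. */
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

/** Same markup, with the value escaped like every other $_SERVER entry. */
function form_action_safe(array $server): string
{
    return '<form action="' . server_html($server, 'PHP_SELF') . '" method="post">';
}

/** SERVER_NAME gets the same treatment; see Zeev's post on why. */
function page_title(array $server): string
{
    return '<title>' . server_html($server, 'SERVER_NAME') . '</title>';
}

// Constructed request (assumption): extra path info appended to the script
// name ends up in PHP_SELF, carrying a quote and a tag.
$server = [
    'PHP_SELF'    => '/index.php/"><em>untrusted</em>',
    'SCRIPT_NAME' => '/index.php',
    'SERVER_NAME' => 'example.com',
];

echo form_action_unsafe($server), "\n";
echo form_action_safe($server), "\n";
echo page_title($server), "\n";
```

Run it with `php` on the command line. The first line shows the attribute terminated early by the embedded quote and the `<em>` element landing in the page as markup; the second line shows the same value with `"` rendered as `&quot;` and the angle brackets as `&lt;`/`&gt;`, so the attribute stays intact. Because `page_title()` uses the same helper for SERVER_NAME, nobody has to remember later whether that key is safe.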