
Fix the bullshit register_globals emulation

1) S is not _SESSION but _SERVER
2) EXTR_OVERWRITE is evil
Stefan Esser
2006-03-22 08:21:01 +00:00
parent bd3f581fe9
commit 45f6a3d87d
+8 -9
@@ -34,30 +34,29 @@ an insecure app.
Here is an example to emulate the session related functions and
a snippet to register variables:
$_register_globals_order = ini_get("variables_order");
$_register_globals_order = strrev(ini_get("variables_order"));
$_register_globals_order_len = strlen($_register_globals_order);
for($_register_globals_i=0;$_register_globals_i<$_register_globals_order_len;$_register_globals_i++) {
switch($_register_globals_order{$_register_globals_i}) {
case "E":
extract($_ENV, EXTR_REFS|EXTR_OVERWRITE);
extract($_ENV, EXTR_REFS|EXTR_SKIP);
break;
case "G":
continue;
extract($_GET, EXTR_REFS|EXTR_SKIP);
break;
case "P":
extract($_POST, EXTR_REFS|EXTR_OVERWRITE);
extract($_POST, EXTR_REFS|EXTR_SKIP);
break;
case "C":
extract($_COOKIE, EXTR_REFS|EXTR_OVERWRITE);
extract($_COOKIE, EXTR_REFS|EXTR_SKIP);
break;
case "S":
if(!isset($_SESSION)) {
continue;
}
extract($_SESSION, EXTR_REFS|EXTR_OVERWRITE);
extract($_SERVER, EXTR_REFS|EXTR_SKIP);
break;
}
}
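Review bot: The `extract(..., EXTR_REFS|EXTR_SKIP)` calls (apparently the new side, since the +/- markers are lost on this page) only protect variables that already exist when the snippet runs. Any global the including script has not initialised by then can still be set from `$_GET`, `$_POST` or `$_COOKIE`. Because `EXTR_REFS` is kept, each extracted name is also a reference into its superglobal array, so a later write to that variable changes the request array as well. I would state both points next to the snippet, e.g. `// EXTR_SKIP never replaces an existing variable, but names not yet initialised are still taken from the request: initialise every global before use`. The surrounding text begins and continues outside this hunk, so it may already carry such a warning.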