Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not


From: Izzy Blacklock
Subject: Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not being submitted)
Date: Sun, 30 Mar 2003 21:30:51 -0700
User-agent: KMail/1.4.3

On Sunday 30 Mar 2003 6:44 pm, Dave Hall wrote:
> Izzy Blacklock <address@hidden> wrote:

> > Thanks Lars,  That was it.  Quite a long road I traveled to come
> > back to this!  :(  I'll add it to my LDAP support howto.  I'll also
> > submit a bug report.
>
> A few points on this:
>
> 1 Register Globals is a well-documented issue - see these google results:
> 161 - http://www.google.com/search?q=register_globals+phpgroupware+site%3Amail.gnu.org&btnG=Google+Search&hl=en&lr=&ie=UTF-8&oe=UTF-8
> 88 - http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=register+globals+phpgroupware+site%3Amail.gnu.org&btnG=Google+Search
>
> 2 The change to register globals was made in php 4.2.0 (released
> 22-Apr-2002 - see http://www.php.net/ChangeLog-4.php), while phpGW
> 0.9.14 branch was created 15-Jan-2003 (see
> http://savannah.gnu.org/forum/forum.php?forum_id=365&group_id=509 )

This may be true, but if you don't know what to look for, you can't find the
answers.  Solutions to known issues need to be documented based on the
symptoms of the problem or people not in the know won't be able to find them.
I for one plan to do my part to make this happen.

>
> 3 We can not add major new functions/code changes after a feature freeze
> or in a bug fix release.
>
> 4 Yes, register_globals = on is a security issue - which we are addressing

No need to get defensive.  I don't think anyone is expecting this to be fixed 
right away.  It will happen eventually.  I've posted the bug report to alert 
developers to the fact that this file is affected and will eventually need 
fixing.  I'm happy with the work around for now.

Perhaps it would be worth documenting which files are affected and how people
could minimize the impact of the potential security issues it may cause.  In
this case, simply turning register_globals back off after you're finished
modifying user accounts would close the door again.  As long as there isn't
anything critical elsewhere that needs it.  If people want to submit details
to me, I'd be happy to start such a document.

> 5 The 0.9.16 API supports our GPC variable sanitizer function "get_var"
> - now it is up to devs to implement it in their apps.
>
> 6 phpGW does not run with safe_mode = on which many hosts now use as the
> default config.  This is something else that will need to be addressed -
> but unlikely in 0.9.16

I don't know what either of these are, but I'm sure I'll eventually learn.  

...Izzy
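The thread turns on two points: why register_globals = on is a security issue (point 4), and the move to reading GET/POST data through an explicit accessor such as phpGW's get_var (point 5). The PHP below is an added example written for this archive page; it is not phpGroupWare code and not from either poster. It contrasts a page that leaves its authorisation flag uninitialised (safe only while register_globals is off, which is exactly why flipping it back on for ldapmodify.php widens the exposure) with a page that reads request data only from the superglobals. The helper get_request_var(), the function names, and the sample account table are assumptions of this example; phpGW's get_var() is mentioned in the thread but its signature is not shown there, so it is not reproduced. register_globals_is_on() wraps the real ini_get() and gives an admin a one-line check that the workaround in the thread (turn the setting back off when done) has actually taken effect.

```php
<?php
// Added example (not phpGroupWare code and not from this thread): code that
// depends on register_globals versus code that reads request data explicitly.
// get_request_var() is a hypothetical helper, not phpGW's get_var().

// Constructed sample account table. The digest is computed at load time so
// no precomputed hash is embedded; real systems store salted password hashes.
$SAMPLE_ACCOUNTS = array(
    'izzy' => hash('sha256', 'constructed-sample-password'),
);

function check_credentials($username, $password)
{
    global $SAMPLE_ACCOUNTS;
    if (!isset($SAMPLE_ACCOUNTS[$username])) {
        return false;
    }
    // hash_equals() compares in constant time (PHP >= 5.6).
    return hash_equals($SAMPLE_ACCOUNTS[$username], hash('sha256', $password));
}

// --- Pattern that is only safe while register_globals = off ---
// $authorized is never initialised by this code. With register_globals = on,
// PHP has already copied every GET/POST/cookie name into the global scope
// before the function runs, so the flag's starting value is chosen by the
// request rather than by the program. With the setting off it starts unset
// (falsy) and the function behaves as its author intended.
function page_implicit_globals()
{
    global $authorized, $username, $password;   // all three come from "somewhere"
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin panel' : 'login form';
}

// --- Explicit pattern: identical behaviour with register_globals on or off ---
function get_request_var($name, $default = null)
{
    // Hypothetical helper: read from the superglobals only, never from the
    // global symbol table, so the ini setting cannot change the result.
    if (isset($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

function page_explicit_request()
{
    $authorized = false;                         // always initialised locally
    $username = (string) get_request_var('username', '');
    $password = (string) get_request_var('password', '');
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'login form';
}

// Runtime check for a status page: true only when the directive is enabled.
// ini_get() returns "" or false when it is off or (PHP >= 5.4) no longer exists.
function register_globals_is_on()
{
    $value = ini_get('register_globals');
    return in_array(strtolower((string) $value), array('1', 'on', 'yes', 'true'), true);
}

// Demonstration with constructed input; no real request is involved.
$_POST = array('username' => 'izzy', 'password' => 'constructed-sample-password');
echo register_globals_is_on() ? "register_globals is ON\n" : "register_globals is off\n";
echo page_explicit_request(), "\n";   // credentials are checked: "admin panel"
echo page_implicit_globals(), "\n";   // nothing imported into globals: "login form"
```

With register_globals off, page_implicit_globals() never sees the POSTed credentials at all, which is the "data not being submitted" symptom from the original subject line; page_explicit_request() keeps working because it asks $_POST directly. The same explicit style is what makes a sanitizer like phpGW's get_var meaningful: once every input passes through one accessor, validation can be applied in one place. In php.ini the directive is `register_globals = Off`, and register_globals_is_on() is a quick way to confirm that a temporary change for account maintenance has been reverted.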
