Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not being submitted)


From: Dave Hall
Subject: Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not being submitted)
Date: Mon, 31 Mar 2003 15:50:00 +1000

Izzy Blacklock <address@hidden> wrote:

> On Sunday 30 Mar 2003 6:44 pm, Dave Hall wrote:
> > Izzy Blacklock <address@hidden> wrote:
> >
> > > Thanks Lars,  That was it.  Quite a long road I traveled to come
> > > back to this!
> > >
> > > :(  I'll add it to my LDAP support howto.  I'll also submit a bug
> > > report.
> >
> > A few points on this:
> >
> > 1 Register Globals is a well documented issue - see these google
> > results:
> > 161 - http://www.google.com/search?q=register_globals+phpgroupware+site%3Amail.gnu.org&btnG=Google+Search&hl=en&lr=&ie=UTF-8&oe=UTF-8
> > 88 - http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=register+globals+phpgroupware+site%3Amail.gnu.org&btnG=Google+Search
> >
> > 2 The change to register globals was made in php 4.2.0 (released
> > 22-Apr-2002 - see http://www.php.net/ChangeLog-4.php), while phpGW
> > 0.9.14 branch was created 15-Jan-2003 (see
> > http://savannah.gnu.org/forum/forum.php?forum_id=365&group_id=509 )
> 
> This may be true, but if you don't know what to look for, you can't find the
> answers.  Solutions to known issues need to be documented based on the
> symptoms of the problem or people not in the know won't be able to find them.
> I for one plan to do my part to make this happen.

Oh I forgot to mention - it is in
phpgroupware/phpgwapi/doc/php-configuration.txt


>
> > 3 We can not add major new functions/code changes after a feature freeze
> > or in a bug fix release.
> >
> > 4 Yes, register_globals = on is a security issue - which we are addressing
>
> No need to get defensive.  I don't think anyone is expecting this to be fixed
> right away.  It will happen eventually.  I've posted the bug report to alert
> developers to the fact that this file is affected and will eventually need
> fixing.  I'm happy with the workaround for now.
>
> Perhaps it would be worth documenting which files are affected and how people
> could minimize the impact of the potential security issues it may cause.  In
> this case, simply turning register_globals back off after you're finished
> modifying user accounts would close the door again.  As long as there isn't
> anything critical elsewhere that needs it.  If people want to submit details
> to me, I'd be happy to start such a document.
>
> > 5 The 0.9.16 API supports our GPC variable sanitizer function "get_var"
> > - now it is up to devs to implement it in their apps.
> >
> > 6 phpGW does not run with safe_mode = on which many hosts now use as the
> > default config.  This is something else that will need to be addressed -
> > but unlikely in 0.9.16
>
> I don't know what either of these are, but I'm sure I'll eventually learn.
>
> 
> ...Izzy
> 
> 
> 
> _______________________________________________
> Phpgroupware-users mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/phpgroupware-users
> 

Attachment: dave.hall.vcf
Description: Card for <dave.hall@mbox.com.au>
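The thread's advice is to leave register_globals off and only switch it on briefly for a script that still depends on it. The following is an added example, not code from phpGroupWare or from anyone in this thread, of how an account-update script can be written so that it never needs register_globals at all: every input is read by name from a superglobal, every control variable is initialised before use, and the script refuses to run if the directive has been turned back on. The field names (`uid`, `mail`), the session flag `phpgw_is_admin`, the LDAP host, base DN and admin credentials are all constructed for the illustration, and `request_string()` is a hypothetical helper, not phpGW's `get_var`.

```php
<?php
// Added example, not phpGroupWare code: an account-update handler written
// to work with register_globals = off, so the directive never has to be
// switched on for it.  Field names, the session key and the LDAP host,
// base DN and credentials are constructed for the illustration.

// 1. Refuse to run if register_globals has been turned back on, so that the
//    hardened default cannot be reverted "for one script" and forgotten.
if (ini_get('register_globals')) {
    error_log('account_update: register_globals is on, refusing to run');
    header('HTTP/1.0 500 Internal Server Error');
    exit('server misconfiguration');
}

// 2. Hypothetical GPC helper in the spirit of a sanitizer: the value comes
//    only from the named superglobal (never from a bare global), is bounded
//    in length and matched against a whitelist pattern.  Returns null when
//    the field is missing or rejected.
function request_string(array $source, $name, $pattern, $maxlen)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    if (strlen($value) > $maxlen || !preg_match($pattern, $value)) {
        return null;
    }
    return $value;
}

// 3. Initialise every control variable before use and take it from the
//    session, not from an unset global.  Under register_globals = on an
//    uninitialised $is_admin could have been pre-populated from the
//    request; assigning it first makes the script behave the same either way.
session_start();
$is_admin = !empty($_SESSION['phpgw_is_admin']);   // assumed session flag
if (!$is_admin) {
    header('HTTP/1.0 403 Forbidden');
    exit('administrator access required');
}

// 4. Read the form fields explicitly from $_POST with tight patterns.
$uid  = request_string($_POST, 'uid',  '/^[a-z][a-z0-9._-]{0,31}$/', 32);
$mail = request_string($_POST, 'mail', '/^[^@\s]+@[^@\s]+\.[^@\s]+$/', 254);
if ($uid === null || $mail === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid uid or mail');
}

// 5. Apply the change.  The uid was restricted to a character set that
//    needs no DN escaping, so it can be placed in the DN directly.
$ldap = ldap_connect('ldap.example.org');          // constructed host
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$admin_dn = 'cn=admin,dc=example,dc=org';          // constructed bind DN
if (!$ldap || !ldap_bind($ldap, $admin_dn, getenv('LDAP_ADMIN_PW'))) {
    error_log('account_update: LDAP bind failed');
    header('HTTP/1.0 500 Internal Server Error');
    exit('directory unavailable');
}
$dn = "uid=$uid,ou=People,dc=example,dc=org";      // constructed base DN
if (!ldap_mod_replace($ldap, $dn, array('mail' => $mail))) {
    error_log('account_update: ldap_mod_replace failed for ' . $dn
              . ': ' . ldap_error($ldap));
    header('HTTP/1.0 500 Internal Server Error');
    exit('update failed');
}
ldap_unbind($ldap);
echo 'mail attribute updated for ', htmlspecialchars($uid);
```

Because every input the script uses is named explicitly and every decision variable is assigned before it is read, the script runs identically with register_globals on or off, which is exactly what makes "turn it back off afterwards" safe: nothing in the script will silently start depending on the directive again.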

