On Sat, Nov 22, 2003 at 07:03:20AM +0100, Nikola Smolenski wrote:
> On Friday 21 November 2003 12:52, Brion Vibber wrote:
> > If you want an ugly but simple and important job... we'd like to remove
> > our dependency on register_globals (the option, formerly on by default,
> > in which GET/POST parameters and cookies are dumped into the global
> > variable namespace). Since PHP 4.2 this option is off by default, as it
> > can lead to security problems when there's sloppy coding and you use a
> > variable that turns out to be uninitialized -- until someone slips it
> > into a URL or cookie.
> >
> > Moving from the globals to the $_GET and $_POST arrays would let us
> > remove that configuration dependency and potentially clean up some
> > security trouble if there are any more surprises. (Also related to bug
> > #842921)
>
> Perhaps there is something I don't see, but wouldn't it be the easiest to just
> insert before line 21 (global $action, $title...) in wiki.phtml:
>
>   $action=$_GET['action'];
>   $title=$_GET['title'];
>   $search=$_GET['search'];
>   $go=$_GET['go'];
>   $target=$_GET['target'];
>   $printable=$_GET['printable'];
>   $returnto=$_GET['returnto'];
>   $diff=$_GET['diff'];
>   $oldid=$_GET['oldid'];
>
> Then, without any further changes to the source, register_globals could be
> turned off, there would be no configuration dependency, and no security risk
> (no new variables would be accepted). The same should be done for $_POST, of
> course.

I tried that yesterday (using $_REQUEST, so I don't have to worry about
GET/POST) and it's not that easy. There are many additional parameters
passed from various dialogs. E.g. the code above is missing wpTextbox1,
the big textbox you edit the wiki articles in.
I've already got 80% of code working, I think.
Regards,
JeLuF
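
Added example, not part of the original thread and not MediaWiki code: the uninitialized-variable problem Brion describes, next to the explicit import Nikola proposes, extended with the form field JeLuF mentions. Assumptions: extract() stands in for register_globals (later PHP versions removed the option), and the function names, the isSysop variable, the empty-string defaults and the request data are constructed for illustration.

```php
<?php
// Constructed request, standing in for $_GET/$_POST so the script runs from the CLI.
$request = [
    'title'      => 'Main_Page',
    'action'     => 'edit',
    'wpTextbox1' => 'new article text',
    'isSysop'    => '1',  // hypothetical name the application never meant to accept
];

// register_globals=On, emulated: every request key becomes a variable in scope.
function withRegisterGlobals(array $request, bool $sessionIsSysop): bool {
    extract($request);
    if ($sessionIsSysop) {
        $isSysop = true;          // only assigned on this branch, never initialized
    }
    return !empty($isSysop);      // otherwise falls through to the request value
}

// Explicit import: only allowlisted names are read; missing ones get a default.
function importRequest(array $request, array $allowed): array {
    $vars = [];
    foreach ($allowed as $name => $default) {
        $value = $request[$name] ?? $default;
        // Array-valued parameters (?title[]=x) fall back to the default.
        $vars[$name] = is_string($value) ? $value : $default;
    }
    return $vars;
}

function withAllowlist(array $request, bool $sessionIsSysop): bool {
    // Names from the thread; form fields such as wpTextbox1 must be listed too.
    // The empty-string defaults are an assumption of this example.
    $allowed = ['action' => '', 'title' => '', 'search' => '', 'go' => '',
                'target' => '', 'printable' => '', 'returnto' => '', 'diff' => '',
                'oldid' => '', 'wpTextbox1' => ''];
    extract(importRequest($request, $allowed)); // keys are fixed by $allowed
    if ($sessionIsSysop) {
        $isSysop = true;
    }
    return !empty($isSysop);      // the request's isSysop never entered scope
}

var_dump(withRegisterGlobals($request, false));
var_dump(withAllowlist($request, false));
```

The two calls differ only in how request data reaches the function's scope; the allowlist version also shows why every dialog field has to be enumerated before register_globals can be switched off.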