[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Getting the value of environment variables
- From: Peter Cawley <lua@...>
- Date: Sat, 29 May 2010 20:01:45 +0100
On Sat, May 29, 2010 at 7:55 PM, Luiz Henrique de Figueiredo
<lhf@tecgraf.puc-rio.br> wrote:
>> ...Which is a terrible idea, basically emulating PHP's
>> REGISTER_GLOBALS that has lead to so many security issues over the years.
>
> Really? I don't see how *reading* an environment variable can be a security
> problem given that you can read it with os.getenv. But of course I don't
> know the first thing about PHP.
The reading isn't a security issue, but have extra globals hanging
around is. For example, suppose someone implemented an authentication
system by checking some credentials, then setting some global variable
called AUTHED to true if the credentials are good. Then later in the
code they have things like "if AUTHED then ... end" to control access
to sensitive things. If _G's __index grabs things from the
environment, the user can bypass the authentication system by setting
an environment variable called AUTHED. PHP's REGISTER_GLOBALS was
similar - it grabbed HTTP POST / GET fields from the user, and stuffed
them into the global environment, hence giving the end-user control
over the initial state of global variables.