- Subject: Re: Getting the value of environment variables
- From: Jonathan Castello <twisolar@...>
- Date: Sat, 29 May 2010 12:03:32 -0700
On Sat, May 29, 2010 at 11:55 AM, Luiz Henrique de Figueiredo
<lhf@tecgraf.puc-rio.br> wrote:
>> ...Which is a terrible idea, basically emulating PHP's
>> REGISTER_GLOBALS that has led to so many security issues over the years.
>
> Really? I don't see how *reading* an environment variable can be a security
> problem given that you can read it with os.getenv. But of course I don't
> know the first thing about PHP.
>
In PHP, you have $_GET and $_POST hashes that contain the data sent
with the client's request. The register_globals option [1] takes those
arrays and dumps them into the global space, so instead of
$_GET["foo"] you have $foo. The issue is that the client can pollute
your globals this way, such as passing "authenticated=1". If you use
$authenticated somewhere in your code without first initializing it,
that's a bad hole.

In this case, you're not using client data, you're using environment
data, so it's -arguably- less bad. But it can still lead to weird
problems if you happen to use a variable name that's shared by an
environment variable without knowing it, and it can still compromise
the integrity of your script.

~Jonathan
[1] http://php.net/manual/en/security.globals.php
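As an added illustration of the collision Jonathan describes (example code, not from the thread), this Lua snippet puts the "environment variables as globals" pattern next to a stricter global table; the `fake_env` table, `expose_as_globals`, `strict_globals` and `is_authenticated` are constructed for the demo.

```lua
-- Weak pattern: any global lookup that misses falls through to a getenv
-- function, the Lua analogue of PHP's register_globals. In the proposal
-- discussed on the list the source would be os.getenv itself.
local function expose_as_globals(getenv)
  setmetatable(_G, { __index = function(_, name) return getenv(name) end })
end

-- Hardened pattern: a missing global is an error instead of silently
-- becoming nil or environment data; environment values are then only
-- reachable through an explicit os.getenv call that a reviewer can grep for.
local function strict_globals()
  setmetatable(_G, {
    __index = function(_, name)
      error("undeclared global '" .. tostring(name) .. "'", 2)
    end,
  })
end

-- A script that tests a global it never initialized (Jonathan's example).
local function is_authenticated()
  return authenticated == "1"   -- 'authenticated' is never assigned anywhere
end

-- Constructed stand-in for the process environment, so the demo does not
-- depend on or modify the real environment.
local fake_env = { authenticated = "1", HOME = "/home/demo" }
local function fake_getenv(name) return fake_env[name] end

expose_as_globals(fake_getenv)
print(is_authenticated())          -- true: the environment decided the outcome

setmetatable(_G, nil)              -- remove the weak metatable again
strict_globals()
print(pcall(is_authenticated))     -- false plus "undeclared global 'authenticated'"

-- The explicit, auditable way to read the same variable.
print(fake_getenv("authenticated"))  -- "1" (os.getenv("authenticated") for real use)
```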