On Wed, March 30, 2005 6:48 am, Jochem Maas said:

>>> I don't really think that's relevant, however, as PHP is storing $name
>>> back *IN* to my $_SESSION data, just because I did:
>>> $name = $_SESSION['name'];
>>> $name = "Fooey";
>>>
>>> $name is a STRING.
>>>
>>> It's not an object.
>>>
>>> It should *NOT* be a Reference!
>>>
>>> But it is a Reference, so changing $name alters $_SESSION['name']

Perhaps I'm being overly paranoid... Consider the following, however.

Fact: One should not trust $_GET data, and should scrub it.
Fact: I'm on a shared server.
Fact: By definition, if *my* PHP script can read my session data, so can *another* user's script on that server.

Thus, I had intended to 'scrub' session data with things like:

<?php
  session_start();
  $name = $_SESSION['name'];
  // strip anything outside the allowed character set
  $name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
  if ($name != $_SESSION['name']) {
    // assume they are Bad People.
  }
?>

Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3 making strings into references.

For the short term, I'm trusting session data (but not GET/POST, duh).

I suspect I could do:

  $name = '' . $_SESSION['name'];

or somesuch to force the string to not be a reference. But PHP doesn't *HAVE* strings as references.

I filed a bug report, but sniper's response was pretty much the same auto-response: "register_globals". OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???

Am I over-reacting? I don't think so. It's a nasty little bug that will completely bypass security measures to scrub SESSION data, as described above.

I haven't really probed into this, to see how far / long the "reference" nature of the string extends. Perhaps the preg_replace would create a copy of the string... Or not. Or maybe it would depend on if anything got replaced or not. Or...

Sorry to reply so late, but I've been a tad busy lately, and just caught up on PHP-General tonight. [looks at watch] Errr, make that this morning, I guess. :-v

-- 
Like Music?
http://l-i-e.com/artists.htm
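A read-only way to validate the session value, added here as an example (not code from the original message or from PHP itself): preg_match inspects the value without ever assigning to a local variable, so the write-back behaviour described above has nothing to act on. The length bound, the helper name and the sample sessions are assumptions constructed for the illustration.

```php
<?php
// Added example, not code from the original message.
// Validate a session value with a read-only whitelist check instead of
// scrub-and-compare. preg_match never assigns to $name, so even if a local
// variable aliased $_SESSION['name'] (the behaviour described in the
// message), there is no write that could leak back into the session.

function session_value_is_clean(array $session, string $key, string $pattern): bool
{
    // Missing or non-string values are treated as tampered.
    if (!array_key_exists($key, $session) || !is_string($session[$key])) {
        return false;
    }
    // Anchored whitelist: every character must be permitted.
    return preg_match($pattern, $session[$key]) === 1;
}

// Same character class as the message's preg_replace, now anchored and
// bounded. The 64-character maximum is an assumed limit; the D modifier
// keeps '$' from matching before a trailing newline.
$namePattern = '/^[A-Za-z \',.-]{1,64}$/D';

// Constructed sample sessions for illustration.
$samples = [
    'clean'      => ['name' => "O'Brien, Jean-Luc"],
    'tampered'   => ['name' => "Jean-Luc <42>"],
    'wrong type' => ['name' => ['not', 'a', 'string']],
    'missing'    => [],
];

foreach ($samples as $label => $session) {
    $verdict = session_value_is_clean($session, 'name', $namePattern) ? 'ok' : 'reject';
    printf("%-10s => %s\n", $label, $verdict);
}
```

Because the check only reads, it stays correct whether or not the local variable turns out to be a copy; a strict comparison (===) is likewise preferable to != if the scrub-and-compare pattern is kept.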