register_globals is enabled [#754868]

I was trying to install a test installation om Drupal 7. Can't make it pass the "Verify requirements" step.

"register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings."

I am hosted at one of Swedens best hosting companies. The have register_globals is enabled. How can I convince them to turn it off? Why is this so important to Drupal that I can't even install Drupal? This is a complete show-stopper for me.

Comments

Comment #1

joecanti commented 27 March 2010 at 16:59

Comment #2

joecanti commented 27 March 2010 at 16:59

I get that with Drupal 6 on Hostgator - and Hostgator is a very good host in my opinion. I just turn it off - its easy to do yourself if you have access to php.ini - if your host has cPanel there is a Quick config for php.ini where you can just turn the button off - if not you can ask your host to turn it off in the php.ini file. I've no idea why it causes a security risk, but i dont think its just D7.

Are you new to Drupal or have you been using D6 on the same host?

hope this helps, Joe

Comment #3

Boletus commented 27 March 2010 at 17:41

I use drupal 6, yes. And version 5.

I have no cPanel. They have their own control panel. I have contacted the hosting support but they haven't replied. Tried to use my own php.ini file but that did not work.

Comment #4

joecanti commented 27 March 2010 at 19:38

Have you looked at this post: http://drupal.org/node/210311

There might be a way to get round it by adding a line to your htaccess. There are also some other solutions there.

Comment #5

Boletus commented 28 March 2010 at 10:31

Yes thanks, I disabled the globals check in the system.install file. I do feel that this Drupal 7 install show stopper is a bit over-nervous from the developers. I was only trying to test drive the dev version of Drupal. If I don't write unsecure code additions to the Drupal files, there can't surely be any security risks? Or is Drupal 7 written in a way that makes it more vulnerable than other software in a PHP environment where register globals is set to ON?

Comment #6

joecanti commented 28 March 2010 at 19:06

Glad you got to the bottom of it.

i think given the popularity of Drupal, the diverseness of websites produced and the amount of people who will try to hack it they probably have good reason to want register globals off.

I mean, if someone discovers a flaw in the system just think how many thousands of websites they'd have access to, so I'm glad the Drupal coders do all they can when it comes to security. Doesnt matter if you're testing the dev version or running a huge website - the security has to be the same across the board.

Comment #7

flefle commented 15 December 2011 at 19:52

Status:

Active

» Fixed

NEVER HACK THE CORE. You might read that before. First make sure that you can provide your basic Drupal the necessary basic platform and than install it. Yes register globals is a security setting. You can set your apache with php.ini, control panel or ini_set(); (or another shell script).

Issue automatically closed.

Comment #8

29 December 2011 at 20:00

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Comment #9

baitoan.com commented 27 March 2012 at 03:40

Version:	7.0-alpha3	» 7.x-dev
Assigned:	Unassigned	» baitoan.com
Issue tags:		+register_globals

I figured out the register_globals on drupal installation source, even when the installed modules and themes still like the old status
the way you tried to use this lightly

/ public_html / my_site / modules / system / system.install

find the line

if (! empty ($ register_globals) && strtolower ($ register_globals)! = 'off') {

and replaced with

/ / if (! empty ($ register_globals) && strtolower ($ register_globals)! = 'off') {
if (baitoan.com) {

you have no idea what

Comment #10

anil_89 commented 16 September 2013 at 12:51

you can reslove this problem by following these few step:

path : /drupal_core/modules/system/system.install

comment some some
/*
if (!empty($register_globals) && strtolower($register_globals) != 'off') {
$requirements['php_register_globals']['description'] = $t('register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings.');
$requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR;
$requirements['php_register_globals']['value'] = $t("Enabled ('@value')", array('@value' => $register_globals));
}
else {
$requirements['php_register_globals']['value'] = $t('Disabled');
}*/
after refresh page

Comment #11

Kakoma commented 5 April 2014 at 03:18

Issue summary:

View changes

For most shared hosting environments, having a copy of php.ini file in your public_html directory works. A great way to do this is by copying the hosting company's copy

  system("cp /path/to/php/conf/file/php.ini  /home/yourusername/public_html/php.ini");

Get /path/to/php/conf/file/php.ini by running phpinfo(); in a file. Then in your ini file, turn register_globals off

register_globals is enabled