Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If you have register_globals on (I will be happy when PHP6 does away with that) and you do not have base_url set then someone can sneak in XSS. Fixing that is easy...
Comment | File | Size | Author |
---|---|---|---|
#29 | unset_all_6.patch | 1.06 KB | chx |
#25 | unset_all_5.patch | 796 bytes | eaton |
#24 | unset_all_4.patch | 772 bytes | chx |
#21 | unset_all_3.patch | 755 bytes | chx |
#9 | unset_all_2.patch | 717 bytes | chx |
Comments
Comment #1
chx CreditAttribution: chx commentedComment #2
chx CreditAttribution: chx commentedWell, this I found not really adequate. There are other places where I would need to think whether they can do havoc or. Instead of thinking...
Comment #3
chx CreditAttribution: chx commentedComment #4
webchickNope, sorry chx. :(
With this patch applied, I am unable to create UID 1:
* You must enter a username.
* You must enter an e-mail address.
Even when they are both clearly entered.
Comment #5
webchickComment #6
chx CreditAttribution: chx commentedComment #7
chx CreditAttribution: chx commentedthanks webchick for helping me on this issue.
Comment #8
webchickI applied the patch and tested several forms, all looks good now. +1 and RTBC.
Comment #9
chx CreditAttribution: chx commentedComment #10
markus_petrux CreditAttribution: markus_petrux commentedIf you run a "register globals off" emmulator from a place where any expected global is known, you could do something like this:
http://ca.php.net/manual/en/faq.misc.php#53961
Well, you need to adapt the contents of
$knownglobals
and remove the stuff related to $_SESSION. Probably at this point in bootstrap time session_start() has not been run yet.Comment #11
markus_petrux CreditAttribution: markus_petrux commentedMaybe something like this?
Note this one uses
&
to populate$superglobals
(avoids a copy of the superglobals and works in PHP4 and PHP5).Comment #12
markus_petrux CreditAttribution: markus_petrux commentedThis is using Drupal coding guidelines and removed some stuff, not really necessary when running this code from within a function.
Comment #13
Uwe Hermann CreditAttribution: Uwe Hermann commentedLooks like this needs some more discussion.
Comment #14
chx CreditAttribution: chx commentedSome PHP versions apparently has _GLOBALS["GLOBAL']. That needs protection too. And who knows what. I oppose markus' approach. My code works as it unsets any all-lowercase variable which happens to be the only variables we need to unset.
Comment #15
chx CreditAttribution: chx commentedThis is not minor.
Comment #16
markus_petrux CreditAttribution: markus_petrux commentedThis code is going to unset
$access_check
defined on top of update.php.Comment #17
chx CreditAttribution: chx commentedthen submit a patch. i unassigned from myself.
Comment #18
markus_petrux CreditAttribution: markus_petrux commentedWhat about using a constant in place of
$access_check
?Comment #19
markus_petrux CreditAttribution: markus_petrux commentedAlso, what about moving the "register globals off emmulator" on top of bootstrap.inc ? ie. off any other function. At that there shouldn't be any other globals than those provided by PHP itself.
Then, it doesn't matter yours or mine code snippet to do the job.
Agree?
Comment #20
markus_petrux CreditAttribution: markus_petrux commentedLast, but not least. What about doing
fix_gpc_magic()
here as well?This is actually invoked from common.inc::_drupal_bootstrap_full() at DRUPAL_BOOTSTRAP_FULL time. This is not done when page cache is enabled. I think that could be a problem, depending on what's being done in init/exit hooks and things like that?
Comment #21
chx CreditAttribution: chx commentedMarkus, we do not put code in global scope anymore. However, you were close to this version and thanks for the access_check finding.
Comment #22
markus_petrux CreditAttribution: markus_petrux commentedOops! '_REQUEST' needs to be added to
$allowed
?Comment #23
markus_petrux CreditAttribution: markus_petrux commentedif
fix_gpc_magic()
was called here, it would cover the case when page cache is enabled?Comment #24
chx CreditAttribution: chx commentedYes request is needed. No fix_gpc_magic is not needed here because it'd be too early.
Comment #25
eaton CreditAttribution: eaton commentedTwo minor bugs in the patch kept me from testing. Here's a rerolled version (files =>1, open bracket on line 141)
Comment #26
markus_petrux CreditAttribution: markus_petrux commentedLooks good. I have opened another issue to discuss about fix_gpc_mafic(). :-/
Comment #27
Dries CreditAttribution: Dries commentedCan't we unset $base_url just before settings.php is loaded? (I don't like the proposed solution.)
Does this need fixing in 4.6? If not, why not?
I don't unserstand why we fix this in conf_init() and not in a separate function similar to fix_gpc_magic().
Comment #28
chx CreditAttribution: chx commentedThe whole issue arose when Steven made $base_url optional, so 4.6 is not a problem. The patch in #1 does just the single unset, yes. But then I thought "maybe there are uninit'd globals in Drupal" and started grepping around. Then lost heart. There are a ton of globals and I did not want to check each and every of them for init. Of course, I can move the unsetter to another function, sure.
Comment #29
chx CreditAttribution: chx commentedMoved to a separate function.
Comment #30
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedapplied
Comment #31
(not verified) CreditAttribution: commented