Possbile security problem with $base_url

Nope, sorry chx. :(

With this patch applied, I am unable to create UID 1:

* You must enter a username.
* You must enter an e-mail address.

Even when they are both clearly entered.

I applied the patch and tested several forms, all looks good now. +1 and RTBC.

If you run a "register globals off" emmulator from a place where any expected global is known, you could do something like this:

http://ca.php.net/manual/en/faq.misc.php#53961

Well, you need to adapt the contents of $knownglobals and remove the stuff related to $_SESSION. Probably at this point in bootstrap time session_start() has not been run yet.

Maybe something like this?

if( (bool)@ini_get('register_globals') )
{
	$superglobals = array(&$_ENV, &$_GET, &$_POST, &$_COOKIE, &$_FILES, &$_SERVER);
	$protected = array(
		//
		// PHP superglobals:
		//
		'_ENV', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_SESSION', '_REQUEST',

		//
		// Global variables used by this code snippet:
		//
		'superglobals', 'protected', 'superglobal', 'global', 'void',

		//
		// Known globals defined before this code snippet is reached.
		//
		'anything here ???',
	);
	foreach( $superglobals as $superglobal )
	{
		foreach( $superglobal as $global => $void )
		{
			if( !in_array($global, $protected) )
			{
				unset($GLOBALS[$global]);
			}
		}
	}
	unset($superglobals, $protected, $superglobal, $global, $void);
}

Note this one uses & to populate $superglobals (avoids a copy of the superglobals and works in PHP4 and PHP5).

This is using Drupal coding guidelines and removed some stuff, not really necessary when running this code from within a function.

if ((bool)@ini_get('register_globals')) {
  $superglobals = array(&$_ENV, &$_GET, &$_POST, &$_COOKIE, &$_FILES, &$_SERVER);
  $protected = array(
    // PHP superglobals:
    '_ENV', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_REQUEST',
    // Known globals defined before this code snippet is reached.
    'anything here ???',
  );
  foreach ($superglobals as $superglobal) {
    foreach ($superglobal as $global => $void) {
      if (!in_array($global, $protected)) {
        unset($GLOBALS[$global]);
      }
    }
  }
}

Looks like this needs some more discussion.

// we only allow uppercase letters and underscore

This code is going to unset $access_check defined on top of update.php.

What about using a constant in place of $access_check ?

Also, what about moving the "register globals off emmulator" on top of bootstrap.inc ? ie. off any other function. At that there shouldn't be any other globals than those provided by PHP itself.

Then, it doesn't matter yours or mine code snippet to do the job.

Agree?

Last, but not least. What about doing fix_gpc_magic() here as well?

This is actually invoked from common.inc::_drupal_bootstrap_full() at DRUPAL_BOOTSTRAP_FULL time. This is not done when page cache is enabled. I think that could be a problem, depending on what's being done in init/exit hooks and things like that?

Oops! '_REQUEST' needs to be added to $allowed ?

if fix_gpc_magic() was called here, it would cover the case when page cache is enabled?

Two minor bugs in the patch kept me from testing. Here's a rerolled version (files =>1, open bracket on line 141)

Looks good. I have opened another issue to discuss about fix_gpc_mafic(). :-/

Can't we unset $base_url just before settings.php is loaded? (I don't like the proposed solution.)

Does this need fixing in 4.6? If not, why not?

I don't unserstand why we fix this in conf_init() and not in a separate function similar to fix_gpc_magic().

applied