
Thread: filtering PHP_SELF




filtering PHP_SELF
United States
2007-02-26 09:20:52
bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing?

If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix.

See here for a discussion about not trusting PHP_SELF:
http://blog.phpdoc.info/archives/13-guid.html
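
The fix proposed in the post above, as an added example that is not part of the original post and is not Drupal's code: the function names, the form helper and the sample request values are hypothetical and constructed for illustration. It shows the unfiltered and filtered value in an HTML attribute, and why filtering inside the function is "inelegant" once a caller escapes again.

```php
<?php
// Added example, not Drupal code. All function names are hypothetical.

// Constructed sample request data. PHP_SELF carries any path info that
// follows the script name, so the requester influences its value.
$server = [
    'PHP_SELF'     => '/index.php/"><b>injected</b>',
    'QUERY_STRING' => 'q=node/1&sort=asc',
];

// Unfiltered: the URI is assembled from PHP_SELF exactly as received.
function request_uri_unfiltered(array $server): string
{
    $uri = $server['PHP_SELF'];
    if ($server['QUERY_STRING'] !== '') {
        $uri .= '?' . $server['QUERY_STRING'];
    }
    return $uri;
}

// Filtered at the source, as the post proposes: quotes, angle brackets
// and ampersands become entities, so the value stays inside an attribute.
function request_uri_filtered(array $server): string
{
    return htmlentities(request_uri_unfiltered($server), ENT_QUOTES, 'UTF-8');
}

// Hypothetical caller that places the URI in an HTML attribute.
function form_tag(string $action): string
{
    return '<form action="' . $action . '" method="post">';
}

echo form_tag(request_uri_unfiltered($server)), "\n"; // attribute is closed early
echo form_tag(request_uri_filtered($server)), "\n";   // value stays one attribute

// Cost of filtering inside the function: a caller that also escapes on
// output encodes the entities a second time and corrupts the URL.
$twice = htmlentities(request_uri_filtered($server), ENT_QUOTES, 'UTF-8');
echo form_tag($twice), "\n";
```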

Re: filtering PHP_SELF
Germany
2007-02-26 09:54:01
David Caylor wrote:
> bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing?
>
> If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix.
>
> See here for a discussion about not trusting PHP_SELF:
> http://blog.phpdoc.info/archives/13-guid.html

Like any responsible software project, Drupal does have a security address where such concerns should be sent to. Now all we need is responsible bug reporters...

I am not sure that the reported use of PHP_SELF is a problem.

Cheers,
	Gerhard

Re: filtering PHP_SELF
2007-02-27 06:37:28
Looks to me like it is dependent on which version of PHP is being used. Older versions running Drupal might still be vulnerable. Using PHP 4.3.10, I was not able to duplicate any of the example XSS attacks.