[pmwiki-users] Custom PageVariables from request strings: critical vulnerability

Petko Yotov 5ko at 5ko.fr
Mon Feb 29 06:19:56 CST 2016


On 2016-02-29 12:54, Oliver Betz wrote:
> Petko Yotov wrote:
> 
>>  the recipe "HttpVariables" provides access to request strings
> 
> it doesn't offer a method to access a get /or/ post parameter in a
> single PTV as I had in:
> 
> $FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';
> 
> The markup {$!foo} is stated "might not be reliable", the documentation
> is somewhat fuzzy in this respect: "{$!request_var} may produce
> different results under different php.ini configurations."

Yes, this depends on the php.ini variable request_order, see:

   http://php.net/manual/en/ini.core.php#ini.request-order


> I think I will make my own solution based on HttpVariables.
> 
> BTW: Is the code cited above secure because it's in single quotes?

The above code is not vulnerable to the specific exploits that target 
the code I mentioned previously.

Petko
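The two points made above (an explicit "GET, else POST" lookup that does not depend on php.ini, and why `{$!request_var}`/`$_REQUEST` can change meaning with `request_order`), as an added example that is not code from this thread, from PmWiki or from the HttpVariables recipe. The function names `request_param` and `simulate_request`, the sample GET/POST arrays and the escaping choice are assumptions; the only thing taken from the thread is the `$FmtPV['$foo']` single-quoted definition style.

```php
<?php
// Added example (not from the pmwiki-users thread or the PmWiki project).
// Assumption: a $FmtPV entry is a PHP expression string that PmWiki
// evaluates when the page variable is expanded.

// Look up a request parameter from GET first, then POST, with a fixed
// precedence that does not depend on the php.ini request_order setting.
// The value is HTML-escaped so a crafted parameter cannot inject markup
// when the page variable is rendered into the page.
function request_param(array $get, array $post, string $name, string $default = ''): string
{
    if (isset($get[$name]) && is_string($get[$name])) {
        $value = $get[$name];
    } elseif (isset($post[$name]) && is_string($post[$name])) {
        $value = $post[$name];
    } else {
        return $default;
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Models how PHP builds $_REQUEST from request_order: sources are merged
// left to right, so a later letter overrides an earlier one. With "GP"
// the POST value wins, with "PG" the GET value wins, which is the
// "different results under different php.ini configurations" caveat.
function simulate_request(array $get, array $post, string $request_order, string $name): ?string
{
    $merged = [];
    foreach (str_split($request_order) as $src) {
        $source = $src === 'G' ? $get : ($src === 'P' ? $post : []);
        $merged = array_merge($merged, $source);
    }
    return $merged[$name] ?? null;
}

// Hypothetical PmWiki-style definition in the thread's single-quoted form:
// the string is the expression PmWiki evaluates later, so $_GET/$_POST are
// read at expansion time instead of being pasted into the expression text.
$FmtPV['$foo'] = 'request_param($_GET, $_POST, "foo")';

// Constructed sample request data (no real HTTP request involved)
$get  = ['foo' => 'from-get'];
$post = ['foo' => '<b>from-post</b>'];

echo "explicit GET-then-POST, both set: ", request_param($get, $post, 'foo'), "\n";
echo "explicit GET-then-POST, POST only: ", request_param([], $post, 'foo'), "\n";
echo "request_order=GP: ", simulate_request($get, $post, 'GP', 'foo'), "\n";
echo "request_order=PG: ", simulate_request($get, $post, 'PG', 'foo'), "\n";
```

Run it with `php example.php`: the first two lines show the explicit lookup always preferring GET and returning the POST value escaped, while the last two show the same parameter resolving to different sources purely because of the `request_order` string.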
