[pmwiki-users] Custom PageVariables from request strings: critical vulnerability

Petko Yotov 5ko at 5ko.fr
Mon Feb 29 06:19:56 CST 2016

On 2016-02-29 12:54, Oliver Betz wrote:
> Petko Yotov wrote:
>>  the recipe "HttpVariables" provides access to request strings
> it doesn't offer a method to access a get /or/ post parameter in a
> single PTV as I had in:
> $FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';
> The markup {$!foo} is stated "might not be reliable", the documentation
> is somewhat fuzzy in this respect: "{$!request_var} may produce
> different results under different php.ini configurations."

Yes, this depends on the php.ini variable request_order, see:


> I think I will make my own solution based on HttpVariables.
> BTW: Is the code cited above secure because it's in single quotes?

The above code is not vulnerable to the specific exploits that target 
the code I mentioned previously.
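The point in the reply above turns on PHP string quoting: the single-quoted $FmtPV definition stores the PHP source text itself, and $_GET/$_POST are only read when PmWiki later evaluates the expression, whereas a double-quoted definition interpolates the request value at definition time and bakes it into the text that gets evaluated. The script below is an added illustration, not code from the post or from PmWiki; `evaluate_pagevar()` is an assumed stand-in for PmWiki's evaluation of $FmtPV entries, the request values are constructed, and `definitions_embedding_request_data()` is a hypothetical config-review check.

```php
<?php
// Added example, not PmWiki code. Stand-in for how a $FmtPV entry is turned into
// a value: PmWiki evaluates the stored string as a PHP expression (assumption:
// this simplified eval() mirrors that behaviour closely enough for the demo).
function evaluate_pagevar(array $fmtpv, string $name): string
{
    return (string) eval("return ({$fmtpv[$name]});");
}

// Config-review check (hypothetical helper): flag any definition whose stored
// source text contains a raw request value. A correctly written definition
// should never contain request data, only code that reads it at evaluation time.
function definitions_embedding_request_data(array $fmtpv, array $request): array
{
    $flagged = [];
    foreach ($fmtpv as $name => $source) {
        foreach ($request as $value) {
            if ($value !== '' && strpos($source, $value) !== false) {
                $flagged[] = $name;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed request: a value that contains a quote and an operator, i.e. text
// that means something different when interpreted as PHP rather than as data.
$_GET  = ['foo' => 'hello" . "world'];
$_POST = [];

$FmtPV = [];

// Single-quoted definition, as in the thread. The stored string is the PHP
// expression; $_GET["foo"] is looked up only inside evaluate_pagevar().
$FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';

// Double-quoted definition. PHP interpolates {$_GET['foo']} right here, so the
// request value becomes part of the source text that is evaluated later.
$FmtPV['$bar'] = "\"{$_GET['foo']}\"";

echo "stored \$foo: ", $FmtPV['$foo'], "\n";   // the expression, no request data
echo "stored \$bar: ", $FmtPV['$bar'], "\n";   // "hello" . "world"  (request data is now code)

echo "value  \$foo: ", evaluate_pagevar($FmtPV, '$foo'), "\n"; // hello" . "world  (returned as data)
echo "value  \$bar: ", evaluate_pagevar($FmtPV, '$bar'), "\n"; // helloworld       (quote and . ran as code)

// The review check singles out the definition that embedded request data.
print_r(definitions_embedding_request_data($FmtPV, $_GET + $_POST)); // Array ( [0] => $bar )
```

Run it from the command line with `php example.php`; the two "stored" lines show the difference before anything is evaluated, which is what makes the single-quoted form immune to the interpolation problem described in the thread.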
