[pmwiki-users] Custom PageVariables from request strings: critical vulnerability
Petko Yotov
5ko at 5ko.fr
Mon Feb 29 06:19:56 CST 2016
On 2016-02-29 12:54, Oliver Betz wrote:
> Petko Yotov wrote:
>
>> the recipe "HttpVariables" provides access to request strings
>
> it doesn't offer a method to access a get /or/ post parameter in a
> single PTV as I had in:
>
> $FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';
>
> The markup {$!foo} is stated "might not be reliable", the documentation
> is somewhat fuzzy in this respect: "{$!request_var} may produce
> different results under different php.ini configurations."
Yes, this depends on the php.ini variable request_order, see:
http://php.net/manual/en/ini.core.php#ini.request-order
> I think I will make my own solution based on HttpVariables.
>
> BTW: Is the code cited above secure because it's in single quotes?
The above code is not vulnerable to the specific exploits that target
the code I mentioned previously.
Petko
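As an added example (not code from the thread or from PmWiki itself), the following PHP shows one way to keep a GET-or-POST page variable while removing the two practical concerns raised above: the precedence no longer depends on php.ini's request_order, and the request value is validated and HTML-escaped before PmWiki renders it. It assumes PmWiki's usual handling of $FmtPV, where each entry is a PHP expression string that is eval()ed when the variable is rendered; the helper names RequestParamGetThenPost and SafeRequestParam and the whitelist pattern are constructed for this illustration.

```php
<?php
// Added example, not part of the original thread. Assumes PmWiki eval()s
// each $FmtPV entry as a PHP expression when {$foo} is rendered.

// Read a request parameter with an explicit precedence (GET first, then
// POST) so the result does not depend on php.ini's request_order setting.
function RequestParamGetThenPost($name) {
    if (isset($_GET[$name]))  return $_GET[$name];
    if (isset($_POST[$name])) return $_POST[$name];
    return '';
}

// Accept only scalar values matching a narrow pattern (constructed example);
// anything else, including array parameters such as foo[]=x, becomes ''.
// The accepted value is HTML-escaped before it reaches page markup.
function SafeRequestParam($name, $pattern = '/^[A-Za-z0-9_-]{0,64}$/') {
    $v = RequestParamGetThenPost($name);
    if (!is_string($v) || !preg_match($pattern, $v)) return '';
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// The PTV definition remains a single-quoted string containing only a
// function call: no request data is ever interpolated into the PHP source
// that PmWiki eval()s.
$FmtPV['$foo'] = 'SafeRequestParam("foo")';

// Stand-alone demonstration with constructed input; in a real request the
// web server populates $_GET and $_POST instead.
$_GET['foo']  = 'abc';
$_POST['foo'] = 'from_post';
echo eval('return (' . $FmtPV['$foo'] . ');'), "\n";   // GET value wins

unset($_GET['foo']);
echo eval('return (' . $FmtPV['$foo'] . ');'), "\n";   // falls back to POST

$_GET['foo'] = '<script>';
var_dump(eval('return (' . $FmtPV['$foo'] . ');'));   // rejected by the pattern

// For comparison, the setting that {$!foo} depends on:
echo 'request_order=', var_export(ini_get('request_order'), true), "\n";
```

Run it from the command line to see the three cases; in a PmWiki install the two helper functions and the $FmtPV line would go into config.php, and the whitelist pattern should be tightened or loosened to match the values the page actually expects.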