Le 2012-02-21 07:29, Dieter Adriaenssens a écrit :
Op 21 februari 2012 12:33 heeft Marc Delisle marc@infomarc.info het volgende geschreven:
Le 2012-02-21 04:43, Michal Čihař a écrit :
Hi
all, I think we can agree on register globals being evil. So let's do radical breakage in master and remove ./libraries/grab_globals.lib.php. I know lot of things will get broken, but this is something what needs to be done for 4.0 and I think it should be done ASAP to prevent any new code using this.
So I don't give you question whether to do this, but rather when to do this with possible rationale for the choice:
right now - anyway people should be using QA_3_5 so master breakage should not matter
after releasing 3.5 - developers can focus on master after releasing 3.5
after releasing 3.5.1 - final release 3.5 will most likely bring lot of bug reports, which will need to be fixed in 3.5.1
I think that right now is a good time, before we get too busy with 3.5.1.
What do you suggest? remove the library, add a big warning to demo and then test everything?
Harsh, but effective. It might break some functionality for some time, but it probably is the fastest way. Unless there is a way of detecting every place were this register_globals is needed?
Dieter, When Michal talked about register globals, he meant that in grab_globals.lib.php, we take some variables from superglobals (except some that are in a blacklist) and make them globals, so that the other scripts can work with them.
In grab_globals.lib.php, we could output to a trace file the names of the variables that are globalized, then verify in the code where these global variables are used.
Also, I suggest to get rid of $_REQUEST, because the origin of its contents is unclear. Ideally, at every place where we refer to $_REQUEST, a comment should explain the possible origin of the contents.
What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST? I don't see another way of getting the values of url variables.
Yes; it could be $_COOKIE also, see http://www.php.net/manual/en/reserved.variables.request.php.
Maybe we could create a function/class to get the value of a POST/GET variable and check the validity? I mean, if you need input from a url variable, you call the function with some parameters : variable name, allowed origin (POST, GET, COOKIE, SESSION, ...), type of data (string, bool, int, ...); and the function checks this and returns the value if it is safe. So all $_REQUEST, $_POST, $_GET, $_COOKIE, ... in the code should be replaced by a call to this function. What do you think?
I'm a little afraid about the overhead of such functions calls.
Kind regards,
Dieter
Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel