[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1
Garvin Hicking
phpmyadmin at supergarv.de
Tue Nov 22 03:33:02 CET 2005
Hi!
>> But then such a file should not be included in the release, or at least
>> renamed to "test.php.txt" so that it can only be executed after being renamed?
>
> Why? The lang scripts are not renamed from .sh to .sh.txt either ... and don't make
> it too hard for theme developers - probably they are not techies
.sh scripts cannot be executed through HTTP. .php scripts can.
>> Why did Michal then fix this a day ago?
>
> I don't know, I mean it is not wrong to escape this value, but it is not really
> necessary, you cannot reach the host you want if you add XSS code to the host
> in the HTTP header ... IMHO!
That depends on the Apache setup. If you use HTTP 1.0 you can specify the Host:
header with any content you like. Plus you might be able to pass $HTTP_HOST as a
register_globals variable.
Regards,
Garvin
--
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
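The point Garvin makes above, that the Host header is client-controlled and therefore untrusted, is what the following added example illustrates from the defensive side; it is not phpMyAdmin's own code, and the allowlist of hostnames and the `safe_http_host()` helper are hypothetical.

```php
<?php
// Added example, not phpMyAdmin code: treat the Host header as untrusted input.
// With HTTP/1.0 (or register_globals) its content is chosen by the client, so it
// is validated against an allowlist and escaped before being reused in output.

// Hypothetical allowlist of hostnames this installation is served under.
$allowed_hosts = ['pma.example.org', 'localhost'];

/**
 * Return a hostname that is safe to embed in HTML, or null if it is not ours.
 * Accepts only a plain hostname with an optional numeric port.
 */
function safe_http_host(?string $raw_host, array $allowed): ?string
{
    if ($raw_host === null) {
        return null;
    }
    // Only hostname characters and an optional :port are accepted.
    if (!preg_match('/^([A-Za-z0-9.-]+)(:\d{1,5})?$/', $raw_host, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), $allowed, true)) {
        return null;
    }
    // Escape on output even after validation (defence in depth).
    return htmlspecialchars($raw_host, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values standing in for $_SERVER['HTTP_HOST'].
$samples = [
    'pma.example.org',        // accepted
    'pma.example.org:8080',   // accepted, port kept
    'other.example.net',      // rejected: not in the allowlist
    'pma.example.org"<b>',    // rejected: markup characters in the header
];
foreach ($samples as $host) {
    $ok = safe_http_host($host, $allowed_hosts);
    echo $host, ' => ', ($ok === null ? 'REJECTED' : $ok), PHP_EOL;
}
```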