[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Sebastian Mendel lists at sebastianmendel.de
Tue Nov 22 03:44:01 CET 2005

Garvin Hicking wrote:
> Hi!
>>> But then such a file should not be included in the release, or at least
>>> renamed to "test.php.txt" so that it can only be executed after being renamed?
>> why? the lang scripts are not renamed too from .sh to .sh.txt ... and don't make
>> it too hard for theme developers - probably they are not techies
> .sh scripts cannot be executed through HTTP. .php Scripts can.

depends on server configuration ...
ok, but why should we prevent this?

>>> Why did Michal then fix this a day ago?
>> i don't know, i mean it is not wrong to escape this value, but it is not really
>> necessary, you can not reach the host you want if you add XSS code to the host
>> in the http header ... IMHO!
> That depends on the Apache setup. If you use HTTP 1.0 you can specify the Host:
> Header with any content you like. Plus you might be able to pass $HTTP_HOST as a
> register_global variable.

mhm, PMA does not use register_globals and even deletes already 
registered globals

but anyway, i will change this

Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet

More information about the Developers mailing list