[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1
Sebastian Mendel
lists at sebastianmendel.de
Tue Nov 22 03:44:01 CET 2005
Garvin Hicking wrote:
> Hi!
>
>>> But then such a file should not be included in the release, or at least
>>> renamed to "test.php.txt" so that it can only be executed after being renamed?
>> Why? The lang scripts are not renamed from .sh to .sh.txt either ... and don't make
>> it too hard for theme developers - probably they are not techies.
>
> .sh scripts cannot be executed through HTTP. .php Scripts can.
Depends on server configuration ...
OK, but why should we prevent this?
>>> Why did Michal then fix this a day ago?
>> I don't know. I mean, it is not wrong to escape this value, but it is not really
>> necessary: you cannot reach the host you want if you add XSS code to the host
>> in the HTTP header ... IMHO!
>
> That depends on the Apache setup. If you use HTTP 1.0 you can specify the Host:
> header with any content you like. Plus you might be able to pass $HTTP_HOST as a
> register_globals variable.
Mhm, PMA does not use register_globals and even deletes already
registered globals.
But anyway, I will change this.
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
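The Host-header concern debated in this thread, as an added PHP example that is not phpMyAdmin's own code: the header is validated against a configured allowlist (`$trustedHosts` is a hypothetical configuration value here) and escaped on output, so a value chosen by an HTTP/1.0 client, or reaching the script through register_globals, never lands in the page as markup.

```php
<?php
// Added example (not phpMyAdmin code): treat the Host header as untrusted input.
// $trustedHosts is a hypothetical allowlist; a real application would load it
// from its own configuration.

/**
 * Return a normalised host name for building links, or null when the
 * request's Host header is not one of the hosts this installation serves.
 * The raw header is checked rather than trusted because an HTTP/1.0 client
 * can send any Host: value it likes.
 */
function resolveTrustedHost(array $server, array $trustedHosts): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Syntax check first: host characters only, with an optional :port.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$/', $raw)) {
        return null;
    }
    // Then compare case-insensitively against the configured allowlist.
    foreach ($trustedHosts as $allowed) {
        if (strcasecmp($raw, $allowed) === 0) {
            return strtolower($raw);
        }
    }
    return null;
}

/**
 * Even an allowlisted value is escaped on output, so a later configuration
 * mistake cannot turn the host name into markup. Unknown hosts fall back to
 * the configured canonical name instead of echoing the request header.
 */
function hostForHtml(array $server, array $trustedHosts, string $fallback): string
{
    $host = resolveTrustedHost($server, $trustedHosts) ?? $fallback;
    return htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests (not captured traffic).
$trusted = ['pma.example.org', 'pma.example.org:8080'];
$samples = [
    ['HTTP_HOST' => 'PMA.example.org'],          // allowlisted, normalised
    ['HTTP_HOST' => 'bad<host>.example'],        // fails syntax check -> fallback
    ['HTTP_HOST' => 'other.example.org'],        // valid syntax, not trusted -> fallback
    ['HTTP_HOST' => 'pma.example.org:8080'],     // allowlisted with port
];
foreach ($samples as $req) {
    echo hostForHtml($req, $trusted, 'pma.example.org'), "\n";
}
```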