Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

PHP import_request_variables() vs extract()
From: ascii <ascii () katamail com>
Date: Fri, 09 Mar 2007 01:11:28 +0100

Please note that also extract() will override any variable exluded
$GLOBALS but the main difference is that on http://it2.php.net/extract
you are advised to do not use "extract() against untrusted data, like
user-input ($_GET, ...)."

[quote]
if you want to run old code that relies on register_globals temporarily,
make sure you use one of the non-overwriting extract_type values such
as EXTR_SKIP and be aware that you should extract in the same order
that's defined in variables_order within the php.ini
[/quote]

Infact extract() has a EXTR_SKIP flag that implement this bhreaviuw:

[quote]
If there is a collision, don't overwrite the existing variable.
[/quote]

Using extract() with EXTR_SKIP will give you something like GLOBALS ON
that is safe if compared with what happens using extract($_GET); or
import_request_variables('G');

--- >8 --- >8 --- >8 --- >8 --- test1.php --- >8 --- >8 --- >8 --- >8

<?php
extract($_GET);
print_r($_SERVER);
?>

--- >8 --- >8 --- >8 --- >8 --- --------- --- >8 --- >8 --- >8 --- >8

Demo: test1.php?SERVER=abc
Expected result: the _SERVER array will became a string

The morale is that while an insecure usage of extract() by a developer
could be his fault there is no secure usage of
import_request_variables() and this is surely a PHP fault.

Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • PHP import_request_variables() vs extract() ascii (Mar 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault