Date: Fri, 09 Mar 2007 01:11:28 +0100
From: ascii <>
Subject: PHP import_request_variables() vs extract()

Please note that extract() will also override any variable excluding
$GLOBALS, but the main difference is that on
you are advised not to use "extract() against untrusted data, like
user-input ($_GET, ...)."

if you want to run old code that relies on register_globals temporarily,
make sure you use one of the non-overwriting extract_type values such
as EXTR_SKIP and be aware that you should extract in the same order
that's defined in variables_order within the php.ini

In fact extract() has an EXTR_SKIP flag that implements this behaviour:

If there is a collision, don't overwrite the existing variable.

Using extract() with EXTR_SKIP will give you something like GLOBALS ON
that is safe if compared with what happens using extract($_GET); or

--- >8 --- >8 --- >8 --- >8 --- test1.php --- >8 --- >8 --- >8 --- >8


--- >8 --- >8 --- >8 --- >8 --- --------- --- >8 --- >8 --- >8 --- >8

Demo: test1.php?SERVER=abc
Expected result: the _SERVER array will become a string

The moral is that while an insecure usage of extract() by a developer
could be his fault, there is no secure usage of
import_request_variables() and this is surely a PHP fault.

Francesco 'ascii' Ongaro
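The following script is an added example, not code from the post above or from the PHP project, that shows the collision behaviour the post describes: extract() with no flag overwrites an already-defined variable, while EXTR_SKIP keeps it, and it then walks variables_order with EXTR_SKIP the way the quoted manual text suggests for legacy register_globals code. The request data is a constructed array standing in for $_GET and $_POST so the script runs offline; the variable names are arbitrary. (import_request_variables() itself was removed in PHP 5.4, so it is not called here.)

```php
<?php
// Added example, not from the original post. Constructed stand-in for
// what untrusted request data might contain: an attacker controls the keys.
$untrusted_get  = ['is_admin' => '1', 'page' => 'home'];
$untrusted_post = ['page' => 'post'];

// Default extract_type is EXTR_OVERWRITE: a request key that matches a
// variable the application already set replaces it.
function unsafe_import(array $input): bool
{
    $is_admin = false;        // application state the code later trusts
    extract($input);          // $is_admin is now whatever the request sent
    return (bool) $is_admin;
}

// EXTR_SKIP: on collision the existing variable wins, so the pre-set
// $is_admin survives; only keys that do not exist yet become variables.
function safe_import(array $input): bool
{
    $is_admin = false;
    extract($input, EXTR_SKIP);
    return (bool) $is_admin;
}

var_dump(unsafe_import($untrusted_get)); // true: overwritten by the request
var_dump(safe_import($untrusted_get));   // false: existing variable kept

// Emulating register_globals for legacy code, as the quoted manual text
// recommends: extract each source in the order given by variables_order
// (default "EGPCS"), always with EXTR_SKIP, so an earlier source wins on a
// duplicate key and nothing already defined in this scope is clobbered.
$is_admin = false;
$sources = [
    'E' => [],                // $_ENV    (left empty in this offline demo)
    'G' => $untrusted_get,    // $_GET
    'P' => $untrusted_post,   // $_POST
    'C' => [],                // $_COOKIE
    'S' => [],                // $_SERVER
];
foreach (str_split(ini_get('variables_order') ?: 'EGPCS') as $letter) {
    if (isset($sources[$letter])) {
        extract($sources[$letter], EXTR_SKIP);
    }
}
var_dump($is_admin); // still false: defined before the loop, so skipped
var_dump($page);     // "home": GET precedes POST in the order, POST's value skipped
```

Without EXTR_SKIP the loop would behave like register_globals = On, with the last source in variables_order overwriting earlier ones and any pre-set variable; with it, the only variables a request can create are ones the script had not defined yet, which is the "GLOBALS ON but safer" behaviour the post refers to.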
