register globals?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
ergo14
Registered User
Posts: 17
Joined: Fri Jun 18, 2004 1:10 pm
Location: Poland

Re: register globals?

Post by ergo14 »

Graham wrote: Now back to the original topic, whilst we are not 100% decided yet on whether we will refuse to install on systems with this enabled (the inclusion at this stage was a way for me to gauge the reaction from people trying it and find problems), it is quite likely that we will do so.

Now yes, it is easy to remove that check from the code, but clearly if you do so, you run at your own risk for any problems which may arise via that route
Well, I think that the best option would be having, during installation, a BIG RED MESSAGE telling you that register_globals is on and poses a security risk, and showing it in the admin panel at all times.

The software should be able to run on different systems, and most shared-environment accounts will have register_globals turned on, without the ability to disable it via .htaccess or their host (like me).

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: register globals?

Post by Cap'n Refsmmat »

I thought that by default, Olympus deleted all variables created by register_globals. Doesn't that really take care of the matter?

DavidMJ
Registered User
Posts: 932
Joined: Thu Jun 16, 2005 1:14 am
Location: Great Neck, NY

Re: register globals?

Post by DavidMJ »

Cap'n Refsmmat wrote: I thought that by default, Olympus deleted all variables created by register_globals. Doesn't that really take care of the matter?
No.
Freedom from fear

guice
Registered User
Posts: 46
Joined: Fri Oct 03, 2003 3:53 am

Re: register globals?

Post by guice »

PHP setting "register_globals" is not enabled: No
Big post... I don't know if this was said, but I just wanted to post that this line is confusing. Might I suggest changing it to: PHP setting "register_globals" is disabled: No.

Using a double negative like you have it makes it confusing. Using 'disabled: no' instead of 'not enabled: no' will make it much easier to comprehend.

Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: register globals?

Post by Graham »

As it currently stands, the wording is more accurate in terms of what it is doing - since it is only testing the cases where it is explicitly on :)

However thank you for the feedback, we will revisit the wording at a later date
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!

guice
Registered User
Posts: 46
Joined: Fri Oct 03, 2003 3:53 am

Re: register globals?

Post by guice »

Thanks for the post. I do want to make sure it's known that while you can say that's exactly what it's doing, your average user (probably like 80% of your current phpBB userbase) doesn't care "exactly" what it's doing. They just want to know, in simple terms, what it means.

I appreciate the feedback that you'll look at it at a later time. I just wanted to make sure where I'm coming from comes across appropriately. It's about readability more than "technicality".

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: register globals?

Post by Cap'n Refsmmat »

DavidMJ wrote: No.
Why not?

alcaeus
Registered User
Posts: 66
Joined: Sun Oct 10, 2004 3:21 am
Location: Munich (Germany)

Re: register globals?

Post by alcaeus »

Yoda_IRC wrote: Surely a script can be written such that having register_globals on won't cause a security risk? Admittedly this is a lot harder with bigger apps, especially due to PHP being loosely typed, which means a typo is a valid variable, and obviously if you didn't mean to type it that way then it's not going to be initialised.
Let me say something that might get people to call me stupid: Just setting register_globals to "On", is NOT a security risk. Why?

If a programmer makes sure that every variable in his script is initialised before it is used (which is also not the case in phpBB, for example; that's why they added the code to unset globals in the first place), then there is no security risk at all for that script. Something like this, of course, will have problems with register_globals = On:

if ($submitted_admin_password === $stored_admin_password)
{
  $is_admin = True;
}

if ($is_admin === True)
{
//...
}
However, something like this won't:

$is_admin = False;
if ($submitted_admin_password === $stored_admin_password)
{
  $is_admin = True;
}

if ($is_admin === True)
{
//...
}
The problem is that many, many applications don't do this. It's just the design of PHP combined with bad programming style that causes insecure scripts, and not just some setting in php.ini ;)

Greetz
alcaeus

guice
Registered User
Posts: 46
Joined: Fri Oct 03, 2003 3:53 am

Re: register globals?

Post by guice »

You're right, alcaeus. You *can* program scripts to work securely with register_globals on, but that's not how I see it.

The PHP developers have been harping, pushing and telling people NOT to use register_globals for over 5 years. FIVE YEARS!

I'm actually extremely pleased to see phpBB3 will refuse to function while register_globals is enabled. This is something ALL scripts (including phpBB2.x) should have done FIVE YEARS ago.

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: register globals?

Post by NeoThermic »

alcaeus wrote: which is also not the case in phpBB for example;
In 2.0.x, yes, but in 3.0, no: phpBB 3.0 is being written to produce no notices or warnings about variables not being initialised, even when running under E_ALL.

The code in 2.0.x is also there to prevent people from exploiting modifications in the way of your code examples. Olympus won't need this, as not only will every variable be declared before use, all modifications will be required to declare their variables or they will not pass validation (last time I checked, anyway).

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
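The script below is an added, runnable illustration of the two things argued above: alcaeus's point that an uninitialised variable is what turns register_globals into a privilege-escalation bug, and NeoThermic's point that running clean under E_ALL is how you catch such variables. It is example code written for this thread, not phpBB's own. It emulates register_globals=On by calling extract() on a constructed request array (the directive performs the same import of request keys into the symbol table before the script body runs), uses a hypothetical STORED_ADMIN_PASSWORD constant where a real board would read its configuration, and captures notices with set_error_handler() so the "Undefined variable" message appears beside the result it affected. One caveat on the snippets above: values registered from GET, POST or COOKIE are always strings or arrays, so a strict `$is_admin === true` comparison cannot be satisfied from the request; the real exposure is in loose checks such as `if ($is_admin)`, which is what the vulnerable function here uses.

```php
<?php
// Added example for this thread, not phpBB code. extract() stands in for
// register_globals=On: both import request keys as variables before the
// rest of the code runs.

// Hypothetical stand-in for a password that a real board loads from config.
const STORED_ADMIN_PASSWORD = 'correct horse battery staple';

// Collect E_ALL notices/warnings instead of printing them, so an
// "Undefined variable" message shows up beside the result it affected.
error_reporting(E_ALL);
$notices = [];
set_error_handler(function (int $errno, string $errstr) use (&$notices): bool {
    $notices[] = $errstr;
    return true;   // handled; do not fall through to PHP's default output
});

// Vulnerable: $is_admin is never initialised. If the request carried
// is_admin=1, register_globals has already created $is_admin for us, and the
// failed password check leaves it untouched. The loose (bool) test, typical of
// code of the period, accepts the string '1'.
function check_uninitialised(array $request): bool
{
    extract($request);                              // emulate register_globals
    if ($submitted_admin_password === STORED_ADMIN_PASSWORD) {
        $is_admin = true;
    }
    return (bool) $is_admin;
}

// Fixed: the explicit default overwrites anything the request registered,
// so only the password check can set $is_admin. isset() avoids a notice when
// the parameter is missing.
function check_initialised(array $request): bool
{
    extract($request);                              // emulate register_globals
    $is_admin = false;
    if (isset($submitted_admin_password)
        && $submitted_admin_password === STORED_ADMIN_PASSWORD) {
        $is_admin = true;
    }
    return $is_admin === true;
}

// Constructed requests: a real login, a forged is_admin parameter sent with a
// wrong password, and an empty request.
$requests = [
    'legitimate' => ['submitted_admin_password' => STORED_ADMIN_PASSWORD],
    'forged'     => ['submitted_admin_password' => 'wrong', 'is_admin' => '1'],
    'empty'      => [],
];

foreach ($requests as $label => $request) {
    $notices = [];
    $vulnerable = check_uninitialised($request);
    $fixed      = check_initialised($request);
    printf("%-10s uninitialised=%-5s initialised=%-5s notices: %s\n",
        $label,
        var_export($vulnerable, true),
        var_export($fixed, true),
        $notices ? implode('; ', $notices) : 'none');
}
```

Run it with `php example.php`. The "forged" row is the one that matters: the uninitialised check grants admin with a wrong password, the initialised one does not. Note that the forged row produces no notice at all, because the attacker supplied the variable the code forgot to set; the undefined-variable warnings only appear in the "empty" row. That is why E_ALL cleanliness is a development-time discipline rather than a runtime defence: it flags the missing initialisation only on code paths exercised without the parameter, which is exactly what a developer's own test runs look like and what an attacker's request never does.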
