[php-maint] Bug#336645: Bug 336645: PHP 4.4.1 Security Fixes

David Mitchell mitchell at ucar.edu
Fri Dec 2 18:18:39 UTC 2005

Christian Stadler wrote:
> David Mitchell wrote:
>>As a user, I wanted to throw my two cents in. Our security administrator
>>_is_ considering this particular fix to be critical, and has made it a
>>required patch. While it's true that this particular fix is protecting
>>against poorly written PHP scripts, it also appears to be the case that
>>such poorly written software is fairly common and is being actively
>>targeted. I also think that with this patch in PHP itself, there will be
>>a lot less pressure for any of the packages which employ unsafe variable
>>handling to actually get fixed. I know that I personally don't have a
>>lot of say on the matter, but it would be nice if the patched version
>>was released sooner. Thanks for your time.
> You can always turn off register_globals in your php.ini.
> register_globals = Off is a recommended setting anyway.

I do have it off. But there is code which basically re-implements 
register_globals. The patch actually checks to ensure that you don't try 
to re-define the global variable named "GLOBAL". I'm not worried about 
my own code, since I do my best to practice safe variable handling. 
Apparently some authors took a short cut and have re-implemented 
register_globals using code like this:

foreach ($_REQUEST as $key => $value) $$key = $value;

Is that a dangerous thing to do? Sure. But that doesn't mean it's not 
being done. As I said, it seems to be common enough that the patch to 
prevent it being dangerous has gone from being in Hardened-PHP to 
mainline PHP to having a CVE to being a mandatory patch in my 
organization. That's a lot of people who seem to think it's a serious 
issue. And as I said, if the upstream PHP is patched to prevent the 
above code from being dangerous then there is no incentive for anybody 
to fix the scripts which do have unsafe variable handling code in them.

I think an argument can be made that Sarge needs to either have the 
patch in question applied or it needs to have all the PHP-dependent 
packages checked to make sure they aren't doing unsafe things with 
request variables. The latter is not realistically going to happen 
because the PHP developers seem to have decided that the former is the 
proper fix.

Personally, I don't have a big stake in the final outcome of this. I 
don't have much PHP code on my systems, and what I do have is in-house 
stuff which was written with safe variable handling in mind. That said, 
I don't want to have to go to my security administrator and explain why 
my distro of choice needs to have an exception to our patching policy 
made for it.

-David Mitchell

> Regards,
>   Christian Stadler

| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
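
An added example, not part of the original message or of any package discussed in the thread: the loop quoted above beside an allowlist-based alternative, in PHP. The request array, the `is_admin` flag, the parameter names and both function names are constructed for illustration.

```php
<?php
// Constructed request data standing in for $_REQUEST (not from the thread).
$request = ['page' => '2', 'sort' => 'name', 'is_admin' => '1'];

// Unsafe: the pattern quoted in the message. Every request key becomes a
// variable in the current scope, so state set before the loop can be replaced
// by whoever sends the request, even with register_globals = Off.
function unsafe_import(array $request): array
{
    $is_admin = false;                 // set by the application beforehand
    foreach ($request as $key => $value) {
        $$key = $value;                // key 'is_admin' replaces the flag
    }
    return ['is_admin' => $is_admin, 'page' => $page ?? null];
}

// Safer: copy only the keys the script expects, validate each one, and keep
// them in an array instead of creating variables from request-supplied names.
function safe_import(array $request): array
{
    $allowed = [
        'page' => FILTER_VALIDATE_INT, // must parse as an integer
        'sort' => FILTER_DEFAULT,      // kept as a string, checked below
    ];
    $clean = [];
    foreach ($allowed as $key => $filter) {
        if (!array_key_exists($key, $request) || !is_scalar($request[$key])) {
            continue;                  // missing key or array-valued input
        }
        $value = filter_var($request[$key], $filter);
        if ($value !== false) {
            $clean[$key] = $value;
        }
    }
    // Constrain free-form strings to the values the script actually handles.
    if (isset($clean['sort']) && !in_array($clean['sort'], ['name', 'date'], true)) {
        unset($clean['sort']);
    }
    return $clean;
}

$unsafe = unsafe_import($request);
$clean  = safe_import($request);

// Compare what each approach let the request decide.
var_dump($unsafe['is_admin'] !== false);      // did the request change the flag?
var_dump(array_key_exists('is_admin', $clean)); // did the unexpected key get through?
var_dump($clean);
```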
