Bug#416262: [php-maint] Bug#416262: php4: $_SESSION overwrite by
ordinary variables in the case of register_globals = On
seanius at debian.org
Mon Mar 26 19:44:36 UTC 2007
i'm not certain, but i think this is "behaviour as designed".

my take on what is happening:

- $foo is referenced, and not found in any super-global
  scope, so is created as a normal global variable. thus
  first print gives nothing, and when $foo='bar', it is a
  different variable than $_SESSION['foo'], so print $_SESSION['foo']
- $foo is found in super-global _SESSION scope, so all
  references to $foo point to this. so print $foo gives the
  same as $_SESSION['foo'] (foo), and assignments to one go
  to the other. hence print _SESSION[foo] gives 'bar'
- like second time, foo is found in _SESSION, which now has
  'bar', and like before assignment to $foo goes to _SESSION[foo].

if you can justify why this should be otherwise we can consider leaving
this bug open. otherwise i'll close it in some time.

but also, just FYI: debian does not recommend nor support the use of
register_globals. we do not provide security updates for most
vulnerabilities related to register_globals, and don't provide much
support for normal bugs either because of confusion from issues like
this as well as the security implications.
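Since the message above says register_globals is neither recommended nor supported, a practical follow-up is to check whether a host still enables it. The sketch below is an added example, not part of the original message or of any Debian or PHP tooling: the function names and the sample file contents are constructed, and treating the last assignment in a file as the effective one is a simplifying assumption.

```python
import re

# Values PHP treats as boolean "on" for a flag directive.
TRUTHY = {"1", "on", "yes", "true"}

# php.ini / conf.d style:  register_globals = On
# A line starting with ';' cannot match, so commented-out settings are skipped.
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s";]+)', re.I)
# Apache mod_php style:    php_flag register_globals on  (also php_admin_flag, php_value)
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^\s"]+)', re.I)


def find_register_globals(text, apache=False):
    """Return [(line_no, enabled)] for every active register_globals setting."""
    pattern = APACHE_RE if apache else INI_RE
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = pattern.match(line)
        if m:
            hits.append((no, m.group(1).lower() in TRUTHY))
    return hits


def effective(hits):
    """Assumption: the last assignment in a file wins; None means not set here."""
    return hits[-1][1] if hits else None


# Constructed sample inputs (not taken from any real system).
SAMPLE_INI = """\
; constructed sample php.ini fragment
;register_globals = On
register_globals = Off
session.use_only_cookies = 1
register_globals = On   ; re-enabled for a legacy app
"""
SAMPLE_HTACCESS = """\
# constructed sample .htaccess
php_flag register_globals on
"""

if __name__ == "__main__":
    for name, text, apache in (("php.ini", SAMPLE_INI, False),
                               (".htaccess", SAMPLE_HTACCESS, True)):
        hits = find_register_globals(text, apache)
        print(name, hits, "effective:", effective(hits))
```

A per-directory override in Apache configuration can turn the setting back on even when php.ini has it off, so both kinds of file need checking.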