26 Feb 2007, 4:54 p.m.
David Caylor wrote:
bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell, without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing?
If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix.
See here for a discussion about not trusting PHP_SELF: http://blog.phpdoc.info/archives/13-guid.html
Like any responsible software project, Drupal does have a security@ address to which such concerns should be sent. Now all we need is responsible bug reporters...

I am not sure that the reported use of PHP_SELF is a problem.

Cheers,
Gerhard
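For readers unfamiliar with the class of bug David is describing, here is an added illustration (it is not code from this thread and not Drupal's own bootstrap code). It shows the classic self-referencing form that echoes $_SERVER['PHP_SELF'] unencoded, the htmlentities() fix David proposes, and the alternative of not reflecting the request path at all. The request path is constructed inline so the script runs offline; the function names are made up for the example.

```php
<?php
// Added example, not Drupal code.
// PHP_SELF is the script path *plus* any PATH_INFO the client appended, and PHP
// does not encode it. Anything a user can put after "/index.php" therefore
// lands verbatim in whatever markup reflects PHP_SELF.

// Constructed request, standing in for a real hit on
//   /index.php/"><script>alert(1)</script><a href="
$_SERVER['PHP_SELF']    = '/index.php/"><script>alert(1)</script><a href="';
$_SERVER['SCRIPT_NAME'] = '/index.php';   // the script path without PATH_INFO

// Vulnerable: the attacker's path closes the action attribute and injects a script.
function form_vulnerable(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">'
         . '<input type="submit"></form>';
}

// Hardened as suggested in the thread: encode for the HTML attribute context.
// ENT_QUOTES is passed explicitly; the historical default (ENT_COMPAT) leaves
// single quotes alone, which is not enough for single-quoted attributes.
function form_hardened(): string {
    $self = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">'
         . '<input type="submit"></form>';
}

// Alternative: avoid reflecting the request path at all. SCRIPT_NAME is the
// configured script path without PATH_INFO, so it does not carry the client's
// suffix; it is still encoded on output as a matter of habit.
function form_script_name(): string {
    $self = htmlentities($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">'
         . '<input type="submit"></form>';
}

// Quick check usable in a review: does the rendered output still contain a raw
// "<script" tag? True means the sink is exploitable.
function reflects_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo "vulnerable : ", var_export(reflects_script(form_vulnerable()), true), "\n";
echo "hardened   : ", var_export(reflects_script(form_hardened()), true), "\n";
echo "script_name: ", var_export(reflects_script(form_script_name()), true), "\n";
echo form_hardened(), "\n";
```

The practical check behind David's question ("is this getting filtered somewhere?") is to trace every read of $_SERVER['PHP_SELF'] to the place its value is finally emitted (HTML, a header, a redirect target) and confirm an encoder appropriate to that context sits in between; filtering at the point of output, as above, is what makes the value safe, not where it is first read.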