[development] filtering PHP_SELF

David Caylor david at davidcaylor.com
Mon Feb 26 15:20:52 UTC 2007


bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can 
tell without filtering.  This isn't safe.  Is this getting filtered 
somewhere or somehow that I'm missing?

If it isn't getting filtered elsewhere, adding htmlentities to these two 
functions would be an inelegant but sufficient (for security purposes) 
fix.

See here for a discussion about not trusting PHP_SELF:
http://blog.phpdoc.info/archives/13-guid.html
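As an added illustration (not bootstrap's or Drupal's own code), here is a minimal PHP page that reflects PHP_SELF into a form action, the pattern the post is concerned about, beside the htmlentities-based fix the post proposes. The `$_SERVER` values are constructed so the script runs from the command line; the function names are mine.

```php
<?php
// Added example, not Drupal code. Simulate the request so this runs from the CLI.
// PHP_SELF includes any PATH_INFO the client appended after the script name,
// so it is client-controlled; the constructed value carries a double quote.
$_SERVER['PHP_SELF'] = '/index.php/"extra';
$_SERVER['SCRIPT_NAME'] = '/index.php'; // constructed for the CLI run

// Unsafe: the raw value is placed inside an HTML attribute. The quote in
// PATH_INFO closes the attribute, so markup the server never wrote is emitted.
function form_action_unfiltered() {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Safe: encode before emitting, as the post suggests. ENT_QUOTES also encodes
// single quotes, so the value stays inert in single-quoted attributes too.
function form_action_filtered() {
    $self = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Alternative: on a standard Apache module setup SCRIPT_NAME holds only the
// script path, without client-supplied PATH_INFO. Still encode it on output,
// because the rule is "encode at the sink", not "trust the source".
function form_action_script_name() {
    $self = htmlentities($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Print all three so the difference is visible side by side.
echo form_action_unfiltered(), "\n";
echo form_action_filtered(), "\n";
echo form_action_script_name(), "\n";
```

Run it with `php example.php` and compare the three lines: only the first one lets the quote from PATH_INFO terminate the attribute.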

