[development] filtering PHP_SELF
Gerhard Killesreiter
gerhard at killesreiter.de
Mon Feb 26 15:54:01 UTC 2007
David Caylor wrote:
> bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can
> tell without filtering. This isn't safe. Is this getting filtered
> somewhere or somehow that I'm missing?
>
> If it isn't getting filtered elsewhere, adding htmlentities to these two
> functions would be an inelegant but sufficient (for security purposes)
> fix.
>
> See here for a discussion about not trusting PHP_SELF:
> http://blog.phpdoc.info/archives/13-guid.html
>
Like any responsible software project, Drupal does have a security@
address where such concerns should be sent. Now all we need is
responsible bug reporters...
I am not sure that the reported use of PHP_SELF is a problem.
Cheers,
Gerhard
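As an added illustration of the concern raised in the quoted message (this is example code, not Drupal's conf_init or request_uri, and the request values are constructed): PHP_SELF is the script name with any client-supplied PATH_INFO appended, so echoing it into markup unescaped hands the client a position inside an HTML attribute. Escaping with htmlspecialchars (the same idea as the htmlentities fix suggested above) or reading SCRIPT_NAME instead removes that.

```php
<?php
// Added example, not from the original thread. Constructed request: the
// script is /index.php, but the client appended an extra path segment.
// PHP populates PHP_SELF as SCRIPT_NAME followed by PATH_INFO, verbatim.
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PATH_INFO']   = '/"><b>injected</b>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Unfiltered: the client-controlled suffix lands inside the action
// attribute, and the embedded quote terminates the attribute early.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Filtered: htmlspecialchars with ENT_QUOTES encodes &, <, >, " and ',
// so the suffix survives only as inert text inside the attribute.
function form_action_escaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Alternative: SCRIPT_NAME does not carry PATH_INFO, so the client-appended
// suffix is absent entirely. It is still escaped before being echoed.
function form_action_script_name(): string
{
    $name = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// A simple check a reviewer can apply to any echoed server variable: no
// raw attribute-breaking characters may remain in the emitted value.
function attribute_value_is_inert(string $value): bool
{
    return strpbrk($value, '"\'<>') === false;
}

echo form_action_unsafe(), "\n";
echo form_action_escaped(), "\n";
echo form_action_script_name(), "\n";

var_dump(attribute_value_is_inert($_SERVER['PHP_SELF']));
var_dump(attribute_value_is_inert(
    htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')
));
```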