[development] filtering PHP_SELF

Gerhard Killesreiter gerhard at killesreiter.de
Mon Feb 26 15:54:01 UTC 2007

David Caylor wrote:
> bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can 
> tell without filtering.  This isn't safe.  Is this getting filtered 
> somewhere or somehow that I'm missing?
> If it isn't getting filtered elsewhere, adding htmlentities to these two 
> functions would be an inelegant but sufficient (for security purposes) 
> fix.
> See here for a discussion about not trusting PHP_SELF:
> http://blog.phpdoc.info/archives/13-guid.html

Like any responsible software project, Drupal does have a security@ 
address where such concerns should be sent. Now all we need is 
responsible bug reporters...

I am not sure that the reported use of PHP_SELF is a problem.
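
Added example, not part of the original thread and not Drupal code: a constructed request showing what PHP_SELF can contain and what the htmlentities() filtering proposed above changes when the value is written into HTML. The helper names and the $server array are hypothetical; whether any real code path is affected depends on where the value ends up.

```php
<?php
// Constructed request state. PHP builds PHP_SELF from the script path plus
// any trailing path info, so the part after "index.php" comes from the client.
// SCRIPT_NAME holds the script path only.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><b>injected</b>',
];

// Hypothetical helper: writes the raw value into an HTML attribute.
function form_action_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '">';
}

// Same helper with htmlentities() applied before output. ENT_QUOTES also
// encodes quotes, which matters inside an attribute value.
function form_action_escaped(array $server): string
{
    $safe = htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '">';
}

// Informational check: true when the client appended something to the
// script path. Path info can be legitimate, so this is not a verdict.
function has_path_info(array $server): bool
{
    return $server['PHP_SELF'] !== $server['SCRIPT_NAME'];
}

echo 'path info present: ', has_path_info($server) ? 'yes' : 'no', "\n";
echo 'raw:     ', form_action_raw($server), "\n";
echo 'escaped: ', form_action_escaped($server), "\n";
```

In the raw line the quote in the path closes the attribute and the tag that follows is parsed as markup; in the escaped line the same bytes stay inside the attribute value.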

