
Question about accessing HTTP variables in Wikipedia code
Hi,

I have a question about Wikipedia code. I noticed that the way it
accesses GET/POST variables from URL is by using global variables. There
are two problems with that:
- it doesn't work if the register_globals option is off (which is a default
in newer versions of PHP)
- it is considered to be a security risk
(http://www.php.net/manual/en/configuration.directives.php#ini.register-globals,
http://www.php.net/manual/en/security.registerglobals.php)

The fix for those problems is very simple: for each variable passed
through GET/POST add the code like this:
$title = $HTTP_GET_VARS['title'];

My questions:
a) is there any special reason it's being done this way in Wikipedia?
b) any chance it can be changed? If yes, what can I do to help make this
happen (I can write the code, test it and submit a patch)

Thanks,

Krzysztof Kowalczyk
Re: Question about accessing HTTP variables in Wikipedia code
> [register_globals problem]
> My questions:
> a) is there any special reason it's being done this way in Wikipedia?
> b) any chance it can be changed? If yes, what can I do to help make this
> happen (I can write the code, test it and submit a patch)

No, and yes. You'll notice I already started doing that for
SearchEngine.php. If you want to help me out with the others,
go for it. Please see that as a model.

--
Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lee/>
"All inventions or works of authorship original to me, herein and past,
are placed irrevocably in the public domain, and may be used or modified
for any purpose, without permission, attribution, or notification."--LDC
Re: Question about accessing HTTP variables in Wikipedia code
On Wed, 30 Apr 2003, Krzysztof Kowalczyk wrote:
> I have a question about Wikipedia code. I noticed that the way it
> accesses GET/POST variables from URL is by using global variables. There
> are two problems with that:
> - it doesn't work if the register_globals option is off (which is a default
> in newer versions of PHP)

The wiki uses a number of non-standard options...

> - it is considered to be a security risk

Sure, if you use *uninitialized* global variables and assume they can only
have trusted values. Don't do that. :)

> My questions:
> a) is there any special reason it's being done this way in Wikipedia?

Force of habit.

> b) any chance it can be changed? If yes, what can I do to help make this
> happen (I can write the code, test it and submit a patch)

Sure, please send patches. $_GET / $_POST are ugly as heck, but it's
theoretically a better coding practice.

Keep in mind that a few things might work by either GET or POST
(searches; some legit bots).

-- brion vibber (brion @ pobox.com)
Re: Question about accessing HTTP variables in Wikipedia code
>> - it doesn't work if the register_globals option is off (which is
>> a default in newer versions of PHP)
>
> The wiki uses a number of non-standard options...

Actually, register_globals is the only thing you have to change
in php.ini to get the wiki running.

> > - it is considered to be a security risk
>
> Sure, if you use *uninitialized* global variables and assume they
> can only have trusted values. Don't do that. :)

Hopefully. I'm not that confident that either we don't do that, or
that future coders won't do that, so I think avoiding the problem by
coding so that register_globals isn't needed is a good idea.

> > My questions:
> > a) is there any special reason it's being done this way in Wikipedia?
>
> Force of habit.

Don't forget laziness. :-)

> Sure, please send patches. $_GET / $_POST are ugly as heck, but
> it's theoretically a better coding practice.

In SearchEngine.php, I used $_REQUEST[], because I don't really
care whether the variables come from a GET or a POST.

--
Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lee/>
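The pattern the thread is discussing, as an added example (not MediaWiki's own code, written for current PHP, where $_GET is the superglobal that replaced $HTTP_GET_VARS): a handler that only works when register_globals is on, with an uninitialized global of the kind Brion warns about, next to the explicit form that reads each value by name from $_GET / $_POST and accepts either method for a search, as Lee's $_REQUEST use does but without also pulling in cookies. All function names and the sample request are hypothetical.

```php
<?php
// Added example for this thread; not MediaWiki's own code.
// All function names and the sample request below are constructed.

// Pattern the thread warns against. With register_globals=On, PHP
// injects every GET/POST/cookie key as a global before the script runs,
// so an *uninitialized* global such as $isAdmin silently takes its value
// from the request. With register_globals=Off the same code simply sees
// undefined variables, which is the original poster's first complaint.
function searchOldStyle() {
    global $search, $isAdmin;   // set by register_globals, or not at all
    if ($isAdmin) {             // never initialized here: client-controlled
        return "admin search for " . $search;
    }
    return "search for " . $search;
}

// Explicit replacement: each request value is fetched by name, with a
// default, from $_GET / $_POST. Searches may arrive by either method
// (Brion's point), so both are consulted, GET first. Unlike $_REQUEST,
// this never includes cookies, whose presence depends on request_order.
function requestParam($name, $default = null, $allowPost = true) {
    if (isset($_GET[$name])) {
        return $_GET[$name];
    }
    if ($allowPost && isset($_POST[$name])) {
        return $_POST[$name];
    }
    return $default;
}

function searchNewStyle($isAdmin = false) {
    $search = requestParam('search', '');
    // $isAdmin is decided by the caller, never by the request, so an
    // extra isAdmin=1 parameter has no effect whatever php.ini says.
    if ($isAdmin) {
        return "admin search for " . $search;
    }
    return "search for " . $search;
}

// Constructed sample request: a GET carrying a stray isAdmin key.
$_GET  = ['search' => 'Main Page', 'isAdmin' => '1'];
$_POST = [];
echo searchNewStyle(), "\n";
```

The old-style function is kept only to show what register_globals was doing on the wiki's behalf; every request value in the new style has a single, visible source.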
Re: Question about accessing HTTP variables in Wikipedia code
On Wed, 30 Apr 2003, Lee Daniel Crocker wrote:
> > The wiki uses a number of non-standard options...
>
> Actually, register_globals is the only thing you have to change
> in php.ini to get the wiki running.

You also need iconv support compiled in, although for a latin-1-only wiki
that doesn't need to interact with incoming and outgoing links in UTF-8 it
_probably_ won't get triggered.

> > Sure, if you use *uninitialized* global variables and assume they
> > can only have trusted values. Don't do that. :)
>
> Hopefully. I'm not that confident that either we don't do that, or
> that future coders won't do that, so I think avoiding the problem by
> coding so that register_globals isn't needed is a good idea.

Yup. Like overflowing your buffers: nobody does it on _purpose_. :)

> In SearchEngine.php, I used $_REQUEST[], because I don't really
> care whether the variables come from a GET or a POST.

Oh hey, I learn something new every day. :)

-- brion vibber (brion @ pobox.com)