[wp-trac] [WordPress Trac] #10360: $_REQUEST's slashes may differ from $_GET/$_POST

WordPress Trac wp-trac at lists.automattic.com
Fri Jul 10 22:47:13 UTC 2009


#10360: $_REQUEST's slashes may differ from $_GET/$_POST
--------------------------+-------------------------------------------------
 Reporter:  dd32          |       Owner:  ryan                    
     Type:  defect (bug)  |      Status:  new                     
 Priority:  normal        |   Milestone:  2.8.2                   
Component:  Security      |     Version:  2.9                     
 Severity:  normal        |    Keywords:  needs-patch dev-feedback
--------------------------+-------------------------------------------------

Comment(by vladimir_kolesnikov):

 Replying to [comment:12 Denis-de-Bernardy]:
 >  - http://us.php.net/manual/en/ini.core.php#ini.variables-order and its
 >  note on S meaning ES

 This only affects $_SERVER - that is, $_SERVER will always have $_ENV
 array merged in.

 See http://blog.sjinks.org.ua/p.php (screenshot:
 https://url.odesk.com/bw6ig) - the server has variables_order set to EGPCS
 but $_REQUEST still contains only $_GET + $_POST + $_COOKIE.

 variables_order affects which superglobals are created, the order in which
 G/P/C are put into _REQUEST and the order in which E/G/P/C/S get imported
 into the global namespace if register_globals is on.


 > http://us.php.net/manual/en/ini.core.php#ini.request-order

 "This directive describes the order in which PHP registers GET, POST and
 Cookie variables into the _REQUEST array" - the manual does not mention
 any other superglobals.

 Also http://us.php.net/manual/en/reserved.variables.request.php: "When
 running on the command line, this will not include the argv and argc
 entries; these are present in the $_SERVER array." - this explicitly
 states that $_SERVER is not a part of $_REQUEST.

 Finally, if you take a look at main/php_variables.c in the PHP source (you
 need the function named php_auto_globals_create_request), you'll see it
 never uses anything else but G/P/C (screenshot:
 https://url.odesk.com/1eo0y).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10360#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
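
The construction of $_REQUEST described in the comment above, modelled in userland PHP as an added example (not code from the ticket, WordPress or PHP itself). build_request() is a hypothetical helper, array_replace_recursive() stands in for PHP's internal merge, and the fallback to variables_order when request_order is empty is an assumption.

```php
<?php
// Added example: a userland model of how PHP fills $_REQUEST.
// build_request() is a hypothetical helper, not a PHP or WordPress function.

/**
 * Merge G/P/C sources in the order given by an ini-style order string.
 * Letters other than G, P and C (such as E and S) contribute nothing,
 * each source is merged at most once, and later sources override earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    $seen    = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (!isset($sources[$letter]) || isset($seen[$letter])) {
            continue; // E, S, unknown letters and repeats are skipped
        }
        $seen[$letter] = true;
        // Assumption: array_replace_recursive approximates PHP's internal merge.
        $request = array_replace_recursive($request, $sources[$letter]);
    }
    return $request;
}

// Constructed sample input.
$get    = ['id' => '1', 'tab' => 'get'];
$post   = ['id' => '2'];
$cookie = ['id' => '3', 'sid' => 'abc'];

// "EGPCS": E and S are ignored; COOKIE is merged last, so it decides "id".
var_dump(build_request('EGPCS', $get, $post, $cookie));
// "GP": COOKIE is left out of the result entirely.
var_dump(build_request('GP', $get, $post, $cookie));

// Against the live superglobals. Assumed fallback: variables_order is used
// when request_order is empty or unavailable.
$order = ini_get('request_order') ?: ini_get('variables_order');
var_dump(build_request($order, $_GET, $_POST, $_COOKIE) == $_REQUEST);
```

The last comparison is only meaningful before any code has modified the superglobals, because $_REQUEST is a separate copy and does not follow later changes to $_GET, $_POST or $_COOKIE.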