On Thu, Jul 14, 2005 at 07:10:30PM +0200, Martin Schulze wrote: > Sean Finney wrote: > > i guess i didn't in the email updating this, but did so in sanitize.php > > itself: > > Yes, I saw that later. I hope, my tone wasn't too harsh.
my skin is fairly thick :)
> Yes, but the woody version does not use $_GET *anywhere* except in
> the alleged sanitising code you included. It uses $foo instead of
> $_GET["foo"] all the time, which means for me - if I'm not mistaken -
> that we should use either $foo or $_REQUEST["foo"] in the sanitising
> code.
yes. we could either pass the variable names as strings and
dereference them (like $$name), or use $_REQUEST, which i'm
fairly sure will have the same effect.
> > if any of them have bad values. that would make the patch even
> > simpler.
>
> It seems to me that running them on $_REQUEST only is sufficient. Or
> do you know of a possibility that $foo can include something which is
> not in $_REQUEST when inserted via GET/POST/cookie/$whatever?
if the supposition is true that $_REQUEST is set in the same order
as variables set via register_globals, then no further checks would
be necessary. i'm fairly certain this is the case.
> > how does that sound?
>
> Good.
>
> However, as I don't like the "next week" part too much, I'll try to
> work on the update on my own and send you the diff for comments.
> Should reduce the time you need to spend on the issue as well.
okay, that would be appreciated. i'm really busy in the next 4-5 days
as i'm trying to get my wordly possessions sorted and packed in
preparation for moving out of the country...
On Fri, Jul 15, 2005 at 04:15:22PM +0200, Martin Schulze wrote:
> > However, as I don't like the "next week" part too much, I'll try to
> > work on the update on my own and send you the diff for comments.
> > Should reduce the time you need to spend on the issue as well.
>
> Ok, here is an update.
i'll try and set some time aside tonight or tomorrow to test, but
it looks good from an initial glance.
sean
--
signature.asc
Description: Digital signature
