View Issue Details

ID: 0000320
Project: Main CAcert Website
Category: website content
View Status: public
Last Update: 2016-02-11 23:35
Reporter: Sourcerer
Assigned To: felixd
Priority: normal
Severity: tweak
Reproducibility: always
Status: fix available
Resolution: open
Product Version: 2006
Summary: 0000320: Stop abusing $_REQUEST (and other special arrays)
Description:
includes/account.php line 1918 (the if($id==36) block)
reads the data from the database, and stores the data in the
PHP global array $_REQUEST:

$_REQUEST['general'] = $row['general'];

so that it can later be read from the $_REQUEST array in the pages/account/36.php:
<? if($_REQUEST['general']) echo " checked";

This is an abuse of the $_REQUEST array, which might break in newer versions of PHP (e.g. it might not be writeable in the future anymore).
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

felixd

2014-06-15 09:23

updater   ~0004833

Last edited: 2014-06-17 13:30

A command similar to:

grep -r --color=auto "\$_\(REQUEST\|POST\|GET\)\(\[[^]]\+\]\)\+ \?= \?[^=]" pages www includes

might help to determine the locations.
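
Added example, not part of the tracker notes or of CAcert's code: a Python scanner that generalises the grep in the note above to writes that pattern does not match (compound assignment such as `.=`, `++`/`--`, appends with `[]`, overwriting the whole array, nested subscripts). The function name `find_superglobal_writes`, the `$_COOKIE` entry and the sample PHP are assumptions made for the illustration.

```python
import re

# Writes to PHP request superglobals. COOKIE is an addition to the three
# names in the grep above (assumption: it counts as a "special array" too).
WRITE_RE = re.compile(
    r"\$_(?P<name>REQUEST|POST|GET|COOKIE)\b"
    # zero or more subscripts, allowing one nested level: [$f['name']], []
    r"(?P<index>(?:\[(?:[^\[\]]|\[[^\[\]]*\])*\])*)"
    r"\s*"
    # ++, --, plain or compound assignment; (?![=>]) rejects ==, === and =>
    r"(?P<op>\+\+|--|(?:\*\*|\?\?|<<|>>|[-+*/.%&|^])?=(?![=>]))"
)


def find_superglobal_writes(source, filename="<string>"):
    """Return (filename, line number, superglobal, operator) per write.

    Line-based matching like grep: it does not parse PHP, so a match inside
    a comment or string literal is reported too and needs a manual look.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in WRITE_RE.finditer(line):
            findings.append((filename, lineno, m.group("name"), m.group("op")))
    return findings


# Constructed sample; only the first two statements come from the report.
SAMPLE = r'''<?php
$_REQUEST['general'] = $row['general'];          // the write quoted in the report
if ($_REQUEST['general']) echo " checked";       // read: not reported
if ($_GET['id'] == 36) { $id = 36; }             // comparison: not reported
$_POST['note'] .= ' (edited)';                   // compound assignment
$_REQUEST = array();                             // whole-array overwrite
$_GET['list'][] = 'x';                           // append
$opts = array($_GET['k'] => 1);                  // array key: not reported
$_POST[$f['name']]++;                            // increment, nested subscript
'''

if __name__ == "__main__":
    for name, lineno, var, op in find_superglobal_writes(SAMPLE, "sample.php"):
        print(f"{name}:{lineno}: write to $_{var} via {op}")
```
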

felixd

2014-06-17 14:30

updater   ~0004845

I pushed some patches (mainly the small files except includes/account.php)
that stop writing to one of these variables here:

https://github.com/yellowant/cacert-devel/tree/bug-320

Issue History

Date Modified Username Field Change
2006-08-30 03:57 Sourcerer New Issue
2013-01-07 15:23 Werner Dworak Status new => needs work
2014-06-15 09:23 felixd Note Added: 0004833
2014-06-17 13:30 felixd Note Edited: 0004833
2014-06-17 14:30 felixd Note Added: 0004845
2016-02-11 23:35 BenBE Assigned To => felixd
2016-02-11 23:35 BenBE Status needs work => fix available
2016-02-11 23:35 BenBE Product Version => 2006