Date: 03/15/01
- Next message: André Langhorst: "Re: [PHP-DEV] Re: Memory corruption in Zend, should we allow this?"
- Previous message: vvo <email protected>: "[PHP-DEV] PHP 4.0 Bug #9673 Updated: Relative paths in require(), require_once(), include(), include_once()"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From: toastyghost_ <email protected>
Operating system: Red Hat
PHP version: 4.0.4pl1
PHP Bug Type: Feature/Change Request
Bug description: Can set environment variables in the query string.
/* this is a security measure that only permits the display of the page if the referer is within the same domain as the page... if you run it with HTTP_REFERER=HTTP_HOST or a string of the host url in the query string or post a form input object called HTTP_REFERER with value of host url, it produces the same effect as if you had clicked on a link from within the site */
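<?
// $HTTP_REFERER is a plain global here, so a query-string or POST value can fill it (see description above).
$referer = parse_url($HTTP_REFERER);
if ($referer['host'] != 'mydomain.com') {
    die('invalid host');
} else {
    echo '<html>this is my page!!</html>';
}
?>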
--
Edit Bug report at: http://bugs.php.net/?id=9767&edit=1

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
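The behaviour reported above, as an added example that is not part of the original message or of PHP's own code: it emulates how register_globals fills the global scope and compares the reported check with one that reads only the server array. The function names and sample requests are constructed for illustration, the import order 'EGPCS' is assumed to be the configured variables_order, and the code targets current PHP (7.0 or later).

```php
<?php
// Added example; function names and sample requests are constructed.

// Emulates register_globals: each source named in variables_order is
// imported in turn, and later sources overwrite earlier ones. A source
// only sets the names it actually contains.
function import_globals(array $sources, string $order = 'EGPCS'): array
{
    $globals = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// The check from the report: trusts whatever ended up in the global.
function check_global(array $globals): bool
{
    $referer = parse_url($globals['HTTP_REFERER'] ?? '');
    return is_array($referer) && ($referer['host'] ?? '') === 'mydomain.com';
}

// Source-specific check: reads only the server array (S), so a request
// parameter cannot stand in for a missing Referer header.
function check_server(array $server): bool
{
    $referer = parse_url($server['HTTP_REFERER'] ?? '');
    return is_array($referer) && ($referer['host'] ?? '') === 'mydomain.com';
}

// Constructed requests: G = query string, S = server variables.
$requests = [
    'link from site'       => ['G' => [], 'S' => ['HTTP_REFERER' => 'http://mydomain.com/index.php']],
    'no header, GET param' => ['G' => ['HTTP_REFERER' => 'http://mydomain.com/'], 'S' => []],
    'no header, no param'  => ['G' => [], 'S' => []],
];

foreach ($requests as $label => $sources) {
    printf("%-22s global-check=%-5s server-check=%s\n",
        $label,
        var_export(check_global(import_globals($sources)), true),
        var_export(check_server($sources['S']), true));
}
```

Only the second request separates the two checks: the global-based check passes while the server-array check fails. The Referer header is itself supplied by the client, so even the source-specific check only filters requests and does not authenticate them.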

