1.2.1032. Register Globals¶
register_globals
was a PHP directive that dumped all incoming variables from GET, POST, COOKIE and FILES as global variables in the called scripts.
This lead to security failures, as the variables were often used but not filtered.
Though it is less often found in more recent code, register_globals
is sometimes needed in legacy code, that haven’t made the move to eradicate this style of coding.
Backward compatible pieces of code that mimic the register_globals
features usually create even greater security risks by being run after scripts startup. At that point, some important variables are already set, and may be overwritten by the incoming call, creating confusion in the script.
Mimicking register_globals
is achieved with variables variables, extract(), parse_str() and import_request_variables() (Up to PHP 5.4).
<?php
// Security warning ! This overwrites existing variables.
extract($_POST);
// Security warning ! This overwrites existing variables.
foreach($_REQUEST as $var => $value) {
$$var = $value;
}
?>
1.2.1032.1. Suggestions¶
Avoid implementing again
register_globals
Use a container to store and access commonly used values
1.2.1032.2. Specs¶
Short name |
Security/RegisterGlobals |
Rulesets |
|
Exakat since |
0.8.4 |
PHP Version |
All |
Severity |
Critical |
Time To Fix |
Slow (1 hour) |
Precision |
High |
Features |
register-globals |
Examples |
|
Available in |