[CLUE-Tech] Apache/PHP Brain-Cramp on HTTP_REFERER?

Jed S. Baer thag at frii.com
Tue Apr 9 15:49:25 MDT 2002


On Tue, 09 Apr 2002 14:58:33 -0600
Garey Hoffman <ghoffman at sumaato.com> wrote:

> Jed,
> 
> Are you using the latest version of PHP? If so, then the following bit
> of information could help you out:
> 
> PHP has recently gone through quite a bit of changes regarding how
> certain variables are made available. The bottom line is the development
> team felt it was necessary from a security standpoint (and I personally
> think they made a wise decision). Beginning with PHP version 4.1.2, the
> default behavior of the PHP installation is to use a new syntax for
> calling standard CGI variables and other user-submitted variables. This
> behavior was introduced in PHP version 4.1.0 but the default behavior
> was the style that you were used to using up until this latest release.
> 
> You can 'turn off' this new behavior and use the old style syntax by 
> reading up here:
> 
> http://www.php.net/manual/en/security.registerglobals.php
> 
> 
> You can find out more from the FAQ here:
> 
> http://www.php.net/manual/en/faq.using.php#faq.using.cgi-vars
> 
> Content from above URL pasted here:
> 
> -----
> 12. I'm trying to access one of the standard CGI variables (such as 
> $DOCUMENT_ROOT or $HTTP_REFERER) in a user-defined function, and it
> can't seem to find it. What's wrong?
> Environment variables are normal global variables, so you must either 
> declare them as global variables in your function (by using "global 
> $DOCUMENT_ROOT;", for example) or by using the global variable array
> (ie, "$GLOBALS["DOCUMENT_ROOT"]").

Yes, I read all that stuff.  The example of "global $DOCUMENT_ROOT" would
apply to $HTTP_REFERER as well, no? My understanding of what I read was
that if register_globals is on, then these "named" copies of the server
variables are "global" (in PHP parlance, which is a bad parlance, if you
ask me).

Further testing, in fact, shows that $HTTP_REFERER is not set even at the
"file level" scope. And, as I mentioned earlier, using <? phpinfo() ?>
doesn't reveal it even as an array item. So, clearly, Apache isn't setting
it, or PHP isn't passing it along. I rather doubt that Apache isn't
setting it, as it looks to me like that would break lots of mod_env and
mod_rewrite code (err, wouldn't it?).

BTW, I found the problem with HTTP_POST_VARS - won't go into that one. ;-)

jed
-- 
Fight the CBDTPA: http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html

"Those who expect to reap the blessings of freedom must, like men,
 undergo the fatigue of supporting it." - Thomas Paine
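
The superglobal syntax discussed in this thread, as an added example that is not part of the original post or of the PHP manual: with register_globals off, the value is read from `$_SERVER['HTTP_REFERER']`, which exists only when the client actually sent a Referer header and is client-controlled when it does. The function name `trusted_referer_host`, the allow-listed host `www.example.org` and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: reading the Referer header without register_globals.
// $_SERVER is a superglobal (PHP >= 4.1.0), so no "global" declaration is
// needed inside a function. The header is optional and client-supplied.

/**
 * Return the referring host if the request carried a well-formed Referer
 * whose host is in $allowedHosts; otherwise return null.
 * $server is a parameter (normally $_SERVER) so that the function can be
 * exercised with constructed input. Hypothetical helper, not a PHP built-in.
 */
function trusted_referer_host(array $server, array $allowedHosts)
{
    // The key is absent when the client sent no Referer
    // (typed URL, bookmark, header stripped by a proxy).
    if (!isset($server['HTTP_REFERER']) || !is_string($server['HTTP_REFERER'])) {
        return null;
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // Compare the parsed host exactly; substring matching on the raw header
    // would accept values that merely contain an allowed name.
    $host = strtolower($parts['host']);
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample requests (not taken from the thread).
$samples = array(
    'followed a link' => array('HTTP_REFERER' => 'http://www.example.org/index.php'),
    'no header sent'  => array(),
    'foreign site'    => array('HTTP_REFERER' => 'http://other.example.net/page'),
    'malformed value' => array('HTTP_REFERER' => 'not a url'),
);

foreach ($samples as $label => $server) {
    $host = trusted_referer_host($server, array('www.example.org'));
    printf("%-16s => %s\n", $label, $host === null ? '(none/untrusted)' : $host);
}
```

In a real page the first argument would be `$_SERVER`; because any client can set the header to an arbitrary value, the result is suitable for logging or navigation hints, not for access control.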


