[nycphp-talk] $_SERVER['PHP_SELF'} not working?
csnyder
chsnyder at gmail.com
Thu Jul 21 10:43:53 EDT 2005
On 7/21/05, George Schlossnagle <george at omniti.com> wrote:
>
> My example was flawed, but the same case still works. Apache allows
> the use of '/' as an IFS, so you can do
>
> http://www.example.com/index.php/$BAD_STUFF_HERE and it will appear
> in full form in PHP_SELF.
Ah, now we're getting somewhere. So the BAD_STUFF would include %0D%0A
(\r\n) followed by some other HTTP headers.
http://www.example.com/index.php/foo%0D%0ALocation%3A%20http...
Sounds like $_SERVER['SCRIPT_NAME'] is definitely the way to go here,
or at least strip any newlines out of PHP_SELF.
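As an added illustration of the point made above (this is not code from the thread or from any of its participants), the following stand-alone PHP script constructs a $_SERVER array that stands in for what Apache would set for a request such as /index.php/foo%0D%0ALocation%3A%20http://evil.example/ (assumption: Apache has already URL-decoded PATH_INFO, so PHP_SELF carries a literal CR LF). It contrasts reusing PHP_SELF directly with deriving the path from SCRIPT_NAME and stripping control characters, and escapes the result before placing it in an HTML attribute. The helper names safe_self_path and html_attr, and the host evil.example, are invented for the example.

```php
<?php
// Added example, not from the original thread. Demonstrates why PHP_SELF
// is unsafe to reuse in headers or HTML and why SCRIPT_NAME is preferable.
declare(strict_types=1);

// Constructed request environment for
//   GET /index.php/foo%0D%0ALocation%3A%20http://evil.example/
// Assumption: Apache URL-decodes PATH_INFO, so PHP_SELF contains raw CR LF.
$headerInjection = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => "/foo\r\nLocation: http://evil.example/",
    'PHP_SELF'    => "/index.php/foo\r\nLocation: http://evil.example/",
];

// Constructed request environment for the same script with an HTML payload
// in the path, the classic <form action="<?php echo $_SERVER['PHP_SELF'] ?>"> case.
$markupInjection = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/index.php/"><script>alert(1)</script>',
];

/**
 * Return a script path that is safe to place in a header value.
 * Prefer SCRIPT_NAME, which does not include the PATH_INFO tail; fall back
 * to PHP_SELF only if SCRIPT_NAME is missing, and in every case strip CR, LF
 * and other ASCII control characters so the value cannot end a header line.
 */
function safe_self_path(array $server): string
{
    $path = ($server['SCRIPT_NAME'] ?? '') !== ''
        ? $server['SCRIPT_NAME']
        : ($server['PHP_SELF'] ?? '/');
    return preg_replace('/[\x00-\x1F\x7F]/', '', $path);
}

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * Control-character stripping alone is not enough for HTML context.
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Header context: the raw value smuggles a second header line,
// the sanitised value is a single line.
$unsafeHeader = 'Location: ' . $headerInjection['PHP_SELF'];
$safeHeader   = 'Location: ' . safe_self_path($headerInjection);

echo 'unsafe header: ' . json_encode($unsafeHeader) . "\n";
echo 'safe header:   ' . json_encode($safeHeader) . "\n";
echo 'injected line breaks in unsafe value: ' . substr_count($unsafeHeader, "\r\n") . "\n";
echo 'injected line breaks in safe value:   ' . substr_count($safeHeader, "\r\n") . "\n";

// HTML context: raw PHP_SELF closes the attribute and injects markup,
// the escaped SCRIPT_NAME-derived value stays inside the attribute.
echo '<form action="' . $markupInjection['PHP_SELF'] . '">' . "   <- unsafe\n";
echo '<form action="' . html_attr(safe_self_path($markupInjection)) . '">' . "   <- safe\n";
```

Run it from the command line with php on this file. One caveat worth knowing when reading the 2005 thread today: since PHP 5.1.2, header() refuses a value that contains a newline, so the header-splitting half of this attack no longer reaches the wire through that function; the HTML-context half (PHP_SELF echoed into a form action) is unaffected by that change and still needs SCRIPT_NAME plus escaping, as the script shows.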