HTTP_RAW_POST_DATA Security Concerns?
Posted: Tue Mar 21, 2006 12:26 pm
I'd like to recommend to the webmaster of our site that he enable the always_populate_form_post_data flag for PHP. This is to bypass what I view as a limitation in PHP's handling of variables received via URLs and forms. If you are interested in the details, first read my original post. Briefly, if PHP receives the following query string: ?var=1&var=2&var=3;, it will keep only one of the values for var: $var==3 (I think it's the last value, but I'm not sure).
As a solution, I have enabled this flag in a single directory by placing "php_flag always_populate_raw_post_data On" in my .htaccess file. I have also written a small script that can be easily included to parse the data in $HTTP_RAW_POST_DATA into an array I'm calling $_FORM. Below is the code:

Code:
    <?php
    if (isset($HTTP_RAW_POST_DATA))
    {
        $pairs = explode("&", $HTTP_RAW_POST_DATA); // break the query string up into name=value pairs
        $_FORM = array();
        foreach ($pairs as $pair)
        {
            if ($pair === '') continue; // skip empty pairs (empty body, or "a=1&&b=2")
            $pair = explode("=", $pair, 2); // split on the first "=" only, so "=" inside a value survives
            $varname = urldecode($pair[0]); // decode the name as well as the value
            $value = isset($pair[1]) ? urldecode($pair[1]) : ''; // a name sent without "=" gets an empty value
            if (!array_key_exists($varname, $_FORM)) // if this variable is not yet represented in the $_FORM array...
                $_FORM[$varname] = $value; // add it
            elseif (is_array($_FORM[$varname])) // if this variable has already been turned into an array within $_FORM...
                array_push($_FORM[$varname], $value); // just add this value to the array
            else
                $_FORM[$varname] = array($_FORM[$varname], $value); // turn this variable into an array, preserving the pre-existing value
        }
        foreach ($_FORM as $varname => $value) // turn arrays into lists, for conformity
            if (is_array($value)) $_FORM[$varname] = implode(",", $value);
    }

This populates the $_FORM array with the values from the raw post data (which is a single string, stored in $HTTP_RAW_POST_DATA). At this point, $var == '1,2,3';, which the coder would be free to break into an array, or treat as a string.
I'd like to know if anyone is aware of any potential security problems posed either by enabling always_populate_raw_post_data or by using my script to parse the raw post data. Thanks very much.
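
An added example, not part of the original post: because the posted script joins repeated values with commas, the bodies `var=1&var=2&var=3` and `var=1%2C2%2C3` both end up as the same string in `$_FORM['var']`, so code that later splits on commas cannot tell how many values the client actually sent. The version below keeps every name as a list of strings instead and bounds the number of fields; `parse_form_body()` and `$maxPairs` are hypothetical names, and the sample bodies are constructed.

```php
<?php
/**
 * Parse an application/x-www-form-urlencoded body, keeping every value of a
 * repeated name. Each name maps to a list of strings, so a repeated field and
 * a single field containing an encoded comma stay distinguishable.
 */
function parse_form_body($raw, $maxPairs = 1000)
{
    $form = array();
    if ($raw === '') {
        return $form;
    }
    $pairs = explode('&', $raw);
    if (count($pairs) > $maxPairs) {
        // Bound the work a single request can cause.
        throw new InvalidArgumentException('too many form fields');
    }
    foreach ($pairs as $pair) {
        if ($pair === '') {
            continue; // tolerate "a=1&&b=2" and a trailing "&"
        }
        $parts = explode('=', $pair, 2);          // split on the first "=" only
        $name  = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $form[$name][] = $value;                  // always a list, even for one value
    }
    return $form;
}

// Constructed sample bodies: three separate values vs. one value with commas.
$repeated = parse_form_body('var=1&var=2&var=3');
$encoded  = parse_form_body('var=1%2C2%2C3');

// The list form keeps the difference visible.
echo count($repeated['var']), " value(s) vs ", count($encoded['var']), " value(s)\n";

// Joining with commas, as the posted script does, erases it.
$collides = implode(',', $repeated['var']) === implode(',', $encoded['var']);
echo "comma-joined forms identical: ", $collides ? 'yes' : 'no', "\n";

// Either way the result is untrusted client input: validate each value
// (type, length, allowed characters) before using it.
```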