HTTP_RAW_POST_DATA Security Concerns?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
tomprogers
Forum Commoner
Posts: 50
Joined: Fri Mar 17, 2006 5:17 pm
Location: Minnesota
Contact:

HTTP_RAW_POST_DATA Security Concerns?

Post by tomprogers »

I'd like to recommend to the webmaster of our site that he enable the always_populate_form_post_data flag for PHP. This is to bypass what I view as a limitation in PHP's handling of variables received via URLs and forms. If you are interested in the details, first read my original post. Briefly, if PHP receives the following query string: ?var=1&var=2&var=3;, it will keep only one of the values for var: $var==3 (I think it's the last value, but I'm not sure).

As a solution, I have enabled this flag in a single directory by placing "php_flag always_populate_raw_post_data On" in my .htaccess file. I have also written a small script that can be easily included to parse the data in $HTTP_RAW_POST_DATA into an array I'm calling $_FORM. Below is the code:

Code: Select all

if(isset($HTTP_RAW_POST_DATA))
{
	$pairs = explode("&", $HTTP_RAW_POST_DATA); // break the query string up into name=value pairs
	$_FORM = array();
	foreach($pairs as $pair)
	{
		$pair = explode("=", $pair); $varname = $pair[0]; $value = urldecode($pair[1]); // split this pair and decode value
		if(!array_key_exists($varname, $_FORM)) // if this variable is not yet represented in the $_FORM array...
			$_FORM[$varname] = $value; // add it
		else
			if(is_array($_FORM[$varname])) // if this variables has already been turned into an array within $_FORM...
				array_push($_FORM[$varname], $value); // just add this value to the array
			else
				$_FORM[$varname] = array($_FORM[$varname], $value); // turn this variable into an array, preserving the pre-existing value
	}
	foreach($_FORM as $varname => $value) // turn arrays into lists, for conformity
		if(is_array($value)) $_FORM[$varname] = implode(",", $value);
}
This populates the $_FORM array with the values from the raw post data (which is a single string, stored in $HTTP_RAW_POST_DATA). At this point, $var == '1,2,3';, which the coder would be free to break into an array, or treat as a string.

I'd like to know if anyone is aware of any potential security problems posed either by enabling always_populate_raw_post_data or by using my script to parse the raw post data. Thanks very much.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

what if the incoming data is comma separated already?

e.g. var=1,3&var=6,2

you'll end up with "1,3,6,2" that can lead to security holes if the user of this isn't very careful.
tomprogers
Forum Commoner
Posts: 50
Joined: Fri Mar 17, 2006 5:17 pm
Location: Minnesota
Contact:

Post by tomprogers »

feyd wrote:what if the incoming data is comma separated already?

e.g. var=1,3&var=6,2

you'll end up with "1,3,6,2" that can lead to security holes if the user of this isn't very careful.
You are correct. However, that's a concern I always had to deal with before I switched to PHP, and I'm prepared to deal with it. I can see how it may be a sticking point for anyone who is not habituated to it the way I am.

One solution may be to encode it as: var=1%2C3,6%2C2 - escaping user-entered commas, and using literal commas as the delimiter.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That seems awfully kludgy way to get around using array notation. :? But it's your project and your sticking points so, have fun.
Post Reply