Search for PHP scripts requiring register_globals

I inherited a web server filled with code that requires register_globals . Most of them are user code written by random people who have come and gone over the years. I fixed most of them in scripts that I know about, but my problem is finding those that I don't know about.

I am considering writing a scanning application that walks each directory on the web server to identify PHP scripts that require register_globals. Is there a good strategy for this?

One of the methods I examined involves somehow forcing PHP to report all errors, executing the scripts, and checking for "undefined variable" notices. I could create an application that reads the STDERR stream for this.

Are there any better methods you can think of?

+8
php register-globals
5 answers

Most IDEs will show you undefined variables, PhpStorm, for example. You can let it scan all of your source files, and you will be notified of undefined variables in all of your code without actually executing it.

This is probably the easiest and most painless option. Alternatively, you could write your own script using the Tokenizer and identify all T_VARIABLEs that have not previously been initialized with T_VARIABLE '=' expr. But it will be more error prone. Using an IDE is likely to give you better results with less effort.

+6

Assuming that individual files either always or never use register_globals, you can create a list of all the names of the form elements that are passed to the script, and then check whether the script uses $fieldname without taking it from $_REQUEST['fieldname'] (or the $_POST / $_GET arrays).

Your "check for notices" method will work if you can guarantee very high code coverage when performing these checks (to make sure that you haven't missed anything; the uncovered parts must be checked manually).

+3

While checking your logs for symptoms of scripts written in anticipation of globals might be helpful, reading through the code is the only way to do this. If you want to automate this, you will need to build on or rely on the PHP interpreter; otherwise you are destined to miss material embedded in conditions, potential evals, etc.

+2

There is a way to detect the use of register_globals variables that are strings in running code. You can create the following script and use the PHP auto_prepend_file option to add it to the existing code.

    <?php
    // Wrapper object that stands in for a request value so that every read of the
    // global (as a string) goes through __toString() and can be logged there.
    class revealGlobalsUsage
    {
        public $globalName;
        public $globalVal;

        public function __construct($name, $val)
        {
            $this->globalName = $name;
            $this->globalVal = $val;
        }

        public function __toString()
        {
            $backtrace = debug_backtrace();
            // log backtrace here...
            return $this->globalVal;
        }
    }

    // overwrite globals that have been set from GET and POST requests
    foreach ($_REQUEST as $name => $val) {
        // Strings that are cast to integers will fail as there
        // is no __toString equivalent for integers/bool/float etc.
        if (is_string($val) && !is_numeric($val)) {
            $GLOBALS[$name] = new revealGlobalsUsage($name, $val);
        }
        // You can log all GET/POST requests here...
    }

For integers, etc. you will need to fix your PHP: https://gist.github.com/ircmaxell/1966809

+1

I ran into this problem in a huge code base with thousands of files. Inspired by the solution posted by @sschueller, I tested this auto_prepend_file code that logs cases for investigation. This method should also be used in conjunction with parsing / tokenization to catch all occurrences.

    <?php
    $vars = get_defined_vars();
    foreach ($vars as $var => $value) {
        // get_defined_vars() returns names without the leading "$"
        if (in_array($var, array('_SERVER', '_REQUEST', '_GET', '_POST', '_COOKIE', '_SESSION', '_FILES', '_ENV'))) {
            // only examine the local symbols, not superglobals
            continue;
        }
        if (array_key_exists($var, $_REQUEST) && $value == $_REQUEST[$var]) {
            error_log(sprintf("register_globals reliance detected in %s for variable %s=%s",
                $_SERVER['SCRIPT_FILENAME'], $var, $value), 3, "/var/tmp/register_globals.log");
        }
    }
+1
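As an added example that is not from this thread, here is a tokenizer-based scanner in the spirit of the first answer's T_VARIABLE suggestion: it walks a file's tokens and reports every variable that is read before any plain assignment, which is exactly what register_globals used to supply silently. It assumes PHP 7.4 or later (for T_FN) and ignores function scope, so treat its output as a candidate list to confirm by hand alongside the runtime auto_prepend_file checks posted above.

```php
<?php
// Heuristic static scan for register_globals reliance: report each variable that is
// read before any plain assignment ($x = ...) in the file, ignoring function scope.
function findUnassignedReads(string $source): array
{
    $skip = ['this', 'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES', '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];
    $declaring = [T_STATIC, T_VAR, T_PUBLIC, T_PROTECTED, T_PRIVATE, T_DOUBLE_COLON]; // var after these is declared
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $assigned = $suspects = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) continue;
        // Parameter lists, catch clauses, foreach targets (names after "as") and global
        // statements declare names: pre-mark them as assigned, then let the loop go on.
        if (in_array($t[0], [T_FUNCTION, T_FN, T_CATCH, T_FOREACH, T_GLOBAL], true)) {
            $declare = $t[0] !== T_FOREACH;
            $end = $t[0] === T_GLOBAL ? ';' : ')';
            for ($k = $i + 1, $depth = 0; $k < $n; $k++) {
                if ($tokens[$k] === '(') $depth++;
                elseif ($tokens[$k] === $end && --$depth <= 0) break;
                elseif (!is_array($tokens[$k])) continue;
                elseif ($tokens[$k][0] === T_AS) $declare = true;
                elseif ($declare && $tokens[$k][0] === T_VARIABLE) $assigned[substr($tokens[$k][1], 1)] = true;
            }
            continue;   // the outer loop still visits the tokens inside the region
        }
        if ($t[0] !== T_VARIABLE || in_array(substr($t[1], 1), $skip, true)) continue;
        $name = substr($t[1], 1);
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], $declaring, true)) { $assigned[$name] = true; continue; }
        // Step over an index chain such as $x['a'][$k] to see what follows the variable.
        for ($j = $i + 1, $depth = 0; $j < $n; $j++) {
            if ($tokens[$j] === '[') $depth++;
            elseif ($tokens[$j] === ']') $depth--;
            elseif ($depth === 0) break;
        }
        if (($tokens[$j] ?? null) === '=') {
            $assigned[$name] = true;          // plain assignment defines the name
        } elseif (!isset($assigned[$name])) {
            $suspects[$name][] = $t[2];       // read (or isset()) before any assignment
        }
    }
    return $suspects;   // e.g. ['submit' => [3], 'user' => [12, 15]]
}

// Usage (assumed CLI invocation): php scan.php path/to/script.php
foreach (findUnassignedReads(file_get_contents($argv[1] ?? 'php://stdin')) as $name => $lines)
    printf("line %d: \$%s is read before it is assigned\n", $lines[0], $name);
```

Expect false positives for list()/[] destructuring and variables defined in an included file, and false negatives for extract() and variable-variables; a hit on a name that also appears as a form field is the strongest signal.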
