Todo #15893
closed
Limit PHP request order processing to only GET and POST
100%
Description
Currently pfSense software does not define a value for request_order in php.ini, so it defaults to variables_order which is set to "GPCS". This sets $_REQUEST values first from GET parameters, then POST parameters, then cookie values, then session data.
There do not appear to be any areas in pfSense software base code or packages which utilize $_REQUEST for anything other than GET or POST, so it should be safer to limit the request order to only GET and POST.
This should also address issues users have seen with cookie data interfering in the past, such as #11268, which should be re-tested after this change.
Related issues
Updated by Jim Pingle 11 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 738f647c453a8995c6b411f91efb66c17a0d6c11.
Updated by Jim Pingle 11 months ago
- Plus Target Version changed from 25.01 to 25.03
Updated by Jim Pingle 11 months ago
- Status changed from Feedback to Resolved
Working as expected in latest snapshots, $_REQUEST is only populated with data from GET or POST, cookie values are ignored.
Updated by Jim Pingle 11 months ago
- Related to Bug #11268: Cookie named ``id`` prevents some forms from being loaded or saved properly added
Updated by Jim Pingle 4 months ago
- Plus Target Version changed from 25.03 to 25.07