Todo #15893
closed
Limit PHP request order processing to only GET and POST
% Done: 100%
Plus Target Version: 25.07
Release Notes: Default
Description
Currently pfSense software does not define a value for request_order in php.ini, so it defaults to variables_order which is set to "GPCS". This sets $_REQUEST values first from GET parameters, then POST parameters, then cookie values, then session data.
There do not appear to be any areas in pfSense software base code or packages which utilize $_REQUEST for anything other than GET or POST, so it should be safer to limit the request order to only GET and POST.
This should also address issues users have seen with cookie data interfering in the past, such as #11268, which should be re-tested after this change.
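
The precedence described above, as an added example that is not pfSense code: it emulates how PHP fills $_REQUEST from the order string, shows a cookie overriding a GET parameter of the same name under "GPCS" but not under "GP", and then reports the settings of the running interpreter. The function names and the sample request values are constructed for illustration.

```php
<?php
// Added illustration, not pfSense code. Function names and sample values are constructed.

// PHP uses request_order for $_REQUEST when it is set, otherwise variables_order.
function effective_request_order(string $requestOrder, string $variablesOrder): string
{
    return $requestOrder !== '' ? $requestOrder : $variablesOrder;
}

// Emulate the merge: sources are applied left to right and a later source
// overwrites an earlier one on a key collision. Only G, P and C contribute
// to $_REQUEST; other letters are skipped. Shallow merge, enough for scalars.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Report whether cookies can reach $_REQUEST under a given pair of settings.
function cookies_reach_request(string $requestOrder, string $variablesOrder): bool
{
    return stripos(effective_request_order($requestOrder, $variablesOrder), 'C') !== false;
}

// Constructed request: a leftover cookie shares its name with a GET parameter.
$get    = ['id' => '5'];
$post   = [];
$cookie = ['id' => 'stale-cookie-value'];

foreach (['' => 'request_order unset', 'GP' => 'request_order = "GP"'] as $ro => $label) {
    $order   = effective_request_order((string)$ro, 'GPCS');
    $request = build_request($order, $get, $post, $cookie);
    printf("%-22s id=%s cookies_in_request=%s\n", $label, $request['id'],
        cookies_reach_request((string)$ro, 'GPCS') ? 'yes' : 'no');
}

// Check the interpreter actually serving the page.
printf("live: request_order=%s variables_order=%s cookies_in_request=%s\n",
    var_export(ini_get('request_order'), true), var_export(ini_get('variables_order'), true),
    cookies_reach_request((string)ini_get('request_order'), (string)ini_get('variables_order')) ? 'yes' : 'no');
```

The CLI and the web SAPI can load different php.ini files, so run the last check through the web server to confirm the deployed setting.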