#1 PHP 4.2.0 + Direct Images

open
nobody
None
5
2005-02-15
2005-02-15
Brian Enigma
No

As you may or may not know, PHP 4.2.0 and later defaults to the
"register globals" setting as disabled for security reasons. This
means you cannot directly access an incoming form variable like
"$rawURL." You instead have to use "$_REQUEST['rawURL']" or
"$_GET['rawURL']." The query string and extra path information
also follow a similar thing.

This is a patch that allows using Arbitroweb directly "out of the
box" on newer PHP installations, without having to change your
"register globals" setting (and thereby possibly compromising
security.) It should work on PHP versions back to 4.1.0 (which
looks like the time that $_REQUEST was added), but has not been
tested that far back.

This patch also includes some limited mime type checking (based
on the filename extension, if any, in the URL) for common image
formats. This means you can directly enter
"http://server.com/blah/blah/blah.jpg" into the text field and get a displayable image,
instead of a text dump of the binary data (because it has a content
type saying it is an image rather than text).
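
The two changes described above, sketched as an added example that is not the attached patch or Arbitroweb's own code: reading the parameter without "register globals", and choosing a content type from the URL's filename extension. It assumes PHP 7.1 or later, and every name except the `rawURL` parameter is hypothetical.

```php
<?php
// Added example; not the attached patch. Assumes PHP 7.1+.
// All names are hypothetical except the 'rawURL' parameter from the description.

// Allowlist of image extensions; anything not listed is served as plain text.
const IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Read a parameter from the superglobal instead of relying on register_globals.
function request_param(array $source, string $name): ?string
{
    $value = $source[$name] ?? null;
    return is_string($value) ? $value : null; // rawURL[]=x arrives as an array
}

// Choose the Content-Type from the extension of the URL path only, so a query
// string such as ?img=.png cannot change the result.
function content_type_for_url(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return 'text/plain';
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return IMAGE_TYPES[$ext] ?? 'text/plain';
}

// Headers for the proxied response; nosniff keeps the browser from
// overriding the type chosen here.
function response_headers(?string $url): array
{
    $type = $url === null ? 'text/plain' : content_type_for_url($url);
    return ["Content-Type: $type", 'X-Content-Type-Options: nosniff'];
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['rawURL' => 'http://server.com/blah/blah/blah.jpg'],
    ['rawURL' => 'http://server.com/blah/page.php?img=.png'],
    ['rawURL' => ['http://server.com/a.gif']],
    [],
];
foreach ($samples as $get) {
    echo implode(' | ', response_headers(request_param($get, 'rawURL'))), "\n";
}
```

In a real handler the first argument to `request_param` would be `$_GET` or `$_REQUEST`, and each returned string would be passed to `header()`.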

Discussion

  • Brian Enigma
    2005-02-15

    Modern PHP + direct img patch