note if you're doing this (good idea, btw), I should finish the
openevent cleanup to just be a url instead of the form stuff. Let me
know beforehand, I need a day or so to finish that.
Jim Hu wrote:
> As part of an overall security sweep on my server, I'm thinking of
> modifying my copy of phpicalendar to test the values of all
> user-supplied variables. I think this would involve rewriting
> init.inc.php (that's what always gets executed first, right? I would
> use the general approach described in
>
> http://phpsec.org/projects/guide/1.html#1.1
>
> where the tested variables from $_REQUEST[$key] get put into an array
> called $clean['$key'], which replaces $_POST, $_GET, or $_REQUEST where
> appropriate. This would mean modifying not only init.inc.php, but also
> all files that use superglobals directly.
>
> I don't actually think there are currently security exploits for
> phpicalendar, and I'm not sure how anyone would create one, but I've
> been feeling paranoid, and I've been doing this for all my other code.
> Any thoughts? Is there a reason not to do this? It will not be
> compatible with versions of php prior to 4.1.0.
>
> Jim Hu
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel
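The $clean pattern Jim describes (filter every request value once at init time, then have every script read only from the filtered array), as an added example that is not code from the phpicalendar project or from either poster. The parameter names (cal, getdate, view), their whitelists, the calendar directory and the init.inc.php placement are assumptions.

```php
<?php
// Added example: an init-time input filter in the style of the phpsec guide
// linked in the thread. Application code reads $clean only; a value that is
// not listed here, or that fails its whitelist, is replaced by a safe default.
// Parameter names, patterns and the calendar directory are assumptions.

function build_clean_request(array $request, $calendar_dir)
{
    $clean = array();

    // Calendar name: a plain identifier that names an existing .ics file in
    // the configured directory. Rejects "../" traversal and odd bytes outright.
    if (isset($request['cal']) && is_string($request['cal'])
        && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $request['cal'])
        && is_file($calendar_dir . '/' . $request['cal'] . '.ics')) {
        $clean['cal'] = $request['cal'];
    } else {
        $clean['cal'] = 'default';
    }

    // Date: exactly YYYYMMDD and a real calendar date (checkdate catches 20050231).
    if (isset($request['getdate']) && is_string($request['getdate'])
        && preg_match('/^(\d{4})(\d{2})(\d{2})$/', $request['getdate'], $m)
        && checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        $clean['getdate'] = $request['getdate'];
    } else {
        $clean['getdate'] = date('Ymd');
    }

    // View selector: an enumerated value, compared strictly against a fixed list.
    $views = array('day', 'week', 'month', 'year');
    if (isset($request['view']) && in_array($request['view'], $views, true)) {
        $clean['view'] = $request['view'];
    } else {
        $clean['view'] = 'month';
    }

    return $clean;
}

// Assumed placement: first thing in init.inc.php, before any other file
// touches request data. Everything downstream uses $clean['cal'],
// $clean['getdate'] and $clean['view'] instead of the superglobals.
$clean = build_clean_request($_REQUEST, '/var/www/calendars');
```

Adding a new user-supplied parameter then means adding one whitelist clause here; a script that reaches for $_GET or $_POST directly is the thing to grep for in review.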