
Remove mentions to register_globals

Laurent Destailleur 5 år sedan
förälder
incheckning
6df36866e1

+ 1 - 20
build/exe/doliwamp/php.ini.install

@@ -458,16 +458,6 @@ variables_order = "GPCS"
 ; with user data.  This makes most sense when coupled with track_vars - in which
 ; case you can access all of the GPC variables through the $HTTP_*_VARS[],
 ; variables.
-;
-; You should do your best to write your scripts so that they do not require
-; register_globals to be on;  Using form variables as globals can easily lead
-; to possible security problems, if the code is not very well thought of.
-register_globals = Off
-
-; Whether or not to register the old-style input arrays, HTTP_GET_VARS
-; and friends.  If you're not using them, it's recommended to turn them off,
-; for performance reasons.
-register_long_arrays = Off
 
 ; This directive tells PHP whether to declare the argv&argc variables (that
 ; would contain the GET information).  If you don't use these variables, you
@@ -477,8 +467,7 @@ register_argc_argv = Off
 ; When enabled, the SERVER and ENV variables are created when they're first
 ; used (Just In Time) instead of when the script starts. If these variables
 ; are not used within a script, having this directive on will result in a
-; performance gain. The PHP directives register_globals, register_long_arrays,
-; and register_argc_argv must be disabled for this directive to have any affect.
+; performance gain.
 auto_globals_jit = On
 
 ; Maximum size of POST data that PHP will accept.
@@ -1101,14 +1090,6 @@ session.gc_maxlifetime = 1800
 ;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
 ;          cd /path/to/sessions; find -cmin +24 | xargs rm
 
-; PHP 4.2 and less have an undocumented feature/bug that allows you to
-; to initialize a session variable in the global scope, albeit register_globals
-; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
-; You can disable the feature and the warning separately. At this time,
-; the warning is only displayed, if bug_compat_42 is enabled.
-
-session.bug_compat_42 = 0
-session.bug_compat_warn = 1
 
 ; Check HTTP Referer to invalidate externally stored URLs containing ids.
 ; HTTP_REFERER has to contain this substring for the session to be
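Review bot: The three context lines at the top of the first hunk (`; with user data.  This makes most sense when coupled with track_vars` through `; variables.`) appear to be the first half of the register_globals description, and the commit leaves them in place with no directive after them. Anyone auditing the installed php.ini then reads a paragraph about registering GPC variables as globals that documents no setting. The paragraph starts above the hunk, so its opening lines are not visible here. I would delete the whole paragraph down to `; variables.` together with the removed block.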

+ 0 - 10
build/rpm/httpd-dolibarr.conf

@@ -29,16 +29,6 @@ Alias /dolibarr /usr/share/dolibarr/htdocs
   ErrorDocument 401 /public/error-401.php
   ErrorDocument 404 /public/error-404.php
 
-  <IfModule mod_php4.c>
-    php_flag magic_quotes_gpc Off
-    php_flag register_globals Off
-  </IfModule>
-
-  <IfModule mod_php5.c>
-    php_flag magic_quotes_gpc Off
-    php_flag register_globals Off
-  </IfModule>
-
 
     # OPTIMIZE: To use gzip compressed files (for Dolibarr already compressed files).
     # Note that constant MAIN_OPTIMIZE_SPEED must have a value with bit 0 set. 

+ 1 - 41
dev/setup/codesniffer/php.ini

@@ -658,20 +658,6 @@ html_errors = Off
 ; Example:
 ;arg_separator.input = ";&"
 
-; This directive determines which super global arrays are registered when PHP
-; starts up. If the register_globals directive is enabled, it also determines
-; what order variables are populated into the global space. G,P,C,E & S are
-; abbreviations for the following respective super globals: GET, POST, COOKIE,
-; ENV and SERVER. There is a performance penalty paid for the registration of
-; these arrays and because ENV is not as commonly used as the others, ENV is
-; is not recommended on productions servers. You can still get access to
-; the environment variables through getenv() should you need to.
-; Default Value: "EGPCS"
-; Development Value: "GPCS"
-; Production Value: "GPCS";
-; http://php.net/variables-order
-variables_order = "GPCS"
-
 ; This directive determines which super global data (G,P,C,E & S) should
 ; be registered into the super global array REQUEST. If so, it also determines
 ; the order in which that data is registered. The values for this directive are
@@ -685,15 +671,6 @@ variables_order = "GPCS"
 ; http://php.net/request-order
 request_order = "GP"
 
-; Whether or not to register the EGPCS variables as global variables.  You may
-; want to turn this off if you don't want to clutter your scripts' global scope
-; with user data.
-; You should do your best to write your scripts so that they do not require
-; register_globals to be on;  Using form variables as globals can easily lead
-; to possible security problems, if the code is not very well thought of.
-; http://php.net/register-globals
-register_globals = Off
-
 ; Determines whether the deprecated long $HTTP_*_VARS type predefined variables
 ; are registered by PHP or not. As they are deprecated, we obviously don't
 ; recommend you use them. They are on by default for compatibility reasons but
@@ -722,8 +699,7 @@ register_argc_argv = Off
 ; When enabled, the SERVER and ENV variables are created when they're first
 ; used (Just In Time) instead of when the script starts. If these variables
 ; are not used within a script, having this directive on will result in a
-; performance gain. The PHP directives register_globals, register_long_arrays,
-; and register_argc_argv must be disabled for this directive to have any affect.
+; performance gain.
 ; http://php.net/auto-globals-jit
 auto_globals_jit = On
 
@@ -1516,22 +1492,6 @@ session.gc_maxlifetime = 1440
 ;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
 ;          find /path/to/sessions -cmin +24 | xargs rm
 
-; PHP 4.2 and less have an undocumented feature/bug that allows you to
-; to initialize a session variable in the global scope, even when register_globals
-; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
-; You can disable the feature and the warning separately. At this time,
-; the warning is only displayed, if bug_compat_42 is enabled. This feature
-; introduces some serious security problems if not handled correctly. It's
-; recommended that you do not use this feature on production servers. But you
-; should enable this on development servers and enable the warning as well. If you
-; do not enable the feature on development servers, you won't be warned when it's
-; used and debugging errors caused by this can be difficult to track down.
-; Default Value: On
-; Development Value: On
-; Production Value: Off
-; http://php.net/session.bug-compat-42
-session.bug_compat_42 = Off
-
 ; This setting controls whether or not you are warned by PHP when initializing a
 ; session value into the global space. session.bug_compat_42 must be enabled before
 ; these warnings can be issued by PHP. See the directive above for more information.
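Review bot: The first hunk removes the live setting `variables_order = "GPCS"` along with its comment, not just a mention of register_globals, so this file falls back to PHP's built-in default, which the deleted comment itself gives as `"EGPCS"`. That default also registers `$_ENV`, which the same deleted comment advised against on production servers. build/exe/doliwamp/php.ini.install still carries `variables_order = "GPCS"` (visible in its hunk header), so the two files now disagree; I would keep the directive and trim only the sentence about register_globals from its comment. Separately, the last hunk drops `session.bug_compat_42` but leaves the following comment that still points to it as "the directive above".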

+ 2 - 2
htdocs/main.inc.php

@@ -624,7 +624,7 @@ if (! defined('NOLOGIN'))
 			session_destroy();
 			session_name($sessionname);
 			session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
-			session_start();    // Fixing the bug of register_globals here is useless since session is empty
+			session_start();
 
 			if ($resultFetchUser == 0)
 			{
@@ -681,7 +681,7 @@ if (! defined('NOLOGIN'))
 			session_destroy();
 			session_name($sessionname);
 			session_set_cookie_params(0, '/', null, false, true);   // Add tag httponly on session cookie
-			session_start();    // Fixing the bug of register_globals here is useless since session is empty
+			session_start();
 
 			if ($resultFetchUser == 0)
 			{
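Review bot: Both hunks keep `session_set_cookie_params(0, '/', null, false, true);` directly above the edited `session_start()`, and the fourth argument hard-codes the cookie's secure flag to `false`. If the instance is served over HTTPS, the session cookie re-created here can still be sent over plain HTTP, unless that is enforced somewhere not visible in these hunks. Since the adjacent line is edited, I would pass a value derived from whether the deployment is HTTPS instead of the literal, and extend the trailing comment to `// httponly always; secure when served over HTTPS`. The enclosing `if (! defined('NOLOGIN'))` block starts and ends outside both hunks.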