From f975145f51fdafff2361dc4ac240587c1b562fe8 Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Thu, 31 Dec 2009 16:04:47 -0700
Subject: [PATCH] Fatally exit if register_globals is set
---
 horde/docs/CODING_STANDARDS | 13 +++----------
 horde/lib/core.php | 8 ++------
 horde/test.php | 4 ++++
 3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/horde/docs/CODING_STANDARDS b/horde/docs/CODING_STANDARDS
index 162f34608..ab0a96247 100644
--- a/horde/docs/CODING_STANDARDS
+++ b/horde/docs/CODING_STANDARDS
@@ -308,15 +308,9 @@ Use ``example.com`` for all example URLs, per `RFC 2606`_.
 php.ini settings
 ================
-All Horde code should work with `register_globals`_ disabled. This means
-using ``$_COOKIE``, ``$_SESSION``, ``$_SERVER`` and ``$_ENV`` to access all
-cookie, session, server and environment data, respectively. By the same token,
-all Horde code should also work with `register_globals`_ enabled. Since
-applications can be expected to store data in $_SESSION['application'] it is
-therefor important that applications NOT register $GLOBALS in their own
-application name. For instance the application "foo" may create and use
-$_SESSION['foo'] but not $GLOBALS['foo']. Failing this rule may cause problems
-on PHP installations on which `register_globals`_ is enabled.
+Horde code MUST NOT use global variables set by EGPCS (Environment, GET, POST,
+Cookie, Server) data. Instead, the magic variables ``$_ENV``, ``$_GET``,
+``$_POST``, $_COOKIE``, and ``$_SERVER`` must be used instead.
 To retrieve posted data (in the global ``$_GET`` and ``$_POST`` variables), you should normally use `Horde_Util::getFormData()`_ which will automatically
@@ -334,7 +328,6 @@ No Horde code should assume that '.' is in the include path. Always specify './' in front of a filename when you are including a file in the same directory.
-.. _register_globals: http://www.php.net/manual/en/security.registerglobals.php
 .. _magic_quotes_gpc: http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
 .. _error_reporting: http://www.php.net/manual/en/ref.errorfunc.php#ini.error-reporting
 .. _Horde_Util::getFormData(): http://dev.horde.org/api/framework/Horde_Util/Horde_Util.html#methodgetFormData
diff --git a/horde/lib/core.php b/horde/lib/core.php
index 30baa2f84..437f71128 100644
--- a/horde/lib/core.php
+++ b/horde/lib/core.php
@@ -17,13 +17,9 @@ ini_set('magic_quotes_runtime', 0);
 ini_set('zend.ze1_compatibility_mode', 0);
 ini_set('allow_url_include', 0);
-/* Unset all variables populated through register_globals. */
+/* Exit immediately if register_globals is active. */
 if (ini_get('register_globals')) {
- foreach (array($_GET, $_POST, $_COOKIE, $_ENV, $_SERVER) as $var) {
- foreach (array_keys($var) as $key) {
- unset($$key);
- }
- }
+ exit('Register globals is enabled. Exiting.');
 }
 if (!defined('HORDE_BASE')) {
diff --git a/horde/test.php b/horde/test.php
index 1d9718d99..07dcb0492 100644
--- a/horde/test.php
+++ b/horde/test.php
@@ -151,6 +151,10 @@ $setting_list = array(
 'setting' => 'value',
 'error' => 'If PHP\'s internal memory limit is not set high enough Horde will not be able to handle large data items. You should set the value of memory_limit in php.ini to a sufficiently high value - at least 64M is recommended.'
 ),
+ 'register_globals' => array(
+ 'setting' => false,
+ 'error' => 'Register globals has been deprecated in PHP 5. Horde will fatally exit if it is set. Turn it off.'
+ ),
 'safe_mode' => array(
 'setting' => false,
 'error' => 'If safe_mode is enabled, Horde cannot set enviroment variables, which means Horde will be unable to translate the user interface into different languages.'
-- 
2.11.0
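Review bot: The new fatal `exit()` in horde/lib/core.php depends on the raw truthiness of `ini_get('register_globals')`, which returns the configured string. A literal value such as `off` (for example one supplied through a `php_value` override rather than `php_flag`) can come back non-empty and therefore truthy, so an install with the directive disabled could be locked out now that the branch exits instead of cleaning up. Normalising first avoids that, e.g. `if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {`, assuming the minimum PHP version (not visible here) ships the filter extension. Separately, `exit('…')` with a string only prints the message and ends with status 0, with no error response code or log entry, so CLI jobs and monitoring will not register the refusal as a failure; logging it and exiting non-zero would help. The `if (!defined('HORDE_BASE'))` block that follows continues outside the hunk.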
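Review bot: The new `'register_globals'` error string in horde/test.php gives an administrator less to act on than the `memory_limit` entry above it: it names neither the directive nor the file to change, and it cites deprecation rather than the security reason. I would word it along the lines of `'error' => 'register_globals is enabled. Request data can then overwrite uninitialised script variables, so Horde refuses to run. Set register_globals = Off in php.ini.'`. How `'setting' => false` is compared with the live ini value is decided outside this hunk; it is worth confirming that it interprets the value the same way as the guard in horde/lib/core.php, so the test page and the runtime check cannot disagree. The `$setting_list` array starts and ends outside the hunk.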