officially remove Mantis' reliance on register_globals

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@1687 f5dc347c-c33d-0410-90a0-b07cc1902cb9

admin/admin_check.php

@@ -126,20 +126,6 @@ function print_yes_no( $p_result ) {
 		}
 	?>
 </tr>
-<!-- PHP Setup check -->
-<tr>
-	<td bgcolor="#ffffff">
-		register_globals should be set to On or 1
-	</td>
-	<?php
-		$test_val = ini_get( "register_globals" );
-		if ( ( 1 == $test_val ) || ( "On" == $test_val ) ) {
-			print_test_result( GOOD );
-		} else {
-			print_test_result( BAD );
-		}
-	?>
-</tr>
 <?php # ---- Windows ? ---- 
 if (substr(php_uname(), 0, 7) == 'Windows') {
 ?>
@@ -193,6 +179,27 @@ function print_yes_no( $p_result ) {
 </table>
 
 </p>
+
+<!-- register_globals check -->
+<?php
+	$t_register_globals = ini_get( 'register_globals' );
+	if ( 'off' != $t_register_globals || $t_register_globals ) { ?>
+		<table width="100%" bgcolor="#222222" border="0" cellpadding="20" cellspacing="1">
+		<tr>
+			<td bgcolor="#ffcc22">
+				<span class="title">WARNING - register_globals - WARNING</span><br /><br />
+
+				You have register_globals enabled in PHP, which is considered a security risk.  Since version 0.18, Mantis has no longer relied on register_globals being enabled.  PHP versions later that 4.2.0 have this option disabled by default.  For more information on the security issues associated with enabling register_globals, see <a href="http://www.php.net/manual/en/security.registerglobals.php">this page</a>.
+
+				If you have no other PHP applications that rely on register_globals, you should add the line <pre>register_globals = Off</pre> to your php.ini file;  if you do have other applications that require register_globals, you could consider disabling it for your Mantis installation by adding the line <pre>php_value register_globals off</pre> to a <tt>.htaccess</tt> file or a <tt>&lt;Directory&gt;</tt> or <tt>&lt;Location&gt;</tt> block in your apache configuration file.  See the apache documentation if you require more information.
+			</td>
+		</tr>
+		</table>
+
+		<br /><?php
+	}
+?>
+
 <?php # ---- Uploads ? ---- ?>
 <table width="100%" bgcolor="#222222" border="0" cellpadding="20" cellspacing="1">
 <tr>

core/php_api.php

@@ -6,7 +6,7 @@
 	# See the files README and LICENSE for details
 
 	# --------------------------------------------------------
-	# $Id: php_api.php,v 1.4 2002-09-17 20:12:29 jfitzell Exp $
+	# $Id: php_api.php,v 1.5 2002-12-29 10:58:09 jfitzell Exp $
 	# --------------------------------------------------------
 
 	###########################################################################
@@ -67,16 +67,6 @@ function php_version_at_least( $p_version_string ) {
 		}
 	}
 
-	# @@@ Experimental
-	# deal with register_globals being Off
-	# @@@ NOTE we want to get rid of this once we start getting all
-	#      our GPC variables with functions.  In fact we may want to
-	#      turn off register_global_variables if we can
-	if ( false == ini_get( 'register_globals' ) ) {
-		extract( $_REQUEST );
-		extract( $_SERVER );
-	}
-
 	########################
 	# PHP Constants
 	########################

doc/ChangeLog

@@ -135,6 +135,7 @@ Mantis ChangeLog
  * New config option (store_reminders): controls whether to store sent reminders as a bugnote
  * New config option (bug_reminder_threshold): the access level required to send reminders
  * New config option (reminder_recipents_monitor_bug): To automatically add recipients of bug reminders to the monitor list of the defect.  This is done if the access level is greater than or equal to monitor threshold and the recipient is not the handler or the reporter.
+ * Security fix: Mantis no longer relies on register_globals being turned on
 
 2002.08.23  -  0.17.5
  * Corrected bug_delete.php and bug_delete_page.php, which ignored the $g_allow_bug_delete_access_level setting.

doc/TROUBLESHOOTING

@@ -23,11 +23,6 @@ or messages.
 	either reinstall or manually convert passwords over to another supported
 	encryption system.
 
-	SOLUTION 3: You do not have register_globals enabled. Set this to On in
-	your php.ini file.
-
-	http://www.php.net/manual/en/configuration.php#ini.register-globals
-
 	SOLUTION 4: You do not have cookies enablewd in your browser.  You must
 	have cookies enabled.  Sometimes, especially after an upgrade, you may
 	have to delete your previous cookies.

doc/configuration.html

@@ -1271,14 +1271,6 @@ <h2>Content</h2>
 		Time page loads.  Shows at the bottom of the page.
 	</td>
 </tr>
-<tr>
-	<td width="20%" bgcolor="#ddddff">
-		$g_register_globals
-	</td>
-	<td width="80%" bgcolor="#ffffff">
-		Experimental.  If your register_globals is Off then set this to OFF.  Check your register_globals setting in php.ini or phpinfo().
-	</td>
-</tr>
 <tr>
 	<td colspan="2" bgcolor="#eeeeee">
 		&nbsp;