Forbid write access to entire $GLOBALS #6401

Open
Tracked by #6395
weirdan opened this issue Sep 4, 2021 · 2 comments
Collaborator

weirdan commented Sep 4, 2021

https://wiki.php.net/rfc/restrict_globals_usage

Psalm should warn whenever $GLOBALS as a whole could be modified.

weirdan added this to the PHP 8.1 milestone Sep 4, 2021
Collaborator

orklah commented Sep 4, 2021

Besides $_SESSION, is there another superglobal where it's legit to write to?

I'd be all for forbidding rewriting values in any superglobal (except for sessions of course).

Collaborator Author

weirdan commented Sep 4, 2021

Pretty much all individual elements of superglobal arrays can be written to. E.g. $_GET['a'] = "b", $_SERVER["whatever"] = "flies" etc. - basically monkey-patching them to work around code that uses superglobals. Replacing an entire superglobal is also occasionally useful - e.g. unset($_GET) to force people to use a PSR request instead. None of these changed in 8.1.

An option to flag superglobal access (both read and write) would be useful, but this issue is not about that.
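One way to approximate the check this issue asks for, added here as an illustration and not taken from the thread or from Psalm's code base: a token-level heuristic that reports places where $GLOBALS is assigned, bound by reference or unset as a whole, while leaving element writes such as $GLOBALS['debug'] = true and $_GET['a'] = "b" alone. The names findWholeGlobalsWrites and ASSIGN_OPS and the sample source are assumptions made for the example.

```php
<?php
// Added illustration: a token-level heuristic, not Psalm's implementation.
// Flags writes to $GLOBALS as a whole; writes to single elements are ignored.
const ASSIGN_OPS = ['=', '+=', '-=', '*=', '/=', '.=', '%=', '|=', '&=',
                    '^=', '<<=', '>>=', '**=', '??='];
function findWholeGlobalsWrites(string $source): array
{
    // Reduce every token to [id, text, line], dropping whitespace and comments.
    $tokens = [];
    foreach (token_get_all($source) as $t) {
        $t = is_array($t) ? $t : [null, $t, 0];
        if (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $tokens[] = $t;
        }
    }
    $findings = [];
    foreach ($tokens as $i => [$id, $text, $line]) {
        if ($id !== T_VARIABLE || $text !== '$GLOBALS') {
            continue;
        }
        $prev  = $tokens[$i - 1][1] ?? '';
        $prev2 = $tokens[$i - 2][1] ?? '';
        $next  = $tokens[$i + 1][1] ?? '';
        if (in_array($next, ASSIGN_OPS, true)) {
            $findings[] = ['line' => $line, 'kind' => "assignment ($next)"];
        } elseif ($prev === '&') {
            $findings[] = ['line' => $line, 'kind' => 'reference taken'];
        } elseif ($prev === '(' && strtolower($prev2) === 'unset' && $next === ')') {
            $findings[] = ['line' => $line, 'kind' => 'unset'];
        }
        // By-reference argument passing is invisible here: it needs the callee's signature.
    }
    return $findings;
}

// Constructed sample; held in a nowdoc so it is only tokenised, never executed.
$sample = <<<'PHP'
<?php
$GLOBALS['debug'] = true;
$_GET['a'] = "b";
$GLOBALS = [];
$GLOBALS += ['x' => 1];
$copy = $GLOBALS;
$ref =& $GLOBALS;
unset($GLOBALS);
PHP;
foreach (findWholeGlobalsWrites($sample) as $f) {
    printf("line %d: %s\n", $f['line'], $f['kind']);
}
```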
