-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
is_token_user_input categorizes many variables incorrectly #37
Comments
Fair point. However, those variables, especially _FILES and _SERVER can actually have user input, so we can't really suppress them just like that. One thing that could be done would be to add a list of safe keys and skip them went not in paranoia mode. This won't be an easy task. Like Currently there's no planned big efforts to provide a better lowered false positive (like #31), but I'm sure this would be on top of any list after we solve the documentation problem (#44). I'll keep this open to be considered once we're there. Thanks |
Oh wow I'm so consistent without remembering anything it's scary. We do are using This is just an example on how it could be done, as I don't think |
The is_token_user_input function in utils blanketly categorizes $_FILES, $_SERVER, and $_ENV as direct user input. This leads to a high volume of false positives when using server generated values in these variables.
The text was updated successfully, but these errors were encountered: