Any variable that a user can control, an attacker can also control and is therefore a source of an attack. This is called a "tainted" variable, and is unsafe.
When using $_SERVER
, many of the variables can be controlled. PHP_SELF
, HTTP_USER_AGENT
, HTTP_X_FORWARDED_FOR
, HTTP_ACCEPT_LANGUAGE
and many others are a part of the HTTP request header sent by the client.
Does anyone know of a "safe list" or untainted list of $_SERVER
variables?
There's no such thing as "safe" or "unsafe" values as such. There are only values that the server controls and values that the user controls and you need to be aware of where a value comes from and hence whether it can be trusted for a certain purpose.
$_SERVER['HTTP_FOOBAR']
for example is entirely safe to store in a database, but I most certainly wouldn'teval
it.As such, let's divide those values into three categories:
Server controlled
These variables are set by the server environment and depend entirely on the server configuration.
'GATEWAY_INTERFACE'
'SERVER_ADDR'
'SERVER_SOFTWARE'
'DOCUMENT_ROOT'
'SERVER_ADMIN'
'SERVER_SIGNATURE'
Partly server controlled
These variables depend on the specific request the client sent, but can only take a limited number of valid values, since all invalid values should be rejected by the web server and not cause the invocation of the script to begin with. Hence they can be considered reliable.
'HTTPS'
'REQUEST_TIME'
'REMOTE_ADDR'
*'REMOTE_HOST'
*'REMOTE_PORT'
*'SERVER_PROTOCOL'
'HTTP_HOST'
†'SERVER_NAME'
†'SCRIPT_FILENAME'
'SERVER_PORT'
‡'SCRIPT_NAME'
* The
REMOTE_
values are guaranteed to be the valid address of the client, as verified by a TCP/IP handshake. This is the address where any response will be sent to.REMOTE_HOST
relies on reverse DNS lookups though and may hence be spoofed by DNS attacks against your server (in which case you have bigger problems anyway). This value may be a proxy, which is a simple reality of the TCP/IP protocol and nothing you can do anything about.† If your web server responds to any request regardless of
HOST
header, this should be considered unsafe as well. See How safe is $_SERVER[“HTTP_HOST”]?.Also see http://shiflett.org/blog/2006/mar/server-name-versus-http-host.
‡ See https://bugs.php.net/bug.php?id=64457, http://httpd.apache.org/docs/current/mod/core.html#usecanonicalphysicalport, http://httpd.apache.org/docs/2.4/mod/core.html#comment_999
Entirely arbitrary user controlled values
These values are not checked at all and do not depend on any server configuration, they are entirely arbitrary information sent by the client.
'argv'
,'argc'
(only applicable to CLI invocation, not usually a concern for web servers)'REQUEST_METHOD'
§'QUERY_STRING'
'HTTP_ACCEPT'
'HTTP_ACCEPT_CHARSET'
'HTTP_ACCEPT_ENCODING'
'HTTP_ACCEPT_LANGUAGE'
'HTTP_CONNECTION'
'HTTP_REFERER'
'HTTP_USER_AGENT'
'AUTH_TYPE'
‖'PHP_AUTH_DIGEST'
‖'PHP_AUTH_USER'
‖'PHP_AUTH_PW'
‖'PATH_INFO'
'ORIG_PATH_INFO'
'REQUEST_URI'
(may contain tainted data)'PHP_SELF'
(may contain tainted data)'PATH_TRANSLATED'
'HTTP_'
value§ May be considered reliable as long as the web server allows only certain request methods.
‖ May be considered reliable if authentication is handled entirely by the web server.
The superglobal
$_SERVER
also includes several environment variables. Whether these are "safe" or not depend on how (and where) they are defined. They can range from completely server controlled to completely user controlled.In PHP every
$_SERVER
variable starting withHTTP_
can be influenced by the user. For example the variable$_SERVER['HTTP_REINERS']
can be tainted by setting the HTTP headerREINERS
to an arbitrary value in the HTTP request.