Slide 1

Looking back at register_globals: why now, of all times. PHPerKaigi (Tue). Wataru Miyaguni, @gongo

Slide 2

About me: @gongo, github.com/gongo, SmartHR, Inc.

Slide 3

About me (cont'd): my hobby is reimplementing everything in Emacs.
- An NES (Famicom) emulator written in Emacs Lisp: https://github.com/gongo/emacs-nes
- Implementing a JVM in Emacs, so that Emacs becomes a JVM: https://github.com/gongo/emacs-jvm

Slide 4

Agenda
- What is register_globals?
- Tracing the life of register_globals
- How to live in a world without register_globals

Slide 5

What is register_globals?

Slide 6

What is register_globals? A php.ini directive that existed in PHP … through … (version numbers lost from the slide). https://www.php.net/manual/ja/ini.core.php#ini.register-globals

Slide 7

register_globals in action: register_globals = Off

Slide 8

register_globals in action: register_globals = On

Slide 9

register_globals in action: the form field's name becomes the variable name, as-is.

Slide 10

What register_globals achieved. https://www.youtube.com/watch?v=wCZ5TJCBWMg&t=1339
In his phpDay keynote "25 Years of PHP", Rasmus touched on register_globals:
"Without register_globals, PHP would not have developed the way it has."
"At a time when many users were not used to building dynamic web pages, being able to refer to a variable named exactly after the form field was groundbreaking."

Slide 11

Where there is light, there is also shadow. PHP manual > Security > Using Register Globals: https://www.php.net/manual/ja/security.globals.php

Slide 12

Unsafe code example (register_globals = Off). https://www.php.net/manual/ja/security.globals.php

Slide 13

Unsafe code example (register_globals = On). https://www.php.net/manual/ja/security.globals.php

Slide 14

A famous remark about PHP (Web Archive): IPA Secure Programming Course, Chapter 1, "Hints for better web application design".

Slide 15

Summary: what is register_globals?
- ✨ An amazing feature
- The leading player that, for better or worse, drove PHP's growth
I want to follow this leading player through its whole life!!

Slide 16

The life of register_globals

Slide 17

The life of register_globals (timeline)

Slide 18

PHP 4.0 beta 3
- register_globals is implemented
- At this point it was still called gpc_globals
- Only GET, POST and COOKIE were covered
- Because it came to handle other sources as well (SESSION and so on), it was renamed in PHP 4.0 beta …
https://github.com/php/php-src/commit/ab16816e

Slide 19

Up to PHP 4.0.6 (first half of 2001)
- Security inquiries flooded in: "register_globals is all bad, it's dangerous."
- Rasmus, in a mailing-list post: "Some of the code in question is as simple as variables left uninitialised; just removing this setting will not solve that."
- And various other things happened after that...

Slide 20

Up to PHP 4.0.6 (cont'd). https://marc.info/?l=php-internals&m=99638397319055&w=2
Rasmus posted a proposal for PHP … onward to the developer mailing list. In summary:
"Let's make the default off."
"I want to keep a mechanism for accessing GET and POST easily (safely, of course)."

Slide 21

Up to PHP 4.0.6 (cont'd). https://marc.info/?l=php-internals&m=99638397319055&w=2
✍ The proposal Rasmus posted to the developer mailing list opened with these sentences:
"The best thing about PHP is that it has such a shallow learning curve that non-programmers can write web apps. The worst thing about PHP is that it has such a shallow learning curve that non-programmers write web apps." (via the opening of the proposal)

Slide 22

PHP 4.1.0. https://www.php.net/releases/4_1_0.php
- ⚙ Superglobals are implemented: $_GET, $_POST and so on. Unlike the older HTTP_xxx_VARS arrays, they can be used right away without a global declaration, which makes them convenient.
- ⚙ import_request_variables() is implemented: a function that reproduces the register_globals feature in a slightly safer form.

Slide 23

PHP 4.1.0 (cont'd): an example of import_request_variables(). https://www.php.net/manual/en/function.import-request-variables

Slide 24

PHP 4.2.0: ⚙ register_globals becomes OFF by default. https://www.php.net/releases/4_2_0.php

Slide 25

PHP 5.3.0: ⚙ register_globals is deprecated. https://www.php.net/releases/5_3_0.php

Slide 26

PHP 5.4.0: Goodbye register_globals ⚰. Features removed alongside it: magic_quotes, safe_mode. https://www.php.net/releases/5_4_0.php

Slide 27

register_globals has lived out its life… ⚰

Slide 28

register_globals has lived out its life… ⚰ …but the lives of the apps that used register_globals go on!!

Slide 29

Living on in a world without register_globals

Slide 30

How should an app that used register_globals survive?
- Remove the dependency on register_globals and start a new life: the proper approach.
- Do nothing and stop updating at PHP …: then you cannot address vulnerabilities other than register_globals either.
- Write code that reproduces register_globals and raise the PHP version: ⚔ the hard road (修羅の道). This talk is about this option.

Slide 31

I looked it up on php.net: https://www.php.net/manual/en/faq.misc.php "How do I deal with register_globals?"

Slide 32

That method is wrong. Let's look at what is wrong with it, and what a trouble-free reimplementation looks like, in three parts:
- register_globals: beginner
- register_globals: intermediate
- register_globals: advanced

Slide 33

The register_globals feature set (to be filled in)
- Beginner: spec / handling
- Intermediate: spec / handling
- Advanced: spec / handling

Slide 34

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: (not yet)
- Intermediate: (not yet)
- Advanced: (not yet)

Slide 35

The order of merging into global variables: which one wins?

Slide 36

The order of merging into global variables. From the manual (https://www.php.net/manual/ja/ini.core.php#ini.variables-order): "If the deprecated register_globals directive is on, then variables_order also configures the order in which the ENV, GET, POST, COOKIE and SERVER variables are populated in global scope." So variables_order has to be taken into account.

Slide 37

The order of merging into global variables (cont'd): an example of variables_order. https://www.php.net/manual/ja/ini.core.php#ini.variables-order

Slide 38

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: (not yet)
- Advanced: (not yet)

Slide 39

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: spec: watch out for $_SESSION. Handling: (not yet)
- Advanced: (not yet)

Slide 40

The relationship between $_SESSION and register_globals

Slide 41

The relationship between $_SESSION and register_globals (cont'd)

Slide 42

Session variables alone are passed by reference. https://gongo.hatenablog.com/entry/2014/12/24/132841
- They must not be handled the same way as $_GET, $_POST and the rest
- Roughly like this: (diagram)

Slide 43

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: spec: watch out for $_SESSION. Handling: make friends with references.
- Advanced: (not yet)
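As an added example (not code from the slides, and not merciful-polluter's), the beginner and intermediate points above in one runnable PHP script: the import walks variables_order so that later letters overwrite earlier ones, and session entries are aliased by reference rather than copied. The import goes into a plain $scope array instead of $GLOBALS so the script can be run as-is; the request and session data are constructed.

```php
<?php
// Added example (not code from the slides or from merciful-polluter):
// a minimal register_globals emulation that follows variables_order the
// way the manual describes (letters E, G, P, C, S; later letters overwrite
// earlier ones) and aliases session entries by reference (slide 42).
function emulate_register_globals(
    array &$scope, string $variablesOrder, array $sources, array &$session
): void {
    foreach (str_split(strtoupper($variablesOrder)) as $letter) {
        foreach (($sources[$letter] ?? []) as $name => $value) {
            // Import only valid identifiers (simplification: the real
            // feature also rewrote '.' and ' ' in names to '_').
            if (is_string($name) && preg_match('/\A[A-Za-z_]\w*\z/', $name)) {
                $scope[$name] = $value;
            }
        }
    }
    // $_SESSION is the odd one out: a copy would break write-back, so the
    // global must share the session slot itself.
    foreach ($session as $name => &$slot) {
        $scope[$name] = &$slot;
    }
    unset($slot);
}

// Constructed request: 'user' arrives via GET and via POST, and ?authorized=1
// targets a flag the script never initialised (the manual's unsafe example).
function demo(string $variablesOrder): array
{
    $sources = [
        'E' => [], 'C' => [], 'S' => [],
        'G' => ['user' => 'from_get', 'authorized' => '1'],
        'P' => ['user' => 'from_post'],
    ];
    $session = ['counter' => 1];
    $scope   = [];
    emulate_register_globals($scope, $variablesOrder, $sources, $session);
    $leaked = !empty($scope['authorized']);   // true: the request set the flag
    $scope['authorized'] = false;             // the manual's fix: initialise before use
    $scope['counter']++;                      // writes through to the session
    return [
        'user'       => $scope['user'],       // 'GP' -> from_post, 'PG' -> from_get
        'leaked'     => $leaked,
        'authorized' => $scope['authorized'],
        'session'    => $session['counter'],  // 2, thanks to the reference
    ];
}

print_r(demo('GP'));
print_r(demo('PG'));
```

Running both calls shows the same request producing a different $user depending solely on variables_order, which is why an emulation that hard-codes one merge order is wrong.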

Slide 44

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: spec: watch out for $_SESSION. Handling: make friends with references.
- Advanced: spec: be very careful with $_FILES. Handling: (not yet)

Slide 45

A refresher on $_FILES

Slides 46 to 50

When $_FILES becomes global variables… (built up over five slides) https://gongo.hatenablog.com/entry/2014/10/02/211520

Slide 51

When $_FILES becomes global variables… oh, it's that one! https://gongo.hatenablog.com/entry/2014/10/02/211520

Slide 52

An aside: a note that used to be in the extract() documentation (https://www.php.net/manual/ja/function.extract.php): "If register_globals is on and you run extract() on $_FILES specifying EXTR_SKIP, you may be surprised by the results."

Slide 53

An aside (cont'd): the extract() note again, and yes, I was surprised! https://www.php.net/manual/ja/function.extract.php

Slide 54

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: spec: watch out for $_SESSION. Handling: make friends with references.
- Advanced: spec: be very careful with $_FILES. Handling: good luck with that.

Slide 55

The register_globals feature set
- Beginner: spec: the order in which values are merged into global variables. Handling: follow variables_order.
- Intermediate: spec: watch out for $_SESSION. Handling: make friends with references.
- Advanced: spec: be very careful with $_FILES. Handling: good luck with that.

- Taking all of this into account is a lot of work
- And maybe there is even more
- Doing it all yourself may be hopeless
For those of you in that spot, a bit of good news.

Slide 56

gongo/merciful-polluter. https://github.com/gongo/merciful-polluter
- A library that reproduces register_globals on PHP … and later
- As of …, verified to work up to PHP …
- As a bonus, it also handles magic_quotes_gpc
- Translated literally: "merciful pollution"
- Think of it strictly as a stopgap
- Upgrading PHP comes first!

Slide 57

Summary

Slide 58

Summary
- register_globals really is amazing! In many senses of the word.
- If register_globals is the cancer that stops you from updating PHP, don't give up!
- It can be worked out.

Slide 59

References
- PHP manual: https://www.php.net/manual/ja/index.php
- PHP source code: https://github.com/php/php-src/tree/php-…
- PHP developer mailing list archive: https://marc.info/?l=php-internals