$_REQUEST takes GPC vars in an unwanted order


OCTAGRAM2
05-23-2011, 05:52 AM
While investigating yet another incompatibility I've discovered that Quercus takes GPC args into $_REQUEST in a different order compared to native PHP default behaviour.

I've written a small tester:

<?php
// Variable names encode where each value is sent: g = query string (GET),
// p = form body (POST), c = cookie, 0 = not sent in that source.

if ($_SERVER['REQUEST_METHOD'] == "GET") {

    // First request: set the cookies, then render a form that posts back
    // with both query-string and body parameters.
    setcookie("var_00c", "COOKIE", time() + 86400 * 60);
    setcookie("var_0pc", "COOKIE", time() + 86400 * 60);
    setcookie("var_g0c", "COOKIE", time() + 86400 * 60);
    setcookie("var_gpc", "COOKIE", time() + 86400 * 60);

?><form method="post" action="?var_g00=GET&amp;var_g0c=GET&amp;var_gp0=GET&amp;var_gpc=GET">
<input type="hidden" name="var_0p0" value="POST" />
<input type="hidden" name="var_0pc" value="POST" />
<input type="hidden" name="var_gp0" value="POST" />
<input type="hidden" name="var_gpc" value="POST" />
<input type="submit" name="Push me!" />
</form><?php

} else if ($_SERVER['REQUEST_METHOD'] == "POST") {

    // Second request: show which source won for each key in $_REQUEST.
    echo '$_REQUEST = ';
    var_dump($_REQUEST);

?><table><tr><th>Component</th><th>Value</th></tr>
<tr><td>var_000</td><td><?php echo $_REQUEST['var_000']; ?></td></tr>
<tr><td>var_00c</td><td><?php echo $_REQUEST['var_00c']; ?></td></tr>
<tr><td>var_0p0</td><td><?php echo $_REQUEST['var_0p0']; ?></td></tr>
<tr><td>var_0pc</td><td><?php echo $_REQUEST['var_0pc']; ?></td></tr>
<tr><td>var_g00</td><td><?php echo $_REQUEST['var_g00']; ?></td></tr>
<tr><td>var_g0c</td><td><?php echo $_REQUEST['var_g0c']; ?></td></tr>
<tr><td>var_gp0</td><td><?php echo $_REQUEST['var_gp0']; ?></td></tr>
<tr><td>var_gpc</td><td><?php echo $_REQUEST['var_gpc']; ?></td></tr>
</table><?php

}

?>

On Apache+PHP it outputs:

var_000
var_00c
var_0p0 POST
var_0pc POST
var_g00 GET
var_g0c GET
var_gp0 POST
var_gpc POST

On Resin+Quercus it outputs:

Component Value
var_000
var_00c COOKIE
var_0p0 POST
var_0pc COOKIE
var_g00 GET
var_g0c COOKIE
var_gp0 POST
var_gpc COOKIE

Accounting for cookies is said to be insecure, but when they are given higher priority than both GET and POST, it just breaks an application I want to deploy on Resin (UserSide Magneto).

<request_order>GP</request_order> in resin-web.xml doesn't fix this problem.
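
Added example, not part of the original post: a sketch of the left-to-right, later-overwrites-earlier merge that PHP's request_order directive describes, run over the same values the tester sends. The helper names merge_request() and shadowed_by_cookie() are hypothetical and the input arrays are constructed; the order "GP" gives the Apache+PHP table above, and an order ending in "C" gives the Resin+Quercus table.

```php
<?php
// Added illustration: merge_request() and shadowed_by_cookie() are hypothetical helpers.

// Merge sources as PHP's request_order directive describes: letters are
// processed left to right and a later source overwrites an earlier one.
function merge_request($order, array $get, array $post, array $cookie)
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $merged = array();
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Keys sent in GET or POST that a cookie of the same name would replace
// whenever cookies are merged last.
function shadowed_by_cookie(array $get, array $post, array $cookie)
{
    return array_keys(array_intersect_key($cookie, $get + $post));
}

// Constructed input: what the tester's POST request carries (submit button omitted).
$get    = array('var_g00' => 'GET', 'var_g0c' => 'GET', 'var_gp0' => 'GET', 'var_gpc' => 'GET');
$post   = array('var_0p0' => 'POST', 'var_0pc' => 'POST', 'var_gp0' => 'POST', 'var_gpc' => 'POST');
$cookie = array('var_00c' => 'COOKIE', 'var_0pc' => 'COOKIE', 'var_g0c' => 'COOKIE', 'var_gpc' => 'COOKIE');

$gp  = merge_request('GP', $get, $post, $cookie);
$gpc = merge_request('GPC', $get, $post, $cookie);

$keys = array('var_000', 'var_00c', 'var_0p0', 'var_0pc', 'var_g00', 'var_g0c', 'var_gp0', 'var_gpc');
printf("%-8s %-7s %-7s\n", 'key', 'GP', 'GPC');
foreach ($keys as $key) {
    printf("%-8s %-7s %-7s\n", $key,
        isset($gp[$key]) ? $gp[$key] : '',
        isset($gpc[$key]) ? $gpc[$key] : '');
}
echo 'Shadowed by cookie: ', implode(', ', shadowed_by_cookie($get, $post, $cookie)), "\n";
```

Code that must behave the same on both runtimes can read from merge_request('GP', $_GET, $_POST, $_COOKIE) instead of $_REQUEST, so the precedence no longer depends on how the server builds that array.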