Voting starts in March for the Drupal Association Board election.
N.B.: need to check whether it is possible to upgrade existing sites to 6.x/7.x when register_globals is enabled.
PHP's deprecated Register Globals feature is a general security risk, as discussed on that page. Under certain server configurations it can give rise to a specific cross site scripting vulnerability with Drupal core. The vulnerability is described in security announcement SA-2008-007.
Therefore, since versions 5.6 and 6.x, Drupal won't install on a server which has register_globals enabled; nor will you be able to upgrade an existing site to 6.x (need to check this). Instead, you will be presented with a message such as:
The following error must be resolved before you can continue the installation process:
register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings. (Currently using PHP register globals Enabled ('1'))
Note that the actual value of the register_globals setting under which Drupal is running is reported at the end of the message: 1 in this example.
Existing 5.x and 4.7.x sites will continue to run but will display a warning message in the admin area when upgraded to 5.6 and higher or 4.7.11 and higher.
How to disable register_globals
If you use shared hosting it may be best to try persuading your host to turn this feature off. Failing that, or if using your own server or VPS or localhost installation, you can try these approaches. Note that the configuration of the server may prevent them from having the desired effect, in which case you will need to speak to your host.
If PHP is running as CGI (how can I tell?)
You can try using a custom php.ini file located in Drupal's root folder (i.e. the folder containing Drupal's index.php). This will only work if your host has enabled the use of custom php.ini files.
So, create a file named php.ini in Drupal's root folder with the following line:
register_globals = off
If php.ini already exists then add the above line to it.
If this works, and if you created a new php.ini file, you may want to follow the instructions on the page Creating a custom php.ini using the server default php.ini and configuration settings in order to avoid inadvertently changing some of the server's PHP configuration options.
If PHP is running as an Apache module (how can I tell?)
Make sure that Drupal's main .htaccess file (the one in Drupal's root folder) includes the line:
php_value register_globals 0
This directive has been there since Drupal 4.2 (June 2003). You may want to add it again at the top of the file in case any customizations made to .htaccess are preventing the existing directive from working properly.
In 7.x you should find the following line in .htaccess
php_flag register_globals 0
This 2nd form is preferred but in practical terms shouldn't make any difference from the first form.
Note that the configuration of some servers restricts what you can do in .htaccess; however, while this directive may not work on the cheapest hosting packages it should work fine on all reasonable quality packages, provided that PHP is running as an Apache module.
If you are using your own server or localhost installation
The best approach would be to change the configuration of register_globals in the main php.ini configuration file. You can find out the location of this file by running phpinfo() (see below).
If the above don't help
If your server is running PHP 4 by default then another option is to try to force Drupal to use PHP 5. This sometimes fixes the problem because register_globals is disabled by default in PHP 5, whereas it was enabled by default in PHP 4.
In Drupal's main .htaccess file, try adding the following line:
AddType x-mapp-php5 .php
If that doesn't help then speak to your host since if they do have PHP 5 available as well as PHP 4 then there will be some way of enabling it, but the details will vary from one host to another.
Finally, note that you can't use ini_get() (e.g. in settings.php) to change the register_globals setting since it can't be modified at runtime.
How can I tell if PHP is running as CGI or as an Apache module?
Create a file named phpinfo.php in Drupal's root folder (the file must be located here to guarantee accurate results), containing the following:
Then visit http://example.com/phpinfo.php (where http://example.com is the full URL of your Drupal installation). Near the top, look for Server API. If PHP is running as CGI then this should report something like "CGI" or "CGI/FastCGI "; if running as an Apache module it should report something like "Apache", "Apache handler" or "Apache 2.0 handler".
When finished you may want to remove the phpinfo.php file to prevent the possibility of revealing information about your server configuration.