Hi Kousuke, On Thu, Feb 16, 2012 at 06:14:51PM +0900, Kousuke Ebihara wrote: > (12/02/16 16:24), J David wrote: > > reported magic_quotes_gpc as Off/On, but magic quotes behavior started > > happening anyway. Of course I just moved the configuration to the > > I've also confirmed this behavior in snapshot version of PHP 5.3 (Build on > Feb 16, 2012 00:30 UTC). > > I tested my https://gist.github.com/1840714 script. > > And I've got the following result:: > > $ wget -q "http://localhost:8080/phpinfo.php"; -O - | grep "Loaded > Configuration File" > <tr><td class="e">Loaded Configuration File </td><td > class="v">/private/tmp/php.ini </td></tr> > > $ cat /private/tmp/php.ini > magic_quotes_gpc=On > > $ wget -q "http://localhost:8080/cve-2012-0831.php?a='" -O - > PHP Version: 5.3.11-dev > magic_quotes_gpc: 0 > $_GET['a']: \' > > I think magic_quotes_gpc is not disabled. All of the PHP C sources might use > "PG(magic_quotes_gpc)" to access to that setting value, so that result might > not be affected zend_alter_ini_entry_ex(). > > But a result of "ini_get()" uses a setting value after the > zend_alter_ini_entry_ex() calling, so it reports 0. > > The above is just my guessing because I'm not an expert of PHP C source code > but probably it is not bad guessing, I think.
You're seeing the behavior reported by Ondřej Surý in https://bugs.php.net/bug.php?id=61043, where magic_quotes_gpc is configured on, but ini_get('magic_quotes_gpc') returns that it's disabled, even though magic quoting is still happening. That's different from the behavior that J David reported, where he configured it *off*, but saw magic quoting still happening. It would be great to get comments on the patch provided by Ondřej in the bug report to know if it's the correct fix, and if so, get it committed to the 5.3 branch. Thanks. -- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
signature.asc
Description: Digital signature
