#36170 [NEW]: parse_ini_file control over constants' substitution

Thu, 26 Jan 2006 09:01:44 -0800 

From:             spam01 at pornel dot net
Operating system: *
PHP version:      5.1.2
PHP Bug Type:     Feature/Change Request
Bug description:  parse_ini_file control over constants' substitution

Description:
------------
I don't agree with bug Bug #34949 being bogus. 

It was rejected stating it's programmers' responsibility to check if data
can be trusted. However this function doesn't offer such possibility -
there is no way to check what data has been substituted. Thus this
function is not safe for reading untrusted files. 

It's not unusual to read and display data structure from untrusted source.
You can do that with text files, XML, why not with ini?

Instead of originally sugested flag for disabling substitution I suggest
adding optional callback function which could be used as security
check/filter or provider of custom source of ini constants.



-- 
Edit bug report at http://bugs.php.net/?id=36170&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=36170&r=trysnapshot44
Try a CVS snapshot (PHP 5.1): 
http://bugs.php.net/fix.php?id=36170&r=trysnapshot51
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=36170&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=36170&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=36170&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=36170&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=36170&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=36170&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=36170&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=36170&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=36170&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=36170&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=36170&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=36170&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=36170&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=36170&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=36170&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=36170&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=36170&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=36170&r=mysqlcfg

Reply via email to