ID:               40586
User updated by:  gk at gknw dot de
Reported By:      gk at gknw dot de
Status:           Open
Bug Type:         Documentation problem
Operating System: at least NetWare, Win32
PHP Version:      4.4.x
New Comment:

I doubt that the fix might turn into a security problem because it's related to the system's _ENV vars, and not to something coming from outside - if we can't even trust the system's env vars then there's something wrong with the whole system's setup.
Also everyone who now expects this behavior in his code builds upon an undocumented feature.

greets, Günter.


Previous Comments:
------------------------------------------------------------------------

[2007-03-26 11:06:20] [EMAIL PROTECTED]

I think we should document this instead, as changing it might cause security problems for people.

------------------------------------------------------------------------

[2007-03-26 10:33:05] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2007-03-23 15:56:18] [EMAIL PROTECTED]

This behavior is wrong. _gpc stands for GET, POST, COOKIE.

------------------------------------------------------------------------

[2007-02-21 20:30:40] gk at gknw dot de

Description:
------------
With PHP 4.3.x and 4.4.x the _ENV superglobals get escaped if they contain backslashes and magic_quotes_gpc is on. This does happen with the Apache SAPI as well as with the CLI on the command line. When I getenv() the same environment vars this doesn't happen. Also compared to PHP 5.2.x where this doesn't happen - regardless of the magic_quotes_gpc setting.
I dug through the docu but couldn't find anything about this 'feature' mentioned with 4.x, nor the difference that it was dropped with 5.x.

Expected result:
----------------
I think this 'feature' should be mentioned in the docu, and the difference between 4.x and 5.x behaviour, also because with 4.x magic_quotes_gpc is on by default.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=40586&edit=1
