Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-16 Thread Kousuke Ebihara
(12/02/16 16:24), J David wrote:
> reported magic_quotes_gpc as Off/On, but magic quotes behavior started
> happening anyway.  Of course I just moved the configuration to the

I've also confirmed this behavior in snapshot version of PHP 5.3 (Build on Feb 
16, 2012 00:30 UTC).

I tested my https://gist.github.com/1840714 script.

And I've got the following result:

$ wget -q http://localhost:8080/phpinfo.php -O - | grep "Loaded Configuration File"
<tr><td class="e">Loaded Configuration File </td><td class="v">/private/tmp/php.ini </td></tr>

$ cat /private/tmp/php.ini
magic_quotes_gpc=On

$ wget -q http://localhost:8080/cve-2012-0831.php?a=' -O -
PHP Version: 5.3.11-dev
magic_quotes_gpc: 0
$_GET['a']: \'

I think magic_quotes_gpc is not disabled. All of the PHP C sources might use 
PG(magic_quotes_gpc) to access that setting value, so that result might 
not be affected by zend_alter_ini_entry_ex().

But the result of ini_get() uses the setting value after the 
zend_alter_ini_entry_ex() call, so it reports 0.

The above is just my guess because I'm not an expert on the PHP C source code, 
but probably it is not a bad guess, I think.

-- 
Kousuke Ebihara
ebih...@tejimaya.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
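The check below is an added example written for this thread; it is not code from the thread, from the linked gist or from the PHP project. It assumes a PHP 5.3-era request where $_SERVER['QUERY_STRING'] carries the raw query, and it decides whether magic quoting actually happened by comparing $_GET against a manually decoded copy of that query string, instead of trusting ini_get('magic_quotes_gpc'), which the output above shows reporting 0 while backslashes are still being added. The function names raw_query_params() and magic_quotes_observed() are my own.

```php
<?php
// Added example (not from the thread, the gist or PHP itself): detect whether
// magic_quotes_gpc was really applied to this request, and log a mismatch when
// ini_get() disagrees with what the request data shows.

function raw_query_params($query_string)
{
    // Decode the query string by hand. This never passes through the GPC
    // layer, so magic_quotes_gpc cannot touch the result.
    $params = array();
    if ($query_string === '') {
        return $params;
    }
    foreach (explode('&', $query_string) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $key   = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $params[$key] = $value;
    }
    return $params;
}

function magic_quotes_observed(array $get, array $raw)
{
    // Returns true if $get shows the addslashes() transformation of the raw
    // value, false if it shows the raw value unchanged, and null when no
    // parameter contained a character that magic quotes would escape
    // (so the request gives no evidence either way).
    $decidable = false;
    foreach ($raw as $key => $value) {
        // Keys PHP rewrites (a.b, a[] ...) or non-string values are skipped.
        if (!array_key_exists($key, $get) || !is_string($get[$key])) {
            continue;
        }
        if (strpbrk($value, "'\"\\\x00") === false) {
            continue;
        }
        $decidable = true;
        if ($get[$key] === addslashes($value)) {
            return true;
        }
        if ($get[$key] === $value) {
            return false;
        }
    }
    return $decidable ? false : null;
}

// Usage in a request: compare observed behaviour with the reported setting.
$query    = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
$observed = magic_quotes_observed($_GET, raw_query_params($query));
$reported = (bool) ini_get('magic_quotes_gpc');

if ($observed !== null && $observed !== $reported) {
    error_log(sprintf(
        'magic_quotes_gpc mismatch: ini_get() reports %d but request shows %s',
        $reported ? 1 : 0,
        $observed ? 'quoting applied' : 'no quoting'
    ));
}

// Strip slashes only when quoting was actually applied; fall back to the
// reported value when this request carried nothing that could be escaped.
$must_strip = ($observed === null) ? $reported : $observed;
```

A script that keys its stripslashes() handling on ini_get() alone would, under the behaviour shown above, skip stripping and store the escaped value; the observed-versus-reported comparison makes that discrepancy visible in the error log on the first request that carries a quote.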



Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

2012-02-16 Thread Steve Beattie
Hi Kousuke,

On Thu, Feb 16, 2012 at 06:14:51PM +0900, Kousuke Ebihara wrote:
> (12/02/16 16:24), J David wrote:
> > reported magic_quotes_gpc as Off/On, but magic quotes behavior started
> > happening anyway.  Of course I just moved the configuration to the
> 
> I've also confirmed this behavior in snapshot version of PHP 5.3 (Build on 
> Feb 16, 2012 00:30 UTC).
> 
> I tested my https://gist.github.com/1840714 script.
> 
> And I've got the following result:
> 
> $ wget -q http://localhost:8080/phpinfo.php -O - | grep "Loaded Configuration File"
> <tr><td class="e">Loaded Configuration File </td><td class="v">/private/tmp/php.ini </td></tr>
> 
> $ cat /private/tmp/php.ini
> magic_quotes_gpc=On
> 
> $ wget -q http://localhost:8080/cve-2012-0831.php?a=' -O -
> PHP Version: 5.3.11-dev
> magic_quotes_gpc: 0
> $_GET['a']: \'
> 
> I think magic_quotes_gpc is not disabled. All of the PHP C sources might use 
> PG(magic_quotes_gpc) to access that setting value, so that result might 
> not be affected by zend_alter_ini_entry_ex().
> 
> But the result of ini_get() uses the setting value after the 
> zend_alter_ini_entry_ex() call, so it reports 0.
> 
> The above is just my guess because I'm not an expert on the PHP C source code, 
> but probably it is not a bad guess, I think.

You're seeing the behavior reported by Ondřej Surý in
https://bugs.php.net/bug.php?id=61043, where magic_quotes_gpc is
configured on, but ini_get('magic_quotes_gpc') returns that it's
disabled, even though magic quoting is still happening.

That's different from the behavior that J David reported, where he
configured it *off*, but saw magic quoting still happening.

It would be great to get comments on the patch provided by Ondřej
in the bug report to know if it's the correct fix, and if so, get it
committed to the 5.3 branch.

Thanks.

-- 
Steve Beattie
sbeat...@ubuntu.com
http://NxNW.org/~steve/

