I've posted in php-internals list about this topic: http://marc.info/?l
=php-internalsm=132922462700684w=2
Please tell me answers to some questions.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
The PHP-version in Hardy Heron (8.04) also has the same behaviour.
(version 5.2.4-2ubuntu5.22) This broke some of the websites hosted on my
severs that relied on magic_quotes_gpc detection with
ini_get('magic_quotes_gpc') . This always returns 0 now, even when
magic_quotes_gpc switchec On in
Well, it affects all versions which got that security report (i.e. all
supported).
As far as I understand this bug, the magic_quotes are actually set to
the correct value, it's just the ini_get() which reports wrong value.
--
You received this bug notification because you are a member of Ubuntu
This bug was fixed in the package php5 - 5.3.2-1ubuntu4.14
---
php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low
* debian/patches/php5-CVE-2012-0831-regression.patch: fix
magic_quotes_gpc ini setting regression introduced by patch for
CVE-2012-0831. Thanks to Ondřej Surý
This bug was fixed in the package php5 - 5.2.4-2ubuntu5.23
---
php5 (5.2.4-2ubuntu5.23) hardy-security; urgency=low
* debian/patches/php5-CVE-2012-0831-regression.patch: fix
magic_quotes_gpc ini setting regression introduced by patch for
CVE-2012-0831. Thanks to Ondřej Surý
Yes, as Ondřej said, all supported releases were affected and the issue
was that ini_get('magic_quotes_gpc') was returning the wrong value,
magic_quotes_gpc would still get set correctly. Also,
get_magic_quotes_gpc() returned the correct value, too.
Fixes for all releases have gone out as
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: php5 (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/930115
Forwarded to https://bugs.php.net/bug.php?id=61043 with patch.
(Fortunatelly it's the Ubuntu today which needs to bite the bullet,
since I haven't uploaded Debian security update yet. ;)
I am building Debian package with updated patch and will report back.
Thanks for the test script.
** Bug
Thanks for your report. I confirm the change of behavior. This was
probably introduced in this change:
php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low
[...]
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
- debian/patches/php5-CVE-2012-0831.patch: always restore
The patch attached to PHP bug report fixes your problem:
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini
-r 'var_dump(ini_get(magic_quotes_gpc));'
string(1) 1
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini
magic_quotes_gpc = On
root@howl:/tmp#
Ondřej, thanks for diagnosing this issue! I'll review and incorporate
your patch and release a regression fix for this shortly after testing
locally.
Thanks and my apologies for introducing this regression.
** Changed in: php5 (Ubuntu Lucid)
Status: Triaged = In Progress
** Changed in:
11 matches
Mail list logo
