[
https://issues.apache.org/jira/browse/SHINDIG-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Chabot resolved SHINDIG-694.
----------------------------------
Resolution: Fixed
Assignee: Chris Chabot
Thanks for the fix, the fix has been committed.
PS: I would advise *not* using magic quotes; they're going away in PHP 6 and
depending on them is asking for trouble / exploits / double escaping and all
that good stuff :)
> bug in jsonRpcServlet.php: incorrect get_magic_quotes_gpc+stripslashes
> implementation
> -------------------------------------------------------------------------------------
>
> Key: SHINDIG-694
> URL: https://issues.apache.org/jira/browse/SHINDIG-694
> Project: Shindig
> Issue Type: Bug
> Components: RESTful API (PHP)
> Reporter: Denis
> Assignee: Chris Chabot
>
> php/src/social/servlet/JsonRpcServlet.php:
>     $requestParam = isset($GLOBALS['HTTP_RAW_POST_DATA']) ? $GLOBALS['HTTP_RAW_POST_DATA'] : $_POST['request'];
>     if (get_magic_quotes_gpc()) {
>         $requestParam = stripslashes($requestParam);
>     }
> In the case where $GLOBALS['HTTP_RAW_POST_DATA'] is set, you don't need to call
> stripslashes, because magic quotes aren't applied to
> $GLOBALS['HTTP_RAW_POST_DATA']. stripslashes can corrupt the JSON string, i.e.
> '{data:"some \"string\"."}' becomes '{data:"some "string""}' and json_decode
> fails on it.
> Solution:
>     $requestParam = isset($GLOBALS['HTTP_RAW_POST_DATA'])
>         ? $GLOBALS['HTTP_RAW_POST_DATA']
>         : (get_magic_quotes_gpc() ? stripslashes($_POST['request']) : $_POST['request']);
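The corruption reported in the issue, reproduced as an added example that is not Shindig code or part of the original message. The function names and the sample body are constructed for illustration, and because magic_quotes_gpc no longer exists in PHP, its effect on a $_POST value is simulated with addslashes().

```php
<?php
// Added example, not project code. Constructed JSON-RPC body whose string
// value contains escaped quotes (single-quoted PHP string, so \" is literal).
const SAMPLE_BODY = '{"method":"people.get","params":{"note":"some \"string\"."}}';

// Reported behaviour: stripslashes() runs on whichever source was selected.
function readRequestBuggy(?string $rawBody, ?string $postField, bool $magicQuotes): string
{
    $requestParam = $rawBody ?? $postField ?? '';
    if ($magicQuotes) {
        $requestParam = stripslashes($requestParam);
    }
    return $requestParam;
}

// Proposed solution: only the $_POST value, which the runtime escaped, is unescaped.
function readRequestFixed(?string $rawBody, ?string $postField, bool $magicQuotes): string
{
    if ($rawBody !== null) {
        return $rawBody;
    }
    $field = $postField ?? '';
    return $magicQuotes ? stripslashes($field) : $field;
}

function report(string $label, string $json): void
{
    $decoded = json_decode($json, true);
    $result = $decoded === null ? 'json_decode FAILED' : 'ok: ' . $decoded['params']['note'];
    printf("%-20s %s\n", $label, $result);
}

// Case 1: raw POST body with magic quotes enabled. The raw body was never
// escaped, so unescaping it strips the backslashes the JSON needs.
report('raw body, buggy:', readRequestBuggy(SAMPLE_BODY, null, true));
report('raw body, fixed:', readRequestFixed(SAMPLE_BODY, null, true));

// Case 2: form field with magic quotes enabled. The value arrives escaped
// once, so a single stripslashes() restores it in both versions.
$escapedField = addslashes(SAMPLE_BODY);
report('form field, buggy:', readRequestBuggy(null, $escapedField, true));
report('form field, fixed:', readRequestFixed(null, $escapedField, true));
```

Only the first line of output reports a failed decode: unescaping must be applied exactly once, and only to input that was actually escaped.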