#953: Change magic_quotes_gpc handling to require 5.2.7 and use the fixes
introduced there
---------------------+------------------------------------------------------
Reporter: david | Owner: david
Type: task | Status: new
Priority: high | Milestone: 0.11.6
Component: request | Version: 0.11.5
Severity: normal | Keywords:
Has_patch: 0 |
---------------------+------------------------------------------------------
There is a problem with {{{$_FILES}}} in PHP <5.2.7 where the
{{{tmp_name}}} index does not have its parent or children magic_quoted
(http://bugs.php.net/bug.php?id=46313).
This in itself is no problem, but a problem occurs in combination with
backslashes in the field names:
* {{{<input type="file" name="f'oo" />}}}[[BR]]results in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
* {{{<input type="file" name="f'o\o" />}}}[[BR]]results in[[BR]]{{{array("f'o\o" => array("tmp_name" => "..."))}}}
* {{{<input type="file" name="f\'oo" />}}}[[BR]]results in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
Spot the difference? The backslash in front of the quote is eaten, but
''only'' for the {{{tmp_name}}} index; other entries are fine:
* {{{<input type="file" name="f'oo" />}}}[[BR]]results in[[BR]]{{{array("f\'oo" => array("name" => "...", 'size' => '...', ...))}}}
* {{{<input type="file" name="f'o\o" />}}}[[BR]]results in[[BR]]{{{array("f'o\\o" => array("name" => "...", 'size' => '...', ...))}}}
* {{{<input type="file" name="f\'oo" />}}}[[BR]]results in[[BR]]{{{array("f\\\'oo" => array("name" => "...", 'size' => '...', ...))}}}
(those, of course, have magic quotes applied, as it's only broken for
{{{tmp_name}}})
The problem is that this makes reliable cleanup impossible, as the names
can potentially be ambiguous.
Now consider a situation where a user has a lot of {{{<input type="file"
name="images[]" />}}} in his document, simply looping over them in his
action, with validators ensuring that files are images not bigger than
100kB. If we attempted cleanups that guessed names with
{{{magic_quotes_gpc}}} and backslashes, an attacker could potentially use
that behavior to inject a file by relying on our "guessing" behavior, which
could lead to {{{tmp_name}}} entries linked to the wrong files.
Also, magic quotes are a f*ing b*tch to deal with, and we just cannot be
bothered anymore.
Hence, we'll now throw an exception if magic quotes are on and PHP < 5.2.7
is installed. This also makes tickets #944 and #945 redundant. We can
simply throw out any special version checks and workarounds and rely on
PHP, finally, after ten-or-so years, applying {{{magic_quotes_gpc}}} to
input data properly.
And no, this is not the bug that resulted in PHP 5.2.7 being pulled from
distribution. Those are not related.
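The check the ticket proposes, followed by a cleanup that strips magic quotes from keys and values alike, as an added example written for this page and not Agavi's own code. It targets PHP 5.x (where {{{get_magic_quotes_gpc()}}} still exists); the function names and the constructed sample input are assumptions.

```php
<?php
// Added example (not Agavi's code): refuse to run on the broken combination,
// then undo magic_quotes_gpc consistently once that check has passed.

/**
 * Throw when magic_quotes_gpc is on and PHP is older than 5.2.7: there the
 * $_FILES[...]['tmp_name'] keys are escaped differently from the rest of
 * $_FILES, so no stripslashes() cleanup can be applied unambiguously.
 * $phpVersion / $magicQuotesOn are parameters only to make this testable.
 */
function assertMagicQuotesAreSafe($phpVersion = PHP_VERSION, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if ($magicQuotesOn && version_compare($phpVersion, '5.2.7', '<')) {
        throw new RuntimeException(
            'magic_quotes_gpc is on and PHP ' . $phpVersion . ' escapes $_FILES '
            . 'inconsistently (http://bugs.php.net/bug.php?id=46313); upgrade to '
            . 'PHP >= 5.2.7 or set magic_quotes_gpc = Off.'
        );
    }
}

/**
 * Undo magic_quotes_gpc on array keys as well as values, recursing into
 * nested arrays such as images[] uploads. Only safe after the check above.
 */
function stripMagicQuotesDeep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $clean[stripslashes($key)] = stripMagicQuotesDeep($item);
    }
    return $clean;
}

assertMagicQuotesAreSafe();

// Constructed input shaped like $_POST under magic_quotes_gpc on PHP >= 5.2.7.
$escaped = array("f\\'oo" => "O\\'Reilly", 'images' => array('a\\"b' => 'c\\\\d'));
$clean   = stripMagicQuotesDeep($escaped);
var_dump($clean === array("f'oo" => "O'Reilly", 'images' => array('a"b' => 'c\\d')));
```

Passing a version string such as '5.2.6' and true to assertMagicQuotesAreSafe() shows the exception path without needing an old interpreter.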
--
Ticket URL: <http://trac.agavi.org/ticket/953>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets