#953: Change magic_quotes_gpc handling to require PHP 5.2.8 and use the fixes
introduced there
---------------------+------------------------------------------------------
 Reporter:  david    |       Owner:  david   
     Type:  task     |      Status:  assigned
 Priority:  high     |   Milestone:  0.11.6  
Component:  request  |     Version:  0.11.5  
 Severity:  normal   |    Keywords:          
Has_patch:  0        |  
---------------------+------------------------------------------------------
Description changed by david:

Old description:

> There is a problem with {{{$_FILES}}} in PHP <5.2.7 where the
> {{{tmp_name}}} index does not have its parent or children magic_quoted
> (http://bugs.php.net/bug.php?id=46313)
>
> This in itself is no problem, but a problem occurs in combination with
> backslashes in the field names:
>  * {{{<input type="file" name="f'oo" />}}}[[BR]]results
> in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
>  * {{{<input type="file" name="f'o\o" />}}}[[BR]]results
> in[[BR]]{{{array("f'o\o" => array("tmp_name" => "..."))}}}
>  * {{{<input type="file" name="f\'oo" />}}}[[BR]]results
> in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
> Spot the difference? The backslash in front of the quote is eaten, but
> ''only'' for the {{{tmp_name}}} index; other entries are fine:
>  * {{{<input type="file" name="f'oo" />}}}[[BR]]results
> in[[BR]]{{{array("f\'oo" => array("name" => "...", 'size' => '...',
> ...))}}}
>  * {{{<input type="file" name="f'o\o" />}}}[[BR]]results
> in[[BR]]{{{array("f'o\\o" => array("name" => "...", 'size' => '...',
> ...))}}}
>  * {{{<input type="file" name="f\'oo" />}}}[[BR]]results
> in[[BR]]{{{array("f\\\'oo" => array("name" => "...", 'size' => '...',
> ...))}}}
> (those, of course, have magic quotes applied, as it's only broken for
> {{{tmp_name}}})
>
> The problem is that it makes reliable cleanup impossible as the names can
> potentially be ambiguous.
>
> Now consider a situation where a user has a lot of {{{<input type="file"
> name="images[]" />}}} in his document, simply looping over them in his
> action, with validators ensuring that files are images not bigger than
> 100kB. If we attempted cleanups that guessed names with
> {{{magic_quotes_gpc}}} and backslashes, an attacker could potentially
> use that behavior to inject a file by relying on our "guessing" behavior
> that could lead to {{{tmp_name}}} entries linked to the wrong files.
>
> Also, magic quotes are a f*ing b*tch to deal with, and we just cannot be
> bothered anymore.
>
> Hence, we'll now throw an exception if magic quotes are on and PHP <
> 5.2.7 is installed. This also makes tickets #944 and #945 redundant. We
> can simply throw out any special version checks and workarounds and rely
> on PHP, finally, after ten-or-so-years, applying {{{magic_quotes_gpc}}}
> to input data properly.
>
> And no, this is not the bug that resulted in PHP 5.2.7 being pulled from
> distribution. Those are not related.

New description:

 There is a problem with {{{$_FILES}}} in PHP <5.2.7 where the
 {{{tmp_name}}} index does not have its parent or children magic_quoted
 (http://bugs.php.net/bug.php?id=46313)

 This in itself is no problem, but a problem occurs in combination with
 backslashes in the field names:
  * {{{<input type="file" name="f'oo" />}}}[[BR]]results
 in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
  * {{{<input type="file" name="f'o\o" />}}}[[BR]]results
 in[[BR]]{{{array("f'o\o" => array("tmp_name" => "..."))}}}
  * {{{<input type="file" name="f\'oo" />}}}[[BR]]results
 in[[BR]]{{{array("f'oo" => array("tmp_name" => "..."))}}}
 Spot the difference? The backslash in front of the quote is eaten, but
 ''only'' for the {{{tmp_name}}} index; other entries are fine:
  * {{{<input type="file" name="f'oo" />}}}[[BR]]results
 in[[BR]]{{{array("f\'oo" => array("name" => "...", 'size' => '...',
 ...))}}}
  * {{{<input type="file" name="f'o\o" />}}}[[BR]]results
 in[[BR]]{{{array("f'o\\o" => array("name" => "...", 'size' => '...',
 ...))}}}
  * {{{<input type="file" name="f\'oo" />}}}[[BR]]results
 in[[BR]]{{{array("f\\\'oo" => array("name" => "...", 'size' => '...',
 ...))}}}
 (those, of course, have magic quotes applied, as it's only broken for
 {{{tmp_name}}})

 The problem is that it makes reliable cleanup impossible as the names can
 potentially be ambiguous.

 Now consider a situation where a user has a lot of {{{<input type="file"
 name="images[]" />}}} in his document, simply looping over them in his
 action, with validators ensuring that files are images not bigger than
 100kB. If we attempted cleanups that guessed names with
 {{{magic_quotes_gpc}}} and backslashes, an attacker could potentially use
 that behavior to inject a file by relying on our "guessing" behavior that
 could lead to {{{tmp_name}}} entries linked to the wrong files.

 Also, magic quotes are a f*ing b*tch to deal with, and we just cannot be
 bothered anymore.

 Hence, we'll now throw an exception if magic quotes are on and PHP < 5.2.8
 is installed. This also makes tickets #944 and #945 redundant. We can
 simply throw out any special version checks and workarounds and rely on
 PHP, finally, after ten-or-so-years, applying {{{magic_quotes_gpc}}} to
 input data properly.

 And no, this is not the bug that resulted in PHP 5.2.7 being pulled from
 distribution. Those are not related. We're still mandating 5.2.8, as 5.2.7
 shouldn't be out there anyway.

--

-- 
Ticket URL: <http://trac.agavi.org/ticket/953#comment:3>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5


_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets

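As an added illustration (this is not Agavi's code and not part of the ticket above), the following PHP script plays the ticket's scenario through end to end: it models the $_FILES layout the ticket describes for PHP < 5.2.8 with magic_quotes_gpc on, runs the kind of slash-stripping "guessing" cleanup the ticket refuses to write, and shows the validated metadata of one field ending up attached to another field's temporary file. Then it applies the guard the ticket settles on. Everything in it is constructed: the field names, file names and tmp paths, the helpers tmpNameKey, buggyFilesArray, naiveCleanup and assertMagicQuotesUsable, and the model of how the old PHP escapes the keys, which is inferred from the ticket's examples rather than taken from PHP's source. It needs PHP 7 or later to run; the guard at the end reads the running interpreter's real settings.

```php
<?php
declare(strict_types=1);

// Added example; not Agavi code. Models the $_FILES layout ticket #953
// describes for PHP < 5.2.8 with magic_quotes_gpc=On, shows why stripping
// slashes from the keys to "clean up" is ambiguous, and shows the guard the
// ticket settles on. All field names, file names and paths are constructed.

/**
 * Assumed model of the buggy escaping, based only on the ticket's examples:
 * the key holding name/type/size/error gets addslashes(), while tmp_name is
 * stored under a key from which only a backslash in front of a quote is dropped.
 */
function tmpNameKey(string $field): string
{
    return preg_replace('/\\\\([\'"])/', '$1', $field);
}

/** Build the $_FILES array the modelled PHP < 5.2.8 would produce for the uploads. */
function buggyFilesArray(array $uploads): array
{
    $files = [];
    foreach ($uploads as $field => $upload) {
        $meta = $upload;
        unset($meta['tmp_name']);
        $k = addslashes($field);
        $files[$k] = array_merge($files[$k] ?? [], $meta);
        // Fields whose unescaped keys collide overwrite each other's tmp_name.
        $files[tmpNameKey($field)]['tmp_name'] = $upload['tmp_name'];
    }
    return $files;
}

/**
 * The "guessing" cleanup the ticket warns against: undo magic quotes by
 * stripping slashes from every key and merging whatever lands on the same key.
 */
function naiveCleanup(array $files): array
{
    $clean = [];
    foreach ($files as $key => $entry) {
        $raw = stripslashes($key);
        $clean[$raw] = array_merge($clean[$raw] ?? [], $entry);
    }
    return $clean;
}

/** Guard the ticket settles on: refuse to run at all in the broken configuration. */
function assertMagicQuotesUsable(string $phpVersion, bool $magicQuotesGpc): void
{
    if ($magicQuotesGpc && version_compare($phpVersion, '5.2.8', '<')) {
        throw new RuntimeException(
            "magic_quotes_gpc is on and PHP $phpVersion < 5.2.8 applies it "
            . "inconsistently to \$_FILES; disable magic_quotes_gpc or upgrade PHP"
        );
    }
}

// Constructed uploads (field name => what the upload handler saw), in the
// order the form posted them. The attacker controls the f\'oo field.
$uploads = [
    "f'o\\o" => ['name' => 'photo.jpg',   'type' => 'image/jpeg',        'size' => 40960,  'error' => 0, 'tmp_name' => '/tmp/phpBBBB'],
    "f'oo"   => ['name' => 'avatar.png',  'type' => 'image/png',         'size' => 51200,  'error' => 0, 'tmp_name' => '/tmp/phpAAAA'],
    "f\\'oo" => ['name' => 'payload.php', 'type' => 'application/x-php', 'size' => 900000, 'error' => 0, 'tmp_name' => '/tmp/phpCCCC'],
];

$clean = naiveCleanup(buggyFilesArray($uploads));

// $clean["f'oo"] now carries avatar.png's metadata (image/png, 51200 bytes),
// which a "small images only" validator accepts, but its tmp_name is
// /tmp/phpCCCC, the attacker's payload.php. The f'o\o and f\'oo entries keep
// their metadata and have no tmp_name at all.
var_export($clean);

// The guard, fed the running interpreter's settings. ini_get() returns false
// on PHP versions that no longer know the directive, so this passes there.
assertMagicQuotesUsable(
    PHP_VERSION,
    (bool) filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)
);
```

Run it with `php` on the command line. The script goes one step beyond the ticket's list of key shapes: it shows that the ambiguity is not merely cosmetic, because once slashes are stripped, three differently named fields fold onto two keys and the last collision wins, so the entry a validator inspects is not the entry whose temporary file gets moved. The version-and-setting check is deliberately a pure function of its two inputs so it can be exercised with any version string rather than only the interpreter it runs on.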