Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

From: Date: Thu, 16 Feb 2012 07:24:01 +0000
Subject: Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
Groups: php.internals
On Tue, Feb 14, 2012 at 8:35 AM, Ferenc Kovacs <[email protected]> wrote:
> as far as I can see the referenced fix (
> http://svn.php.net/viewvc?view=revision&revision=323016)
> never made to the
> 5.3.10 release (
> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3_10/?pathrev=323032&view=log
> )

Preface: I am not an expert in these matters by any means.

I happened to do some work with a build of the PHP_5_3 branch that did
include SVN revision 323016.  With that revision, I observed some
weird behavior with magic_quotes_gpc coming *on* even if it was
configured off.

The specific circumstance was that magic_quotes_gpc was being set to
off in Apache via php_flag, rather than in the .ini file.  phpinfo()
reported magic_quotes_gpc as Off/On, but magic quotes behavior started
happening anyway.  Of course I just moved the configuration to the
.ini file where it belongs, but this was a change from previous
behavior prior to that rebuild.  Maybe it was a coincidence, but when
I saw this discussion, I felt mentioning it was "better safe than
sorry."

