ID:               46759
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Closed
 Bug Type:         Variables related
 Operating System: Windows
 PHP Version:      5.2.7
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

I've backed out the fix for bug #42718.


Previous Comments:
------------------------------------------------------------------------

[2008-12-06 17:08:43] [EMAIL PROTECTED]

After checking bug #42718 and filter extension's documentation, I
believe enabling a filter *should not* disable magic_quotes_gpc (nothing
is written in the documentation about this).

This patch allows application of magic_quotes_gpc *after* filter
execution *if* enabled.

http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch

------------------------------------------------------------------------

[2008-12-06 16:20:04] [EMAIL PROTECTED]

The fix for bug #42718 seems to be at the origin of this bug.

If the fix is reverted, magic_quotes_gpc works again as expected.

------------------------------------------------------------------------

[2008-12-06 10:03:18] cabel at panic dot com

We haven't yet had a chance to addslashes() our input in preparation
for PHP 6.

So as it stands, this bug -- which we're also seeing with 5.2.7 -- 
currently means giant scary security holes in our scripts as we were 
relying on magic_quotes_gpc to make things "safe".

Not great...

------------------------------------------------------------------------

[2008-12-06 01:28:00] brion at pobox dot com

This causes downstream MediaWiki bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=16570

Data corruption and failure to properly submit edits when
magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so
input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts
to correct for magic_quotes_gpc.

------------------------------------------------------------------------

[2008-12-05 11:52:05] [EMAIL PROTECTED]

Description:
------------
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST
variables. It worked with the same configuration under 5.2.6.

I have magic_quotes_gpc set in php.ini.

Reproduce code:
---------------
URL: ?q='

<?php
var_dump(PHP_VERSION);
var_dump(get_magic_quotes_gpc());
var_dump($_GET["q"]);


Expected result:
----------------
string(5) "5.2.7"
int(1)
string(2) "\'"


Actual result:
--------------
string(5) "5.2.7"
int(1)
string(2) "'"



------------------------------------------------------------------------
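The two failure modes reported in this thread, as an added example that is not code from the report or from PHP: a script that trusts magic_quotes_gpc for SQL safety, and the stripslashes() "undo" idiom that corrupts input when the flag is on but the data was never escaped. The `$escaped` and `$flagOn` parameters stand in for the engine's behaviour and for get_magic_quotes_gpc(); the `pages` table, the sample inputs and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the bug report or from PHP itself.
// $escaped models whether the engine really applied magic quotes:
// true = 5.2.6 behaviour, false = the 5.2.7 regression reported above.
function received_value($raw, $escaped)
{
    return $escaped ? addslashes($raw) : $raw;
}

// Common "undo magic quotes" idiom: trusts the flag alone.
// $flagOn stands in for get_magic_quotes_gpc().
function undo_magic_quotes($value, $flagOn)
{
    return $flagOn ? stripslashes($value) : $value;
}

// Heuristic check: anything addslashes() produced survives a
// stripslashes()/addslashes() round trip unchanged. A value that does not
// was never escaped, so the flag is not telling the truth for this request.
function was_really_escaped($value)
{
    return addslashes(stripslashes($value)) === $value;
}

// Script that relies on magic quotes for SQL safety (hypothetical table).
function query_trusting_magic_quotes($value)
{
    return "SELECT * FROM pages WHERE title = '" . $value . "'";
}

$samples = array("O'Reilly", 'C:\\temp\\new'); // constructed inputs

foreach (array(true, false) as $escaped) {
    echo $escaped ? "-- flag on, data escaped\n" : "-- flag on, data NOT escaped\n";
    foreach ($samples as $raw) {
        $got      = received_value($raw, $escaped);
        $restored = undo_magic_quotes($got, true);
        printf(
            "  raw=%s got=%s restored=%s intact=%s check=%s\n    %s\n",
            $raw, $got, $restored,
            $restored === $raw ? 'yes' : 'NO',
            was_really_escaped($got) ? 'escaped' : 'unescaped',
            query_trusting_magic_quotes($got)
        );
    }
}
```

The round-trip check cannot flag input with no quotes or backslashes, or raw input that already looks escaped, so it only detects the mismatch; escaping or parameter binding at the query layer is what removes the dependence on the setting.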


-- 
Edit this bug report at http://bugs.php.net/?id=46759&edit=1
