php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #36170 parse_ini_file control over constants' substitution
Submitted: 2006-01-26 18:01 UTC Modified: 2021-07-26 18:45 UTC
From: spam01 at pornel dot net Assigned: cmb (profile)
Status: Wont fix Package: Filesystem function related
PHP Version: 5.1.2 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: spam01 at pornel dot net
New email:
PHP Version: OS:

 

 [2006-01-26 18:01 UTC] spam01 at pornel dot net
Description:
------------
I don't agree with bug Bug #34949 being bogus. 

It was rejected stating it's programmers' responsibility to check if data can be trusted. However this function doesn't offer such possibility - there is no way to check what data has been substituted. Thus this function is not safe for reading untrusted files. 

It's not unusual to read and display data structure from untrusted source. You can do that with text files, XML, why not with ini?

Instead of originally sugested flag for disabling substitution I suggest adding optional callback function which could be used as security check/filter or provider of custom source of ini constants.



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-09 00:06 UTC] ajf@php.net
-Package: Feature/Change Request +Package: Filesystem function related
 [2021-07-26 18:45 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-07-26 18:45 UTC] cmb@php.net
parse_ini_file() supports the INI_SCANNER_RAW mode for a very long
time, and I deem that sufficient for the hopefully rare case where
you need to parse user supplied INI files.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 13:01:31 2024 UTC