php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61043 Regression in magic_quotes_gpc fix (CVE-2012-0831)
Submitted: 2012-02-10 12:43 UTC Modified: 2012-03-21 21:18 UTC
Votes:4
Avg. Score:4.2 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: ondrej@php.net Assigned: johannes (profile)
Status: Closed Package: Variables related
PHP Version: 5.3SVN-2012-02-10 (SVN) OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ondrej@php.net
New email:
PHP Version: OS:

 

 [2012-02-10 12:43 UTC] ondrej@php.net
Description:
------------
Description available here:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115


Basically the attached patch does replace the second location of 
PG(magic_quotes_gpc) with the zend_alter_ini_entry_ex:


-       PG(magic_quotes_gpc) = magic_quotes_gpc;
+
+       if (magic_quotes_gpc) {
+               zend_alter_ini_entry_ex("magic_quotes_gpc", 
sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 
TSRMLS_CC);
+       }

I could be wrong, since my knowledge of PHP internals is lim(knowledge) = 0, but 
this seems to follow the logic of first change.


Patches

magic_quotes_gpc-regression (last revision 2012-02-10 12:44 UTC by ondrej@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-10 12:44 UTC] ondrej@php.net
The following patch has been added/updated:

Patch Name: magic_quotes_gpc-regression
Revision:   1328877857
URL:        https://bugs.php.net/patch-display.php?bug=61043&patch=magic_quotes_gpc-regression&revision=1328877857
 [2012-02-10 13:19 UTC] ondrej@php.net
I can confirm that the attached patch fixes the reported problem:

root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php  -c /tmp/php.ini -
r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini 
magic_quotes_gpc = On
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php  -c /tmp/php.ini -
r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# emacs php.ini 
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini 
magic_quotes_gpc = Off
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php  -c /tmp/php.ini -
r 'var_dump(ini_get("magic_quotes_gpc"));'
string(0) ""
 [2012-02-13 18:37 UTC] sbeattie@php.net
Ondřej's patch is the patch we went with in Ubuntu. I verified in our testing that it did address the issue.
 [2012-03-05 22:46 UTC] pajoye@php.net
Johannes, can you check this please?
 [2012-03-05 22:46 UTC] pajoye@php.net
-Status: Open +Status: Critical -Assigned To: +Assigned To: johannes
 [2012-03-08 13:17 UTC] johannes@php.net
-Status: Critical +Status: Feedback
 [2012-03-08 13:17 UTC] johannes@php.net
I think this was fixed in r323016. Please verify.
 [2012-03-09 08:23 UTC] ondrej@php.net
Nope, r323016 is the commit which broke it.

Please look at the patch and look at the broken code before jumping to 
conclusions.
 [2012-03-09 13:09 UTC] ondrej@php.net
-Status: Feedback +Status: Critical
 [2012-03-21 21:13 UTC] cataphract@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2d2995f343629b80649fb09ce37e7e0750d2af4a
Log: Fixed bug #61043: Regression in magic_quotes_gpc fix (CVE-2012-0831)
 [2012-03-21 21:13 UTC] ondrej@sury.org@php.net
Automatic comment on behalf of ondrej@sury.org
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1fd5432e1576865dbeb7650b7c7e0fa0bd3a4e1
Log: Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831)
 [2012-03-21 21:18 UTC] cataphract@php.net
-Status: Critical +Status: Closed
 [2012-03-21 21:18 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I took the liberty of committing it.
 [2012-03-21 21:32 UTC] cataphract@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2d2995f343629b80649fb09ce37e7e0750d2af4a
Log: Fixed bug #61043: Regression in magic_quotes_gpc fix (CVE-2012-0831)
 [2012-03-21 21:32 UTC] ondrej@sury.org@php.net
Automatic comment on behalf of ondrej@sury.org
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1fd5432e1576865dbeb7650b7c7e0fa0bd3a4e1
Log: Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831)
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2d2995f343629b80649fb09ce37e7e0750d2af4a
Log: Fixed bug #61043: Regression in magic_quotes_gpc fix (CVE-2012-0831)
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of ondrej@sury.org
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d1fd5432e1576865dbeb7650b7c7e0fa0bd3a4e1
Log: Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831)
 [2014-10-07 23:39 UTC] stas@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2d2995f343629b80649fb09ce37e7e0750d2af4a
Log: Fixed bug #61043: Regression in magic_quotes_gpc fix (CVE-2012-0831)
 [2014-10-07 23:39 UTC] stas@php.net
Automatic comment on behalf of ondrej@sury.org
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d1fd5432e1576865dbeb7650b7c7e0fa0bd3a4e1
Log: Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 16:01:30 2024 UTC