Request #36170 parse_ini_file control over constants' substitution
Submitted: 2006-01-26 18:01 UTC
Modified: 2015-01-09 00:06 UTC
From: spam01 at pornel dot net
Assigned:
Status: Open
Package: Filesystem function related
PHP Version: 5.1.2
OS: *
Private report: No
CVE-ID: None

 [2006-01-26 18:01 UTC] spam01 at pornel dot net
Description:
------------
I don't agree with Bug #34949 being bogus.

It was rejected stating it's programmers' responsibility to check if data can be trusted. However, this function doesn't offer such a possibility - there is no way to check what data has been substituted. Thus this function is not safe for reading untrusted files.

It's not unusual to read and display a data structure from an untrusted source. You can do that with text files, XML, why not with ini?

Instead of the originally suggested flag for disabling substitution, I suggest adding an optional callback function which could be used as a security check/filter or a provider of a custom source of ini constants.



History

 [2015-01-09 00:06 UTC] ajf@php.net
-Package: Feature/Change Request +Package: Filesystem function related
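
The substitution the report describes, shown as an added PHP example that is not part of the original report or of PHP's own code. It assumes PHP 7 or later and uses `parse_ini_string()` with the `INI_SCANNER_RAW` mode, which the report does not mention; `DB_PASSWORD`, the INI text and the helper `constantReferences()` are constructed for illustration.

```php
<?php
// Constructed stand-in for a secret the application keeps in a constant.
define('DB_PASSWORD', 's3cr3t-constructed-value');

// Constructed untrusted INI text, e.g. a user-supplied file that is read
// and displayed back to the user.
$untrusted = <<<INI
[profile]
name = guest
motto = DB_PASSWORD
INI;

// Default scanner: a bare word that names a defined constant is replaced
// by the constant's value, and the caller cannot tell that it happened.
$normal = parse_ini_string($untrusted, true);

// Raw scanner: option values are returned as written, with no substitution.
$raw = parse_ini_string($untrusted, true, INI_SCANNER_RAW);

/**
 * Hypothetical user-land filter in the spirit of the requested callback:
 * report every key whose raw value contains a word naming a defined constant.
 * Deliberately conservative: words inside quoted strings are flagged too.
 */
function constantReferences(array $raw): array
{
    $hits = [];
    array_walk_recursive($raw, function ($value, $key) use (&$hits) {
        preg_match_all('/[A-Za-z_][A-Za-z0-9_]*/', (string) $value, $m);
        foreach ($m[0] as $word) {
            if (defined($word)) {
                $hits[$key][] = $word;
            }
        }
    });
    return $hits;
}

// Compare what each scanner mode hands to the application.
var_dump($normal['profile']['motto'] === DB_PASSWORD);
var_dump($raw['profile']['motto']);

// Keys that would have pulled in a constant under the default scanner.
print_r(constantReferences($raw));
```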
 