Request #36170 parse_ini_file control over constants' substitution
Submitted: 2006-01-26 18:01 UTC
Modified: 2015-01-09 00:06 UTC
From: spam01 at pornel dot net
Assigned:
Status: Open
Package: Filesystem function related
PHP Version: 5.1.2
OS: *
Private report: No
CVE-ID: None

 [2006-01-26 18:01 UTC] spam01 at pornel dot net
I don't agree with Bug #34949 being bogus.

It was rejected stating it's programmers' responsibility to check if data can be trusted. However, this function doesn't offer such a possibility - there is no way to check what data has been substituted. Thus this function is not safe for reading untrusted files.

It's not unusual to read and display a data structure from an untrusted source. You can do that with text files, XML, why not with ini?

Instead of the originally suggested flag for disabling substitution, I suggest adding an optional callback function which could be used as a security check/filter or provider of a custom source of ini constants.
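
The substitution this report describes, shown next to the raw scanner mode that PHP added in 5.3 (after the version in this report), as an added example that is not part of the original report. The constant `APP_SECRET`, the sample INI text and the helper `keys_naming_constants()` are constructed for illustration, and the code assumes a current PHP release.

```php
<?php
// Constructed secret standing in for any constant the application defines.
define('APP_SECRET', 's3cr3t-constructed-value');

// Constructed untrusted INI content: the value of "title" names a constant.
$untrusted = <<<INI
[profile]
name = "guest"
title = APP_SECRET
INI;

// Default scanner (INI_SCANNER_NORMAL): a bare constant name is replaced
// by the constant's value, so the secret ends up in the parsed data.
$normal = parse_ini_string($untrusted, true);

// INI_SCANNER_RAW: values are returned without constant substitution.
$raw = parse_ini_string($untrusted, true, INI_SCANNER_RAW);

/**
 * Hypothetical helper (not a PHP built-in): list the keys whose raw value
 * is a bare identifier naming a defined constant. It errs on the side of
 * over-reporting, e.g. it also flags keywords such as "true".
 */
function keys_naming_constants(array $rawSections): array
{
    $hits = [];
    foreach ($rawSections as $section => $pairs) {
        foreach ((array) $pairs as $key => $value) {
            if (is_string($value)
                && preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $value)
                && defined($value)) {
                $hits[] = "$section.$key";
            }
        }
    }
    return $hits;
}

// Compare what each scanner mode returned for the same key.
var_dump($normal['profile']['title'] === APP_SECRET);
var_dump($raw['profile']['title'] === 'APP_SECRET');

// Keys an application may want to reject or log before displaying the data.
print_r(keys_naming_constants($raw));
```

The same scanner mode argument is accepted by `parse_ini_file()` as its third parameter.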


 [2015-01-09 00:06 UTC]
-Package: Feature/Change Request +Package: Filesystem function related
Last updated: Mon Jun 14 08:01:24 2021 UTC