Request #36170 parse_ini_file control over constants' substitution
Submitted: 2006-01-26 18:01 UTC
Modified: 2021-07-26 18:45 UTC
From: spam01 at pornel dot net
Assigned: cmb
Status: Wont fix
Package: Filesystem function related
PHP Version: 5.1.2
OS: *
Private report: No
CVE-ID: None

 [2006-01-26 18:01 UTC] spam01 at pornel dot net
Description:
------------
I don't agree with Bug #34949 being bogus.

It was rejected stating it's the programmer's responsibility to check if data can be trusted. However, this function doesn't offer such a possibility - there is no way to check what data has been substituted. Thus this function is not safe for reading untrusted files.

It's not unusual to read and display a data structure from an untrusted source. You can do that with text files, XML, why not with ini?

Instead of the originally suggested flag for disabling substitution, I suggest adding an optional callback function which could be used as a security check/filter or a provider of a custom source of ini constants.



History

 [2015-01-09 00:06 UTC] ajf@php.net
-Package: Feature/Change Request +Package: Filesystem function related
 [2021-07-26 18:45 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-07-26 18:45 UTC] cmb@php.net
parse_ini_file() has supported the INI_SCANNER_RAW mode for a very long
time, and I deem that sufficient for the hopefully rare case where
you need to parse user-supplied INI files.
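
The substitution this report is about, next to the INI_SCANNER_RAW mode named in the closing comment, as an added example that is not part of the original report, its comments, or PHP's own code. The constant DB_PASSWORD, the sample INI text and the helper parse_untrusted_ini() are constructed for illustration; parse_ini_string() is used so the input can be embedded inline, and it takes the same scanner-mode argument as parse_ini_file().

```php
<?php
// Constructed stand-in for an application secret held in a constant.
define('DB_PASSWORD', 'constructed-secret-value');

// Constructed untrusted input, e.g. the contents of a user-supplied INI file.
$untrusted = <<<'INI'
[profile]
display_name = DB_PASSWORD
newsletter = yes
theme = dark
INI;

// Default scanner: a bare value naming a defined constant is replaced by
// that constant's value, and "yes" is converted to "1".
$normal = parse_ini_string($untrusted, true, INI_SCANNER_NORMAL);

// Raw scanner: option values come back as written, with no substitution.
$raw = parse_ini_string($untrusted, true, INI_SCANNER_RAW);

echo 'normal display_name: ', $normal['profile']['display_name'], PHP_EOL;
echo 'raw display_name:    ', $raw['profile']['display_name'], PHP_EOL;

/**
 * Hypothetical helper: parse untrusted INI text in raw mode and keep only
 * allowlisted scalar options, so the caller decides how each value is typed.
 */
function parse_untrusted_ini(string $text, array $allowedKeys): array
{
    $data = parse_ini_string($text, true, INI_SCANNER_RAW);
    if ($data === false) {
        throw new InvalidArgumentException('Malformed INI input');
    }
    $allowed = array_flip($allowedKeys);
    $clean = [];
    foreach ($data as $section => $options) {
        if (!is_array($options)) {
            continue; // skip options that appear outside any section
        }
        // Drop unknown keys and array-style values (key[] = ...).
        $clean[$section] = array_filter(
            array_intersect_key($options, $allowed),
            'is_string'
        );
    }
    return $clean;
}

var_dump(parse_untrusted_ini($untrusted, ['display_name', 'newsletter']));
```

Raw mode returns every value as a string, so booleans and numbers have to be validated and converted by the caller.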
 