php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #40586 _ENV vars get espcaped when magic_quotes_gpc is on
Submitted: 2007-02-21 20:30 UTC Modified: 2007-08-17 11:03 UTC
From: gk at gknw dot de Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.4.x OS: at least NetWare, Win32
Private report: No CVE-ID: None
 [2007-02-21 20:30 UTC] gk at gknw dot de
Description:
------------
With PHP 4.3.x and 4.4.x the _ENV superglobals get escaped if they contain backslahes and magic_quotes_gpc is on.
This does happen with the Apache SAPI as well as with the CLI on commandline. When I getenv() same environment vars this doesnt happen.
Also compared to PHP 5.2.x where this doesnt happen - regardless of the magic_quotes_gpc setting.
I digged through the docu but couldnt find anything about this 'feature' mentioned with 4.x, nor the difference that it was dropped with 5.x.


Expected result:
----------------
I think this 'feature' should be mentioned in the docu, and the difference between 4.x and 5.x behaviour, also because with 4.x magic_quotes_gpc is on by default.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-03-23 15:56 UTC] vrana@php.net
This behavior is wrong. _gpc stands for GET, POST, COOKIE.
 [2007-03-26 10:33 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-03-26 11:06 UTC] derick@php.net
I think we should document this instead, as changing it might cause security problems for people.
 [2007-03-30 16:00 UTC] gk at gknw dot de
I doubt that the fix might turn into a security problem because its related to the system's _ENV vars, and not to something coming from outside - if we cant even trust the system's env vars then there's something wrong with the whole system's setup.
Also everyone who now expect this behavior in his code build upon an undocumented feature.

greets, G?nter.
 [2007-08-17 11:03 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"In PHP 4, also Environment variables: $_ENV  variables are escaped."
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 04:01:25 2019 UTC