Bug #41093 magic_quotes_gpc ignores first arrays keys
Submitted: 2007-04-15 09:58 UTC Modified: 2007-04-17 15:06 UTC
From: arpad@php.net Assigned: iliaa
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.1 OS: Irrelevant
Private report: No CVE-ID:
 [2007-04-15 09:58 UTC] arpad@php.net
Description:
------------
When magic_quotes_gpc is on, it ignores the keys of array values in $_GET etc, despite escaping keys of scalar values and all keys in contained arrays. For example, the query string ?a'b=1 yields $_GET[a\'b] = 1, but ?a'b[a'b]=1 yields $_GET[a'b][a\'b] = 1.

http://www.rajeczy.com/compat_gpc_tests.txt

Reproduce code:
---------------
?a'b[a'b]=1

Expected result:
----------------
$_GET[a\'b][a\'b] = 1

Actual result:
--------------
$_GET[a'b][a\'b] = 1

 [2007-04-15 10:04 UTC] arpad@php.net
NB: I specified 5.2.1 to keep the bug tracker happy, but as you can see from the linked tests, this bug is present in every version I tested (>= 4.2.0).
 [2007-04-15 10:28 UTC] arpad@php.net
This seems to fix it (as in the equivalent line for scalar values on 198):

Index: php_variables.c
===================================================================
RCS file: /repository/php-src/main/php_variables.c,v
retrieving revision 1.104.2.10.2.7
diff -u -r1.104.2.10.2.7 php_variables.c
--- php_variables.c	28 Mar 2007 09:14:08 -0000	1.104.2.10.2.7
+++ php_variables.c	15 Apr 2007 10:26:31 -0000
@@ -158,8 +158,7 @@
 				array_init(gpc_element);
 				zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 			} else {
-				if (PG(magic_quotes_gpc) && (index != var)) {
-					/* no need to addslashes() the index if it's the main variable name */
+				if (PG(magic_quotes_gpc)) {
 					escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
 				} else {
 					escaped_index = index;
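Review bot: With the `(index != var)` exception dropped at the `if (PG(magic_quotes_gpc))` line, the main variable name now also goes through `php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC)`, so `index_len` is overwritten and `escaped_index` may no longer be `index` for that case too; please confirm that the code after this hunk, which is not shown here, uses the updated length and releases `escaped_index` whenever it differs from `index`. The removed comment was the only stated rationale for the old behaviour, so a one-line comment saying that array names are escaped the same way as scalar names, plus a regression test for `?a'b[a'b]=1`, would keep the exception from being reintroduced.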
 [2007-04-17 15:06 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
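The behaviour reported in this bug and the effect of the posted patch, as a simplified Python model (an added example, not php-src code and not part of the original report). The function names are hypothetical, and the model assumes bracket syntax only: no URL decoding, no `[]` append handling and no name mangling.

```python
# Simplified model of how a GPC variable name is registered when
# magic_quotes_gpc is on. Illustrative only; names are hypothetical.
import re


def addslashes(s):
    # Same characters PHP's addslashes() escapes: \ ' " and NUL.
    return re.sub(r"([\\'\"])", r"\\\1", s).replace("\0", "\\0")


def split_name(name):
    # "a'b[x][y]" -> ["a'b", "x", "y"]
    head, bracket, rest = name.partition("[")
    if not bracket:
        return [head]
    return [head] + re.findall(r"\[([^\]]*)\]", "[" + rest)


def register(target, name, value, patched):
    keys = split_name(name)
    node = target
    for depth, index in enumerate(keys[:-1]):
        # Pre-patch condition: magic_quotes_gpc && (index != var),
        # so the main name of an array variable is left unescaped.
        is_main_name = depth == 0
        key = addslashes(index) if (patched or not is_main_name) else index
        node = node.setdefault(key, {})
    # The final key and the value are escaped in both versions.
    node[addslashes(keys[-1])] = addslashes(value)
    return target


def parse_query(query, patched):
    out = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        register(out, name, value, patched)
    return out


if __name__ == "__main__":
    # Constructed inputs taken from the query strings in the report.
    for q in ("a'b=1", "a'b[a'b]=1"):
        print(q, parse_query(q, patched=False), parse_query(q, patched=True))
```

Code that assumed every key in `$_GET` was already escaped would have received the top-level array name raw on unpatched versions, which is the inconsistency the patch removes.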


 
Last updated: Fri Apr 18 10:03:03 2014 UTC