Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:50391 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 45526 invoked from network); 19 Nov 2010 16:03:49 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Nov 2010 16:03:49 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass; domainkeys=bad Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.170 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.160.170 mail-gy0-f170.google.com Received: from [209.85.160.170] ([209.85.160.170:47153] helo=mail-gy0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D2/20-44146-ADF96EC4 for ; Fri, 19 Nov 2010 11:03:41 -0500 Received: by gyg10 with SMTP id 10so3074831gyg.29 for ; Fri, 19 Nov 2010 08:03:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type; bh=bO/+xrfmFd3mu5OE0zQKXmqeWyQut4LKx01XBHuTTno=; b=su0+hdFulXyvbd60LX1JtNi7MojJdrSWjliZ99kbhJn2iJxVoxSbz2iZzRFQJMwjre LiqrUrHDgi0WWhp9sS8j/pz+I8VsRBZme+KiPcUaCCLWANGHYg0hE+iT9ooTb6qHsHeo 90/byzTvN6tjTMtwSI7Tm1HydF+WkaLe/ETvQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=nsqtSCcxGNGCCeQqdHYC5ULGKx1Nc6/fZwX1tUHnQDCdFFoY3kTNRZrZoFE8GyUDMj sxCT+7qD+lG0QDCAP2/O/2huHXiPiZFpkLnJHFucSsN0VOGsmyUs8pv7BrOl7cVX2MHL qOeMrWQ9hW3PDwlNUyWqhBOC8tfcsTvAYE8yI= MIME-Version: 1.0 Received: by 10.90.25.13 with SMTP id 13mr2877760agy.33.1290181309354; Fri, 19 Nov 2010 07:41:49 -0800 (PST) Sender: tyra3l@gmail.com Received: by 10.90.53.4 with HTTP; Fri, 19 Nov 2010 07:41:48 -0800 (PST) In-Reply-To: <20101119151702.GA5937@panix.com> References: <6628E909-5B8E-4FB4-A28F-ECAF7FCA27AB@roshambo.org> <201011172340.37217.larry@garfieldtech.com> <20101118162047.GA26431@panix.com> <1290097549.16819.180.camel@guybrush> <20101119151702.GA5937@panix.com> Date: Fri, 19 Nov 2010 16:41:48 +0100 X-Google-Sender-Auth: UghBNcZ8kL2OCsi6va7eiDKzPn8 Message-ID: To: Daniel Convissor Cc: PHP Internals List Content-Type: multipart/alternative; boundary=00163630f5fba3d40a049569be53 Subject: Re: [PHP-DEV] Magic quotes in trunk From: info@tyrael.hu (Ferenc Kovacs) --00163630f5fba3d40a049569be53 Content-Type: text/plain; charset=UTF-8 On Fri, Nov 19, 2010 at 4:17 PM, Daniel Convissor < danielc@analysisandsolutions.com> wrote: > Hi Johannes: > > On Thu, Nov 18, 2010 at 05:25:49PM +0100, Johannes Schlter wrote: > > > > > 2) Error out if using CGI or web SAPI and one of the following is true: > > > a) php.ini does not contain "magic_quotes_gpc = Off" > > > b) php.ini contains "magic_quotes_runtime = On" > > > c) php.ini contains "magic_quotes_sybase = On" > > > d) php.ini does not exist > > > > d) is no option. > > Yeah, I hear you and figured there would be objection. > > At the same time, for server administrators, isn't knowingly creating one > file with "magic_quotes_gpc = Off" in it a very low hurdle compared to > unknowingly getting pwn3d and then having to clean up that mess later? > > If this isn't acceptable, let's come up with some other fail-safe options. > > you can get pwn3d with magic_quotes_gpc = On also (through insecure usage of register globals, or remote code inclusion/execution, xss/reflection and sql injection also possible with enabled magic_quotes_gpc). for example: http://www.exploit-db.com/papers/15446/ Tyrael --00163630f5fba3d40a049569be53--