Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57885
Return-Path: <jdavidlists@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89748 invoked from network); 16 Feb 2012 07:24:06 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Feb 2012 07:24:06 -0000
Authentication-Results: pb1.pair.com smtp.mail=jdavidlists@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=jdavidlists@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.49 as permitted sender)
X-PHP-List-Original-Sender: jdavidlists@gmail.com
X-Host-Fingerprint: 209.85.216.49 mail-qw0-f49.google.com  
Received: from [209.85.216.49] ([209.85.216.49:54442] helo=mail-qw0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AE/72-48160-41FAC3F4 for <internals@lists.php.net>; Thu, 16 Feb 2012 02:24:05 -0500
Received: by qadc14 with SMTP id c14so2306405qad.8
        for <internals@lists.php.net>; Wed, 15 Feb 2012 23:24:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:cc:content-type;
        bh=LkvUr2F7vJ4mkmSjHPjxhSQ+28WN/8qZCQrawwH46nE=;
        b=QZ7Y50hMVs6RFZoi32yUCWDvsphR9biwuv7yBrDU5DjcvY+9qwrv7R+5CrzbMBc7AO
         dh7yz9vJJtUYJQhMmEX50V3F6j0jLiGPsLBeh3XyjtCMLM2gJn2A7hgj6h1cZw1mW1pc
         ahGTM0+Zl1A8upnIzdw+t7Pys0+14E0gs+JHA=
MIME-Version: 1.0
Received: by 10.229.102.88 with SMTP id f24mr1029185qco.117.1329377041366;
 Wed, 15 Feb 2012 23:24:01 -0800 (PST)
Sender: jdavidlists@gmail.com
Received: by 10.229.56.12 with HTTP; Wed, 15 Feb 2012 23:24:01 -0800 (PST)
In-Reply-To: <CAH-PCH5Ri0Bgmdn5AxYTFqe5VpWuLb2M0Hfn2OwCKkdEyptQ3A@mail.gmail.com>
References: <4F3A5B70.3020707@co3k.org>
	<CAH-PCH5Ri0Bgmdn5AxYTFqe5VpWuLb2M0Hfn2OwCKkdEyptQ3A@mail.gmail.com>
Date: Thu, 16 Feb 2012 02:24:01 -0500
X-Google-Sender-Auth: 1OUK9cfvVSHJiUL9xQbqez4fQkc
Message-ID: <CABXB=RSKVP2=w2zdFx7SLkbbBszpc3635_ehjO07=DZTHQ-xQA@mail.gmail.com>
To: Ferenc Kovacs <tyra3l@gmail.com>
Cc: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: j.david.lists@gmail.com (J David)

On Tue, Feb 14, 2012 at 8:35 AM, Ferenc Kovacs <tyra3l@gmail.com> wrote:
> as far as I can see the referenced fix (
> http://svn.php.net/viewvc?view=revision&revision=323016) never made to the
> 5.3.10 release (
> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3_10/?pathrev=323032&view=log
> )

Preface: I am not expert in these matters by any means.

I happened to do some work with a build of the PHP_5_3 branch that did
include SVN revision 323016.  With that revision, I observed some
weird behavior with magic_quotes_gpc coming *on* even if it was
configured off.

The specific circumstance was that magic_quotes_gpc was being set to
off in Apache via php_flag, rather than in the .ini file.  phpinfo()
reported magic_quotes_gpc as Off/On, but magic quotes behavior started
happening anyway.  Of course I just moved the configuration to the
.ini file where it belongs, but this was a change from previous
behavior prior to that rebuild.  Maybe it was a coincidence, but when
I saw this discussion, I felt mentioning it was "better safe than
sorry."