Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57886
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92569 invoked from network); 16 Feb 2012 07:33:20 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Feb 2012 07:33:20 -0000
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.210.42 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.210.42 mail-pz0-f42.google.com  
Received: from [209.85.210.42] ([209.85.210.42:34126] helo=mail-pz0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B1/D2-48160-E31BC3F4 for <internals@lists.php.net>; Thu, 16 Feb 2012 02:33:19 -0500
Received: by dang27 with SMTP id g27so2014867dan.29
        for <internals@lists.php.net>; Wed, 15 Feb 2012 23:33:15 -0800 (PST)
Received: by 10.68.233.196 with SMTP id ty4mr10583409pbc.99.1329377595857;
        Wed, 15 Feb 2012 23:33:15 -0800 (PST)
Received: from [192.168.200.5] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225])
        by mx.google.com with ESMTPS id o7sm13221031pbq.8.2012.02.15.23.33.14
        (version=SSLv3 cipher=OTHER);
        Wed, 15 Feb 2012 23:33:15 -0800 (PST)
Message-ID: <4F3CB139.50400@lerdorf.com>
Date: Wed, 15 Feb 2012 23:33:13 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0
MIME-Version: 1.0
To: J David <j.david.lists@gmail.com>
CC: Ferenc Kovacs <tyra3l@gmail.com>, internals@lists.php.net
References: <4F3A5B70.3020707@co3k.org> <CAH-PCH5Ri0Bgmdn5AxYTFqe5VpWuLb2M0Hfn2OwCKkdEyptQ3A@mail.gmail.com> <CABXB=RSKVP2=w2zdFx7SLkbbBszpc3635_ehjO07=DZTHQ-xQA@mail.gmail.com>
In-Reply-To: <CABXB=RSKVP2=w2zdFx7SLkbbBszpc3635_ehjO07=DZTHQ-xQA@mail.gmail.com>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQnlPYP94qg8pp+GrLI422owKohN/Sv88f96jwEG9xARNFoxmE65jfgBe3mu/GXey7WF9ZcW
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable
 vulnerability?)
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 02/15/2012 11:24 PM, J David wrote:
> On Tue, Feb 14, 2012 at 8:35 AM, Ferenc Kovacs <tyra3l@gmail.com> wrote:
>> as far as I can see the referenced fix (
>> http://svn.php.net/viewvc?view=revision&revision=323016) never made to the
>> 5.3.10 release (
>> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3_10/?pathrev=323032&view=log
>> )
> 
> Preface: I am not expert in these matters by any means.
> 
> I happened to do some work with a build of the PHP_5_3 branch that did
> include SVN revision 323016.  With that revision, I observed some
> weird behavior with magic_quotes_gpc coming *on* even if it was
> configured off.
> 
> The specific circumstance was that magic_quotes_gpc was being set to
> off in Apache via php_flag, rather than in the .ini file.  phpinfo()
> reported magic_quotes_gpc as Off/On, but magic quotes behavior started
> happening anyway.  Of course I just moved the configuration to the
> .ini file where it belongs, but this was a change from previous
> behavior prior to that rebuild.  Maybe it was a coincidence, but when
> I saw this discussion, I felt mentioning it was "better safe than
> sorry."

There is lots of weirdness around Apache startup and double module loads
and such that makes the initialization code overly complicated, so it
doesn't surprise me that this change could have some issues. Was this
with Apache1 or 2 you saw this?

-Rasmus