Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57888
Return-Path: <ebihara@tejimaya.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 14921 invoked from network); 16 Feb 2012 09:14:59 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Feb 2012 09:14:59 -0000
Authentication-Results: pb1.pair.com header.from=ebihara@tejimaya.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ebihara@tejimaya.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain tejimaya.com designates 209.85.210.42 as permitted sender)
X-PHP-List-Original-Sender: ebihara@tejimaya.com
X-Host-Fingerprint: 209.85.210.42 mail-pz0-f42.google.com  
Received: from [209.85.210.42] ([209.85.210.42:42521] helo=mail-pz0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E1/70-02597-219CC3F4 for <internals@lists.php.net>; Thu, 16 Feb 2012 04:14:58 -0500
Received: by dang27 with SMTP id g27so2107897dan.29
        for <internals@lists.php.net>; Thu, 16 Feb 2012 01:14:55 -0800 (PST)
Received: by 10.68.218.228 with SMTP id pj4mr6122336pbc.167.1329383695705;
        Thu, 16 Feb 2012 01:14:55 -0800 (PST)
Received: from ebiten.local (203.143.101.162.static.zoot.jp. [203.143.101.162])
        by mx.google.com with ESMTPS id m5sm1858449pbo.69.2012.02.16.01.14.52
        (version=SSLv3 cipher=OTHER);
        Thu, 16 Feb 2012 01:14:54 -0800 (PST)
Message-ID: <4F3CC90B.5030004@tejimaya.com>
Date: Thu, 16 Feb 2012 18:14:51 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120126 Thunderbird/11.0a2
MIME-Version: 1.0
To: internals@lists.php.net
References: <4F3A5B70.3020707@co3k.org> <CAH-PCH5Ri0Bgmdn5AxYTFqe5VpWuLb2M0Hfn2OwCKkdEyptQ3A@mail.gmail.com> <CABXB=RSKVP2=w2zdFx7SLkbbBszpc3635_ehjO07=DZTHQ-xQA@mail.gmail.com>
In-Reply-To: <CABXB=RSKVP2=w2zdFx7SLkbbBszpc3635_ehjO07=DZTHQ-xQA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQlWoCzy0XN8blVFKyy/v+cjwa5qJBk5xC8Vl1JcmF02ihLAA7MXZB/3bflwdGiInq5dWwC0
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable
 vulnerability?)
From: ebihara@tejimaya.com (Kousuke Ebihara)

(12/02/16 16:24), J David wrote:
> reported magic_quotes_gpc as Off/On, but magic quotes behavior started
> happening anyway.  Of course I just moved the configuration to the

I've also confirmed this behavior in snapshot version of PHP 5.3 (Build on Feb 16, 2012 00:30 UTC).

I tested my https://gist.github.com/1840714 script.

And I've got the following result::

    $ wget -q "http://localhost:8080/phpinfo.php" -O - | grep "Loaded Configuration File"
    <tr><td class="e">Loaded Configuration File </td><td class="v">/private/tmp/php.ini </td></tr>
    
    $ cat /private/tmp/php.ini
    magic_quotes_gpc=On
    
    $ wget -q "http://localhost:8080/cve-2012-0831.php?a='" -O -
    PHP Version: 5.3.11-dev
    magic_quotes_gpc: 0
    $_GET['a']: \'

I think magic_quotes_gpc is not disabled. All of the PHP C sources might use "PG(magic_quotes_gpc)" to access to that setting value, so that result might not be affected zend_alter_ini_entry_ex().

But a result of "ini_get()" uses a setting value after the zend_alter_ini_entry_ex() calling, so it reports 0.

The above is just my guessing because I'm not an expert of PHP C source code but probably it is not bad guessing, I think.

-- 
Kousuke Ebihara
ebihara@tejimaya.com