Newsgroups: php.internals
Date: Thu, 16 Feb 2012 01:51:19 -0800
To: internals@lists.php.net
Message-ID: <20120216095119.GH5782@nxnw.org>
In-Reply-To: <4F3CC90B.5030004@tejimaya.com>
References: <4F3A5B70.3020707@co3k.org> <4F3CC90B.5030004@tejimaya.com>
Organization: North by Northwest Consolidated Industries, LLC
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: sbeattie@ubuntu.com (Steve Beattie)

Hi Kousuke,

On Thu, Feb 16, 2012 at 06:14:51PM +0900, Kousuke Ebihara wrote:
> (12/02/16 16:24), J David wrote:
> > reported magic_quotes_gpc as Off/On, but magic quotes behavior started
> > happening anyway. Of course I just moved the configuration to the
>
> I've also confirmed this behavior in a snapshot version of PHP 5.3 (built on Feb 16, 2012 00:30 UTC).
>
> I tested my https://gist.github.com/1840714 script.
>
> And I've got the following result:
>
> $ wget -q "http://localhost:8080/phpinfo.php" -O - | grep "Loaded Configuration File"
> Loaded Configuration File /private/tmp/php.ini
>
> $ cat /private/tmp/php.ini
> magic_quotes_gpc=On
>
> $ wget -q "http://localhost:8080/cve-2012-0831.php?a='" -O -
> PHP Version: 5.3.11-dev
> magic_quotes_gpc: 0
> $_GET['a']: \'
>
> I think magic_quotes_gpc is not disabled. All of the PHP C sources might use "PG(magic_quotes_gpc)" to access that setting value, so the result might not be affected by zend_alter_ini_entry_ex().
>
> But the result of "ini_get()" uses the setting value after the zend_alter_ini_entry_ex() call, so it reports 0.
>
> The above is just my guess because I'm not an expert on PHP C source code, but probably it is not a bad guess, I think.

You're seeing the behavior reported by Ondřej Surý in https://bugs.php.net/bug.php?id=61043, where magic_quotes_gpc is configured on, but ini_get('magic_quotes_gpc') returns that it's disabled, even though magic quoting is still happening.
That's different from the behavior that J David reported, where he configured it *off*, but saw magic quoting still happening.

It would be great to get comments on the patch provided by Ondřej in the bug report to know if it's the correct fix, and if so, get it committed to the 5.3 branch.

Thanks.

-- 
Steve Beattie
http://NxNW.org/~steve/
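As an added example (not code from the thread, nor from Kousuke's gist), the following PHP decides whether magic_quotes_gpc is actually in effect from observed behaviour rather than from ini_get(), which the report above shows can say 0 while escaping still happens. The function names raw_query_params, magic_quotes_effective and strip_magic_quotes are chosen here, and the sample request is constructed to mirror the thread's `?a='` test.

```php
<?php
// Added example, not code from the thread or from Kousuke's gist.
// Decide whether magic_quotes_gpc is really active by comparing what the
// client sent with what PHP delivered in $_GET, because the thread shows
// ini_get('magic_quotes_gpc') can report 0 while escaping still happens.

// Decode a query string by hand. parse_str() is deliberately avoided because
// it applies magic quotes the same way $_GET does and would hide the difference.
function raw_query_params($queryString)
{
    $params = array();
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair, 2);
        $params[urldecode($kv[0])] = isset($kv[1]) ? urldecode($kv[1]) : '';
    }
    return $params;
}

// Returns true if $get carries the escaping magic_quotes_gpc adds, false if it
// does not, and null when the probe parameter is missing or has nothing to
// escape, so the request says nothing either way.
function magic_quotes_effective(array $get, $queryString, $probe = 'a')
{
    $raw = raw_query_params($queryString);
    if (!isset($raw[$probe], $get[$probe]) || addslashes($raw[$probe]) === $raw[$probe]) {
        return null;
    }
    return $get[$probe] === addslashes($raw[$probe]);
}

// Undo one level of escaping, recursively, so the application sees the value
// the client actually sent regardless of what ini_get() claims.
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

// Constructed sample mirroring the thread: the request was ?a=' and PHP
// delivered $_GET['a'] === "\'" while ini_get('magic_quotes_gpc') said 0.
$sampleQuery = "a='";
$sampleGet   = array('a' => "\\'");

if (magic_quotes_effective($sampleGet, $sampleQuery) === true) {
    $sampleGet = strip_magic_quotes($sampleGet);
    echo "magic quotes were in effect; stripped to: " . $sampleGet['a'] . "\n";
} else {
    echo "no magic-quote escaping observed\n";
}
```

In a real request the same check runs against $_GET and $_SERVER['QUERY_STRING'] with a probe parameter the application controls; a null result means the request carried nothing that magic quotes would have changed.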