Newsgroups: php.internals
Xref: news.php.net php.internals:57997
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: Ondřej Surý <ondrej@sury.org>
To: PHP internals <internals@lists.php.net>
Date: Fri, 24 Feb 2012 13:00:59 +0100
In-Reply-To: <20120216095119.GH5782@nxnw.org>
References: <4F3A5B70.3020707@co3k.org> <4F3CC90B.5030004@tejimaya.com> <20120216095119.GH5782@nxnw.org>

Ping, the patch (https://bugs.php.net/bug.php?id=61043) is simple and PHP 5.3-SVN is broken when using magic_quotes_gpc.

Please review and merge.

Thanks,
Ondrej

On Thu, Feb 16, 2012 at 10:51, Steve Beattie wrote:
> Hi Kousuke,
>
> On Thu, Feb 16, 2012 at 06:14:51PM +0900, Kousuke Ebihara wrote:
>>
>> I've also confirmed this behavior in the snapshot version of PHP 5.3 (Build on Feb 16, 2012 00:30 UTC).
>>
>> I tested my https://gist.github.com/1840714 script.
>>
>> And I've got the following result:
>>
>>     $ wget -q "http://localhost:8080/phpinfo.php" -O - | grep "Loaded Configuration File"
>>     Loaded Configuration File /private/tmp/php.ini
>>
>>     $ cat /private/tmp/php.ini
>>     magic_quotes_gpc=On
>>
>>     $ wget -q "http://localhost:8080/cve-2012-0831.php?a='" -O -
>>     PHP Version: 5.3.11-dev
>>     magic_quotes_gpc: 0
>>     $_GET['a']: \'
>>
>> I think magic_quotes_gpc is not disabled. All of the PHP C sources might use "PG(magic_quotes_gpc)" to access that setting value, so that result might not be affected by zend_alter_ini_entry_ex().
>>
>> But the result of "ini_get()" uses the setting value after the zend_alter_ini_entry_ex() call, so it reports 0.
>>
>> The above is just my guess, because I'm not an expert on the PHP C source code, but I think it is probably not a bad guess.
>
> You're seeing the behavior reported by Ondřej Surý in
> https://bugs.php.net/bug.php?id=61043, where magic_quotes_gpc is
> configured on, but ini_get('magic_quotes_gpc') returns that it's
> disabled, even though magic quoting is still happening.
>
> It would be great to get comments on the patch provided by Ondřej
> in the bug report to know if it's the correct fix, and if so, get it
> committed to the 5.3 branch.
>
> Thanks.
>
> --
> Steve Beattie
>
> http://NxNW.org/~steve/

-- 
Ondřej Surý
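A probe script in the spirit of the test Kousuke ran above, added here as an example; it is not the gist or the patch from the thread. It assumes magic_quotes_probe() is a name of my own and that get_magic_quotes_gpc() reads the runtime flag PG(magic_quotes_gpc), so it can be compared against what ini_get() reports:

```php
<?php
// Added example, not code from the thread. Request this script as
// probe.php?probe=' (a single quote). If magic quotes are really being
// applied, PHP rewrites the value to \' before the script runs, so the
// observed escaping can be compared with what ini_get() claims. In the
// CVE-2012-0831 case from the bug report, ini_get() says "0" while the
// input still arrives escaped, and the 'inconsistent' flag becomes true.
function magic_quotes_probe()
{
    $reported = ini_get('magic_quotes_gpc');   // the ini table value ("0" in the bug)
    // Assumption: get_magic_quotes_gpc() returns PG(magic_quotes_gpc), the
    // flag the input filter actually consults (absent on PHP >= 7.4).
    $runtime = function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : null;

    $raw = isset($_GET['probe']) ? $_GET['probe'] : null;
    // A bare quote arriving as \' means it was escaped on the way in.
    if ($raw === "\\'") {
        $observed = 1;
    } elseif ($raw === "'") {
        $observed = 0;
    } else {
        $observed = null;   // probe parameter missing or not a single quote
    }

    return array(
        'php_version'       => PHP_VERSION,
        'ini_get'           => $reported,
        'get_magic_quotes'  => $runtime,
        'observed_escaping' => $observed,
        'inconsistent'      => ($observed !== null && (bool) $observed !== (bool) $reported),
    );
}

header('Content-Type: text/plain');
foreach (magic_quotes_probe() as $key => $value) {
    printf("%s: %s\n", $key, var_export($value, true));
}
```

On an affected 5.3 build the output shows ini_get "0" next to observed_escaping 1, which is the discrepancy the thread describes; on a correct build the two agree.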