Hey,
There have been several bug reports about magic_quotes_gpc being
broken, at the moment in 5.2.7 the escaping is not performed even when
enabled. So any applications that attempt to undo the work of
magic_quotes_gpc will end up with problems.
I've backed out the bug that broke this #42718
Since this is a relatively serious issue from a security standpoint if
people rely on it being enabled and a potential data loss for those
trying to undo it, I'd like to see a release packaged asap.
If Ilia agrees then could fixes to the 5.2 branch be restricted to
build fixes only.
Scott
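The two failure modes described in the message above, as an added example that is not part of the original thread or of PHP's source: it simulates a working magic_quotes_gpc with `addslashes()` and the reported 5.2.7 behaviour with a pass-through, then runs the common "undo" idiom and a query that relies on the setting. The function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added illustration. Function names are hypothetical; all inputs are constructed.

// Escaping magic_quotes_gpc applies when it works (addslashes-style, non-sybase mode).
function gpc_working($raw) { return addslashes($raw); }

// Behaviour the thread reports for 5.2.7: setting enabled, value passed through unescaped.
function gpc_527($raw) { return $raw; }

// Common "undo" idiom: trust the ini setting and strip slashes.
function undo_magic_quotes($value, $setting_enabled) {
    return $setting_enabled ? stripslashes($value) : $value;
}

// Code that relies on the setting and interpolates request data directly.
function query_relying_on_gpc($value) {
    return "SELECT id FROM users WHERE name = '" . $value . "'";
}

$setting_enabled = true;  // what get_magic_quotes_gpc() would report in both cases
$samples = array('C:\\temp\\report.txt', "O'Brien");
$modes = array('working' => 'gpc_working', '5.2.7' => 'gpc_527');

foreach ($samples as $raw) {
    foreach ($modes as $label => $fn) {
        $received = call_user_func($fn, $raw);
        $restored = undo_magic_quotes($received, $setting_enabled);
        // Undo path: stripslashes() on unescaped input deletes real backslashes.
        printf("%-8s raw=%-20s undo=%-20s %s\n", $label, $raw, $restored,
               $restored === $raw ? 'intact' : 'DATA LOSS');
        // Reliance path: without escaping, the quote in the value ends the SQL literal.
        printf("         %s\n", query_relying_on_gpc($received));
    }
}
```

In the 5.2.7 rows the path loses its backslashes in the undo step, and the name with an apostrophe reaches the interpolated query unescaped.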
Scott MacVicar wrote:
Since this is a relatively serious issue from a security standpoint if
people rely on it being enabled and a potential data loss for those
trying to undo it, I'd like to see a release packaged asap.
Please don't release a new package, but a new php version (5.2.8 or 5.2.7.1)
--
"We have art in order not to die of the truth" - Friedrich Nietzsche
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
Hello Ilia,
Ilia, this is ultimately your call but I suggest we drop 5.2.7, explain
that people shouldn't use it on php.net news and then provide 5.2.8.
marcus
Saturday, December 6, 2008, 9:35:42 PM, you wrote:
Hey,
There have been several bug reports about magic_quotes_gpc being
broken, at the moment in 5.2.7 the escaping is not performed even when
enabled. So any applications that attempt to undo the work of
magic_quotes_gpc will end up with problems.
I've backed out the bug that broke this #42718
Since this is a relatively serious issue from a security standpoint if
people rely on it being enabled and a potential data loss for those
trying to undo it, I'd like to see a release packaged asap.
If Ilia agrees then could fixes to the 5.2 branch be restricted to
build fixes only.
Scott
Best regards,
Marcus
I will be re-branching 5.2.7 with this revert for the purpose of 5.2.8
this week. This will allow the normal 5.2 bug fixing to continue as
normal.
Ilia Alshanetsky
Hello Ilia,
brilliant :-)
Sunday, December 7, 2008, 7:16:43 PM, you wrote:
I will be re-branching 5.2.7 with this revert for the purpose of 5.2.8
this week. This will allow the normal 5.2 bug fixing to continue as
normal.
Best regards,
Marcus
Should the 5.3 release be re-branched perhaps as well, since it too
has this problem?
Ilia Alshanetsky
hi,
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Cheers,
Pierre
hi,
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Time to turn it off by default then?
-Hannes
On Mon, Dec 8, 2008 at 4:06 PM, Hannes Magnusson
hannes.magnusson@gmail.com wrote:
hi,
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Time to turn it off by default then?
I would even like to drop it (and the other things as well) in 5.3.0 :)
--
Pierre
On Mon, Dec 8, 2008 at 4:06 PM, Hannes Magnusson
hannes.magnusson@gmail.com wrote:
On Mon, Dec 8, 2008 at 15:24, Pierre Joye pierre.php@gmail.com wrote:
hi,
On Mon, Dec 8, 2008 at 3:15 PM, Ilia Alshanetsky ilia@prohost.org wrote:
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Time to turn it off by default then?
I would even like to drop it (and the other things as well) in 5.3.0 :)
the drop was planned for 6.0 for a reason.
i also do not think we need to make a 5.3 release just for this.
let's focus on getting feedback on namespaces and the other changes and
have this fixed on beta1 early 2009.
regards,
Lukas Kahwe Smith
mls@pooteeweet.org
2008/12/8 Pierre Joye pierre.php@gmail.com:
On Mon, Dec 8, 2008 at 4:06 PM, Hannes Magnusson
hannes.magnusson@gmail.com wrote:
hi,
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Time to turn it off by default then?
I would even like to drop it (and the other things as well) in 5.3.0 :)
I'd like to see it dropped as well, seems like a bad legacy just keep
BC and in the end hurts us more (like just seen with 5.2.7)
--
Kalle Sommer Nielsen
Hello Pierre,
Monday, December 8, 2008, 4:08:49 PM, you wrote:
On Mon, Dec 8, 2008 at 4:06 PM, Hannes Magnusson
hannes.magnusson@gmail.com wrote:
hi,
Should the 5.3 release be re-branched perhaps as well, since it too has this
problem?
I do not think it is necessary for 5.3. It is an alpha release after
all and seriously, anyone who plans to move to 5.3.0 and still relies
on magic quotes gpc is likely to have more issues as well.
Time to turn it off by default then?
I would even like to drop it (and the other things as well) in 5.3.0 :)
+1
Best regards,
Marcus
Pierre Joye wrote:
I would even like to drop it (and the other things as well) in 5.3.0 :)
Yes, please :) but throw an error when use is detected.
--
"We have art in order not to die of the truth" - Friedrich Nietzsche
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
adding an E_DEPRECATE (actually i guess we should check the PHP6 NEWS
file for other stuff as well), does make sense.
disabling by default (if not yet done) too.
regards,
Lukas Kahwe Smith
mls@pooteeweet.org
Mon, Dec 8, 2008 at 1:40 PM, Lukas Kahwe Smith mls@pooteeweet.org wrote:
the drop was planned for 6.0 for a reason.
i also do not think we need to make a 5.3 release just for this.
let's focus on getting feedback on namespaces and the other changes and have
this fixed on beta1 early 2009.
adding an E_DEPRECATE (actually i guess we should check the PHP6 NEWS file
for other stuff as well), does make sense.
disabling by default (if not yet done) too.
agreed.
for php6, disable by default, add in a warning (that is higher than
E_NOTICE? so people see it)
for php5, keep business as usual. i don't think many people would
think that 5.2 -> 5.3 would disable/remove such a major thing. if
anything, add in an E_NOTICE perhaps saying "magic quotes is
active/enabled, PHP 6 will be disabling this, now is time to start
fixing the code"
while i would love to see it go, i think that is too drastic for a
"minor" version. PHP 6 will be totally different already so backwards
compatibility isn't as important. changes will most likely be required
at that point.
- $0.02
note to all: Can you read all replies before any other
answers/votes/comments please? thanks :)
tip: it is already removed from php6
Cheers,
Pierre
Removed stuff (in 6) disabled by default and throws E_DEPRECATED
when activated.
set_magic_quotes_runtime() and its evil twin magic_quotes_runtime()
already use PHP_DEP_FE/_FALIAS.
The getters (get_magic_quotes_gpc() and get_magic_quotes_runtime())
should IMO not spew E_DEPRECATED warnings (and they do not currently,
nor after the patch above).
Any objections?
-Hannes
Should the 5.3 release be re-branched perhaps as well, since it too
has this problem?
The 5.3 alpha release is hopefully not used in production by anybody so
I don't think it's critical there. Maybe it motivates somebody to think
about magic_quotes then it's even a good thing ;-)
I'd prefer having a beta soon, though.
johannes
In the meantime shouldn't this be posted on php.net?
Uninformed people are thinking that 5.2.7 is good to go.