FS#11256 - The PHP webserver on aur.archlinux.org has Magic Quotes GPC on, causing wrongly escaped quoting.

Attached to Project: Arch Linux
Opened by Maarten Billemont (lhunath) - Tuesday, 19 August 2008, 14:30 GMT
Last edited by Dan McGee (toofishes) - Monday, 06 April 2009, 01:46 GMT
Task Type: Bug Report
Category: Web Sites
Status: Closed
Assigned To: Dusty Phillips (Dusty), Simo Leone (neotuli)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: None
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description:
The PHP option "Magic Quotes GPC" is enabled on the webserver. This causes all quotes in Get/Post/Cookie submissions to be escaped by backslashes.

This is a dumb workaround introduced in old PHP servers as a half-assed attempt to fight SQL and other types of code injection.

The result is that if the code is not well written, taking the setting into account and stripping the backslashes again, data written to the database or elsewhere will have these backslashes corrupting the real message.

For more information about the configuration setting, refer to:
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
(Notice this setting is DEPRECATED - finally.)

The result of this setting and how it corrupts the data in the website's database can be seen on, for example, this page:
http://aur.archlinux.org/packages.php?ID=8902
(Notice how all the single and double quotes are escaped with backslashes, completely corrupting the user's suggestion.)

Once this setting has been disabled, the database will need to be fixed. The only way to do this is by removing slashes in front of single and double quotes. I wouldn't want to be the one to do it and be responsible for breaking data that hasn't been GPC escaped. But it should be done.

Closed by Dan McGee (toofishes)
Monday, 06 April 2009, 01:46 GMT
Reason for closing: Not a bug
Additional comments about closing: Magic quotes isn't enabled.

Comment by Dusty Phillips (Dusty) - Tuesday, 19 August 2008, 14:59 GMT
I have no access to AUR... if Simo doesn't he'll know who does.

Comment by Pierre Schmitz (Pierre) - Tuesday, 19 August 2008, 15:14 GMT
Maybe we should have a closer look at the php.ini of archlinux.org. Magic Quotes is really a mess and shouldn't be used.

Comment by Loui Chang (louipc) - Sunday, 05 April 2009, 19:36 GMT
This bug can be closed. Magic quotes is indeed off.
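
The corruption and the cleanup risk described in the report, shown as an added example that is not part of the original ticket or of the AUR code. It emulates in Python the PHP `addslashes()`/`stripslashes()` behaviour that `magic_quotes_gpc` applied to input; the comment strings and the `comments` table are constructed for illustration.

```python
import sqlite3

def addslashes(s):
    """Emulate PHP addslashes(): backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def stripslashes(s):
    """Emulate PHP stripslashes(): undo addslashes()."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2  # a trailing lone backslash is dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def store_and_read(values):
    """Insert with bound parameters, so the database layer needs no escaping."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (body TEXT)")  # hypothetical table
    db.executemany("INSERT INTO comments (body) VALUES (?)", [(v,) for v in values])
    return [row[0] for row in db.execute("SELECT body FROM comments ORDER BY rowid")]

def demo():
    # Constructed comment submitted while magic quotes was on.
    quoted = 'Use CFLAGS="-O2" and don\'t strip'
    # Constructed comment submitted with magic quotes off; its backslash is genuine.
    literal = r'sed -e "s/\"//g" PKGBUILD'
    rows = store_and_read([addslashes(quoted), literal])
    # Blanket cleanup: strip slashes from every stored row.
    cleaned = [stripslashes(r) for r in rows]
    return quoted, literal, rows, cleaned

if __name__ == "__main__":
    for name, value in zip(("quoted", "literal", "rows", "cleaned"), demo()):
        print(name, "=", value)
```

The first row is repaired by the cleanup, while the second loses a backslash it legitimately contained, which is why a fix has to know which rows were written while the setting was on.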
