Ticket #953 (closed task: fixed)

Opened 3 years ago

Last modified 2 years ago

Change magic_quotes_gpc handling to require PHP 5.2.8 and use the fixes introduced there

Reported by: david Owned by: david
Priority: high Milestone: 0.11.6
Component: request Version: 0.11.5
Severity: normal Keywords:
Cc: Patch attached: no

Description (last modified by david) (diff)

There is a problem with $_FILES in PHP <5.2.7 where the tmp_name index does not have its parent or children magic_quoted ( http://bugs.php.net/bug.php?id=46313)

This in itself is no problem, but a problem occurs in combination with backslashes in the field names:

  • <input type="file" name="f'oo" />
    results in
    array("f'oo" => array("tmp_name" => "..."))
  • <input type="file" name="f'o\o" />
    results in
    array("f'o\o" => array("tmp_name" => "..."))
  • <input type="file" name="f\'oo" />
    results in
    array("f'oo" => array("tmp_name" => "..."))

Spot the difference? The backslash in front of the quote is eaten, but only for the tmp_name index; other entries are fine:

  • <input type="file" name="f'oo" />
    results in
    array("f\'oo" => array("name" => "...", 'size' => '...', ...))
  • <input type="file" name="f'o\o" />
    results in
    array("f'o\\o" => array("name" => "...", 'size' => '...', ...))
  • <input type="file" name="f\'oo" />
    results in
    array("f\\\'oo" => array("name" => "...", 'size' => '...', ...))

(those, of course, have magic quotes applied, as it's only broken for tmp_name)

The problem is that it makes reliable cleanup impossible as the names can potentially ambiguous.

Now consider a situation where a user has a lot of <input type="file" name="images[]" /> in his document, simply looping over them in his action, with validators ensuring that files are images not bigger than 100kB. If we attempted cleanups that guessed names with magic_quotes_gpc and blackslashes, an attacker could potentially use that behavior to inject a file by relying on our "guessing" behavior that could lead to tmp_name entries linked to the wrong files.

Also, magic quotes are a f*ing b*tch to deal with, and we just cannot be bothered anymore.

Hence, we'll now throw an exception if magic quotes are on and PHP < 5.2.8 is installed. This also makes tickets #944 and #945 redundant. We can simply throw out any special version checks and workarounds and rely on PHP, finally, after ten-or-so-years, applying magic_quotes_gpc to input data properly.

And no, this is not the bug that resulted in PHP 5.2.7 being pulled from distribution. Those are not related. We're still mandating 5.2.8, as 5.2.7 shouldn't be out there anyway.

Change History

Changed 3 years ago by david

(In [3416]) backing out [3396] in preparation for proper cleanup, refs #944, #953 and #945

Changed 3 years ago by david

  • status changed from new to assigned

Changed 3 years ago by david

  • description modified (diff)
  • summary changed from Change magic_quotes_gpc handling to require 5.2.7 and use the fixes introduced there to Change magic_quotes_gpc handling to require PHP 5.2.8 and use the fixes introduced there

Changed 3 years ago by david

  • status changed from assigned to closed
  • resolution set to fixed

(In [3417]) Changed magic_quotes_gpc handling to require PHP 5.2.8 and use the fixes introduced there, closes #953

Changed 3 years ago by impl

(In [3444]) Reword exception message for [3417], refs #953

Note: See TracTickets for help on using tickets.