PHP should be shipped with magic_quotes_gpc = Off in php.ini

Bug #204479 reported by Daniel Stoyanov
Affects         Status        Importance  Assigned to  Milestone
php5 (Debian)   Fix Released  Unknown
php5 (Ubuntu)   Fix Released  Wishlist    Unassigned

Bug Description

Binary package hint: php5

For the quality of Ubuntu packages, and a better development environment (for newcomers to PHP), please set magic_quotes_gpc = Off in the default php.ini shipped with PHP. The magic_quotes mechanism is highly DEPRECATED by the whole PHP community and this "feature" will be removed in PHP6.

Thank you in advance.

Revision history for this message
Chuck Short (zulcss) wrote :

A good source of information:

http://www.jimmysworld.org/article.html?aID=59

What do you guys think?

chuck

Changed in php5:
importance: Undecided → Wishlist
status: New → Triaged
Immeëmosol (imme-emosol) wrote :

This seems to me like no issue anymore, since

http://php.net/magic_quotes says:

Warning

This feature has been DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

Daniel Stoyanov (dankh) wrote :

Ubuntu ships with a version < PHP6, and it's likely that there will be no PHP6 before 8.10, so this is an issue.
I reiterate my point. Novice developers will learn PHP with a bad configuration; they won't escape variables (or will do so badly) and will create security holes in their applications. Other developers will simply edit php.ini after a fresh install.
Fixing this yourself is very easy, but it's important that Ubuntu offers good packages by default. Why not fix that?

Savvas Radevic (medigeek) wrote :

"Warning
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged."

This feature will clearly be disabled in the near future.

Changed in php5:
status: Unknown → New
bmjames (bmjames) wrote :

This configuration encourages bad development practice and in doing so encourages SQL injection vulnerabilities in PHP applications developed on Ubuntu.

magic_quotes_gpc offers no protection against sophisticated injection attacks, and enabling it only serves to give novice developers a false sense of security. Developers who see that it is enabled are less likely to consider using practices that are guaranteed to prevent injection vulnerabilities.

The feature only still exists for legacy compatibility, and enabling it by default is an illogical and dangerous mistake which should be corrected as soon as possible. It is a disservice to the developer community to wait for PHP 6 to fix this problem.
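To illustrate the point made above, here is an added PHP script (example code, not part of the bug report or of the PHP or Ubuntu projects). It emulates what magic_quotes_gpc = On did to request values, shows that an integer-context query is still injectable with it, and contrasts that with a parameterised query; the table, rows and input are constructed for the demonstration and the script needs only pdo_sqlite.

```php
<?php
// Added example, not code from the bug report or from PHP/Ubuntu. It runs
// offline against an in-memory SQLite database: `php magic_quotes_demo.php`.
// Requires the pdo_sqlite extension.

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");

// magic_quotes_gpc = On did exactly this to every GET/POST/COOKIE value
// before the script ran: addslashes(), i.e. backslash-escape ' " \ and NUL.
function emulateMagicQuotesGpc(string $value): string
{
    return addslashes($value);
}

// Legacy style: interpolate the "magic-quoted" value into the SQL text.
function findNamesInterpolated(PDO $db, string $id): array
{
    $escaped = emulateMagicQuotesGpc($id);
    return $db->query("SELECT name FROM users WHERE id = $escaped")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Correct style: bind the value as a parameter; it is never parsed as SQL.
function findNamesPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input for an integer column. It contains no quote, backslash
// or NUL byte, so magic quotes change nothing about it.
$input = '2 OR is_admin = 1';

// With interpolation the condition becomes "id = 2 OR is_admin = 1" and
// both rows come back, magic quotes or not.
echo 'interpolated: ', implode(',', findNamesInterpolated($db, $input)), "\n";

// With a prepared statement the whole string is compared against the id
// column as a single value and matches nothing.
echo 'prepared:     ', implode(',', findNamesPrepared($db, $input)), "\n";
```

The same applies to string columns: addslashes() only neutralises the quote characters, so any input that never needs a quote to change the query's meaning passes through untouched, which is why prepared statements rather than php.ini settings are the fix.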

Ondřej Surý (ondrej) wrote :

I suggest you all read the discussion in the debian bug before commenting further.

5.3.x will hit unstable soon and it will have it Off by default. In Ubuntu I guess you'll have to wait until development of 9.10, when the merge from unstable will happen again.

Changed in php5 (Debian):
status: New → Fix Released
Chuck Short (zulcss) wrote :

This is fixed as well.
Regards
chuck

Changed in php5 (Ubuntu):
status: Triaged → Fix Released