php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc

Status changed to 'Confirmed' because the bug affects multiple users.

Forwarded to https://bugs.php.net/bug.php?id=61043 with patch.

(Fortunatelly it's the Ubuntu today which needs to bite the bullet, since I haven't uploaded Debian security update yet. ;)

I am building Debian package with updated patch and will report back. Thanks for the test script.

Thanks for your report. I confirm the change of behavior. This was probably introduced in this change:

php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low

[...]
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831

The patch attached to PHP bug report fixes your problem:

root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini
magic_quotes_gpc = On
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# emacs php.ini
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini
magic_quotes_gpc = Off
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(0) ""

Ondřej, thanks for diagnosing this issue! I'll review and incorporate your patch and release a regression fix for this shortly after testing locally.

Thanks and my apologies for introducing this regression.

The PHP-version in Hardy Heron (8.04) also has the same behaviour. (version 5.2.4-2ubuntu5.22) This broke some of the websites hosted on my severs that relied on magic_quotes_gpc detection with ini_get('magic_quotes_gpc') . This always returns 0 now, even when magic_quotes_gpc switchec On in php.ini or .htaccess.

Well, it affects all versions which got that security report (i.e. all supported).

As far as I understand this bug, the magic_quotes are actually set to the correct value, it's just the ini_get() which reports wrong value.

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.14

---------------
php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden> Fri, 10 Feb 2012 15:07:08 -0800

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.23

---------------
php5 (5.2.4-2ubuntu5.23) hardy-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden> Fri, 10 Feb 2012 15:34:36 -0800

Yes, as Ondřej said, all supported releases were affected and the issue was that ini_get('magic_quotes_gpc') was returning the wrong value, magic_quotes_gpc would still get set correctly. Also, get_magic_quotes_gpc() returned the correct value, too.

Fixes for all releases have gone out as http://www.ubuntu.com/usn/usn-1358-2/. Thanks for your patience.

I've posted in php-internals list about this topic: http://marc.info/?l=php-internals&m=132922462700684&w=2

Please tell me answers to some questions.