Bug 65158 - magic_quotes_gpc is evil
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 7.2
Hardware: i386 Linux
Assignee: Joe Orton
QA Contact: David Lawrence
Reported: 2002-05-18 19:33 UTC by kop
Modified: 2007-04-18 16:42 UTC
Fixed In Version: 4.3.4-4
Doc Type: Bug Fix
Last Closed: 2004-04-05 12:37:28 UTC

Attachments (Terms of Use)
PHP script showing pathological behavior when magic_quotes_gpc is on (1.33 KB, text/php)
2002-05-18 19:35 UTC, kop

Description kop 2002-05-18 19:33:05 UTC
The php configuration directive magic_quotes_gpc should be off by default.
It is on in RH 7.2.

When it's on, it breaks the use of the standard web programming idiom
where, when you find a problem with the user's entered data,
you redisplay the form with the data as the user entered it
and allow corrections.  Extra characters get stuck in the user's data
as the data is "corrected" automatically by magic_quotes_gpc.
The user may not notice that his data has been altered, and may
re-submit the form with the incorrect data.  Worse, the more times
the user refreshes the form, the more the altered crud proliferates.

See attached php script (foo.php) for an example.

I marked this with a "security" severity, as the magic_quotes_gpc
"feature" seems to be designed so that when the data comes back
from the user you can pass it to a shell script, one variable per
shell argument.  So, turning off magic_quotes_gpc _could_ introduce
security vulnerabilities in existing scripts as a shell program may see extra
arguments.  However, there are many ways to "fool" the shell
into security vulnerabilities that magic_quotes_gpc does not address
(see escapeshellcmd() for example.)

In general it's stupid to have
a host-wide configuration directive that magically munges your data,
as if you don't want the data munged it's hard to un-mung it in your
script.  Whereas it's easy to script the munging done by magic_quotes_gpc.

It took me hours to figure out what was causing the problems exhibited by
the attached foo.php script.  How stupid!

Comment 1 kop 2002-05-18 19:35:30 UTC
Created attachment 57864 [details]
PHP script showing pathological behavior when magic_quotes_gpc is on

Comment 2 Phil Copeland 2002-06-04 19:54:32 UTC
From the manual:
magic_quotes_gpc  boolean

Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and
NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also
on, a single-quote is escaped with a single-quote instead of a backslash.

Well, magic_quotes_gpc can also be turned off and on from inside the php script.
(From an excerpt on the php.net site)

"...Setting MagicQuotes off needs ini_set("magic_quotes_gpc",0); to
be called, too, because even if it has no effect to anything done, you
need it because otherwise other scripts you use don't know that magicquotes
are off and may strip slashes again or may not add_slashes when using sql
or echoing javascript. So the real code would be:

if (get_magic_quotes_gpc()) {
  // Overrides GPC variables: undo the backslashes magic_quotes_gpc added.
  // $$k also re-registers each value as a global, register_globals style.
  for (reset($HTTP_GET_VARS); list($k, $v) = each($HTTP_GET_VARS); )
    $$k = $HTTP_GET_VARS[$k] = stripslashes($v);
  for (reset($HTTP_POST_VARS); list($k, $v) = each($HTTP_POST_VARS); )
    $$k = $HTTP_POST_VARS[$k] = stripslashes($v);
  for (reset($HTTP_COOKIE_VARS); list($k, $v) = each($HTTP_COOKIE_VARS); )
    $$k = $HTTP_COOKIE_VARS[$k] = stripslashes($v);
}


I'm going to ask our security folks to give a ruling on leaving it on or off

Comment 3 Phil Copeland 2002-06-04 21:03:24 UTC
To be left on
But at least you can tweak the value on or off inside a script if need be


Comment 4 kop 2002-06-05 14:41:31 UTC
According to my documentation (function.ini-set.html), magic_quotes_gpc cannot
be changed from within a script.  It can only be changed from .htaccess or the
system config.  (This makes sense, given what it does.)

(Note: Any patch that changes the global config should also change the ini_set()
documentation page.  I'm going to re-open this bug just to be sure you see this
comment as you'll be changing short_open_tags.)

Magic_quotes_gpc doesn't appear to be designed as a security feature, rather
it's a convenience feature if your database happens to be using a particular
quoting convention.  The nasty aspect of it is that it moves php away from being
a nice general purpose system and customizes it for a particular sort of
application.  There's plenty of things you could do to make php "easy".
Automatically running htmlentities() on all incoming data would eliminate the
cross-site scripting vulnerability.  It's very likely that data coming from the
user is inserted into html more often than it goes anywhere else.  Yet, this
would be a bad idea for the same reason magic_quotes_gpc is a bad idea, it's one
more thing that needs working around.  (The above 10 lines of code in every
script.)  It's not bad that magic_quotes_gpc exists, but it's bad that the
system comes "custom purposed" rather than "general purpose."

You might want to consider this issue again when the Redhat major release
changes, as altering this setting will break backwards compatibility.
(Come to think of it, you might want to wait to change the "short_open_tag"
setting for the same reason.)
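As an added illustration (an editor's example, not the reporter's attachment foo.php and not Red Hat's code), the following PHP models both the backslash proliferation described in the bug description and the once-per-request stripslashes() workaround from Comment 2, generalised to nested array fields; the form field name and the function_exists() guard for PHP 8 are assumptions.

```php
<?php
// Added example, not the reporter's foo.php and not Red Hat's code.
// Part 1 models the failure mode from the description; part 2 is the
// request-time fix from Comment 2, generalised to nested arrays.

// Part 1: a redisplayed form that never strips the magic quotes.
// Every resubmit feeds the already-escaped value back through
// addslashes(), which is what magic_quotes_gpc does on input, so the
// number of backslashes grows on every round trip.
function simulate_resubmits($value, $rounds)
{
    for ($i = 0; $i < $rounds; $i++) {
        $value = addslashes($value);
    }
    return $value;
}

// Part 2: undo magic_quotes_gpc exactly once, before any other code
// touches the input.  Recursion covers name="x[]" style array fields,
// which the flat loop quoted in Comment 2 does not handle.
function strip_magic_quotes($data)
{
    return is_array($data) ? array_map('strip_magic_quotes', $data)
                           : stripslashes($data);
}

// get_magic_quotes_gpc() no longer exists in PHP 8 (assumed guard).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Validation failed?  Redisplay exactly what the user typed.  Escaping
// belongs at the output boundary (HTML here), not at input time.
$name  = isset($_POST['name']) ? $_POST['name'] : '';
$error = (isset($_POST['name']) && $name === '') ? 'Name is required.' : '';
?>
<form method="post" action="">
<?php if ($error !== ''): ?>
  <p><?php echo htmlspecialchars($error, ENT_QUOTES); ?></p>
<?php endif; ?>
  <input name="name" value="<?php echo htmlspecialchars($name, ENT_QUOTES); ?>">
  <button type="submit">Save</button>
</form>
```

Calling simulate_resubmits("O'Reilly", 3) from the command line reproduces the proliferation the reporter describes, while the form above returns the same value however often it is resubmitted.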

Comment 5 Joe Orton 2004-04-05 12:37:28 UTC
Thanks for the report.  magic_quotes_gpc is now set to Off by default
for Fedora Core 2 and later, along with other changes per bug 97765.
