Closed Thread Icon

Topic awaiting preservation: Magic Quotes Issue (Page 1 of 1) Pages that link to <a href="http://ozoneasylum.com/backlink?for=13104" title="Pages that link to Topic awaiting preservation: Magic Quotes Issue (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Magic Quotes Issue <span class="small">(Page 1 of 1)</span>\

 
Wes
Paranoid (IV) Mad Scientist

From: Inside THE BOX
Insane since: May 2000

posted posted 03-23-2004 22:02

So, I recently discovered that every time I attempt a search containing an apostrophe in my installation of Gallery, the apostrophe gets prefixed with a backslash.

Searching for world's largest results in a search for world\'s largest, which yields nothing. Of course, that makes my upcoming stock-photo gallery useless.

I've done a lot of frustrating research and I've determined it to be a problem with magic quotes being on. I've attempted to turn them off in my .htaccess file using magic_quotes_gpc = off, but it will only work if I remove AddType php-cgi .php. However, I can't remove that because Gallery won't work without it.

Someone posted in the Gallery discussion forum that he added ini_set(magic_quotes_gpc, 0); to every php file (not knowing which ones needed it) and it worked. But I'm hoping there's a less drastic solution.

I've written DreamHost about the issue, but I don't hold out much hope, because as I understand it, they've disabled such custom php directives in .htaccess while PHP-CGI is enabled.

Anyone have any other ideas?

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted posted 03-23-2004 22:42

Well I'd just try adding that to the top of the file called search.php

(Note I'm not a gallery user but that's the page it seems to call)



.:[ Never resist a perfect moment ]:.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 03-23-2004 23:02

actually, I feel you're all confused.

Magic quotes often are an issue - but they should not be here.

So you have 'world's largest' in the sql database.
User types 'world's largest' - your script then creates a query that reads like "select ... where something like '%world\'s largest%'" - see where that \ saves your but from a nasty scripting attack?
Now, the mysqldatabas parses this - discovers the \ in front of the ' and removes it, so you should still be finding everything.

Except of course, that world's largest isn't actually world's largest *in your database* - in which case we have a different problem entirly.

now, if you were looking for a security hole opening quick fix, adust the the function below to call stripslashes instea of the whole trim(addslashes(stripslashes(htmlentities thing and call it for each incoming array (__GET,_POST,HTTP_GET_VARS...). You'll probaly also want to remove the unseting of the variables in $GLOBAL - registered globals *are* a security risk, but I doubt gallery will be able to work without them.
Please note, the function below doesn't take magic_quotes_gpc (get/post/cookies!) specifically into account. It could, but so far no grail has needed it.

code:
function _g_SecureArray(&$array,$bIsFirstLevel = true)
{
foreach ($array as $aKey => $aVar)
{
if (is_array($aVar))
{
_g_SecureArray($array[$aKey],false);
}
else
{
$aVar = trim(addslashes(stripslashes(htmlentities($aVar,ENT_QUOTES))));
$aVar = str_replace(array('<','>'),array('<','>'),$aVar);
$array[$aKey] = $aVar;
if ($bIsFirstLevel)
unset($GLOBALS[$aKey]);

}
}
}



so long,

Tyberius Prime

Wes
Paranoid (IV) Mad Scientist

From: Inside THE BOX
Insane since: May 2000

posted posted 03-26-2004 01:14

Unfortunately, adding ini_set(magic_quotes_gpc, 0); to search.php did squat. In fact, I tried creating a file with ...

code:
<?php 
ini_set(magic_quotes_gpc, 0);
phpinfo()
?>


... and it still reports them as on.

Now, TP - sorry, but you've lost me entirely. First, I don't believe Gallery uses MySQL at all. Everything appears to be stored in flat files and those files do contain exactly the phrase "world's largest."

Additionally, magic quotes cause minor problems elsewhere -- adding album names with apostrophes, for instance, though those are easily fixed with renaming. Magic quotes, I believe, are the culprit with the search function as well.

I've uploaded search.php as a text file here if anyone would like to look at it ... and possibly, if you are so kind, help me to figure out this problem. My php is knowledge is very weak, but I'm desperate to fix this search problem because it can be a huge deal to potential licensing opportunities.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted posted 03-26-2004 02:07

I beleive the issue lies in here -

quote:
$searchstring = escapeEregChars ($searchstring);
$searchstring = str_replace ("\\*", ".*", $searchstring);



The PHP is escaping the apostrophe with a slash, which in many cases it should.

Perhaps this is a situation for stripslashes. I am not well enough versed to know how that will affect other things in gallery however...



[This message has been edited by DL-44 (edited 03-26-2004).]

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 03-26-2004 09:15

a) magicq quotes for get,post,cookies (or gpc ) happpen before php executes your script. There's nothing you can do about that.

b) if you're not using a database, calling stripslashes() at the search term might just be the fix you need. Give it a try. (or, call add slashes within the search comparison routine... and do it the other way around. Though that's gonna need more cpu time).

Wes
Paranoid (IV) Mad Scientist

From: Inside THE BOX
Insane since: May 2000

posted posted 03-27-2004 01:39

OK, so I did some searching on stripslashes and I finally came up with a couple of posts from guys who had the same issue of not being able to turn off magic quotes.

The first hack didn't work. Well, it did fix magic quotes but caused some other crazy errors.

The second appears to work and fixes the problem globally; even adding album with names containing apostrophes is no longer a problem. I added this to the file init.php ...

code:
if (get_magic_quotes_gpc()) { 
$posted_keys = implode(',', array_keys($_POST));
$get_keys = implode(',', array_keys($_GET));

if ($posted_keys &#0124; &#0124; $get_keys) {

// Will stripslashes if magic_quotes_gpc is on.
// Pass the NAMEs of the variables, not the value
// e.g. stripSlashesGpc('my_var', 'my_array')
// NOT stripSlashesGpc($my_var, $my_array)
function stripSlashesGpc()
{
if (!get_magic_quotes_gpc()) {
return;
}
$args = func_get_args();
foreach ($args as $var_name) {
// var_name might be an array element.
// Globalize up to the first "["
if ($b_pos = strpos($var_name, '[')) {
$global_var_name = substr($var_name, 0, $b_pos);
}
else {
$global_var_name = $var_name;
}
global $$global_var_name;
// Need to use eval in case its an array element
eval("\$var_value = \$$var_name;");
if (is_array($var_value)) {
foreach ($var_value as $key => $val) {
$key = str_replace('"', '\"', $key);
$array_element = $var_name . '["' . $key . '"]';
stripSlashesGpc($array_element);
}
}
else {
// Need to use eval in case its an array element
eval("\$$var_name = stripslashes(\$var_value);");
}
}
} // End stripSlashesGpc

// enclose each key name in quotes,
// or php might die if a var is the same name as a constant
function quoteCommaDeliminatedList($list)
{
return "'" . str_replace(',', "','", $list) . "'";
}

if ($posted_keys) {
$posted_keys = quoteCommaDeliminatedList($posted_keys);
eval("stripSlashesGpc($posted_keys);");
}
if ($get_keys) {
$get_keys = quoteCommaDeliminatedList($get_keys);
eval("stripSlashesGpc($get_keys);");
}
}
}


It's rather lengthy and I don't understand it, but it seems to work.

Incidentally, if someone else happens on this topic while searching for a fix, you can find the original post here.

Now, no one replied to this apparent genius's post, so I don't know if this hack causes unseen problems somewhere else. If anyone sees anything in here that could be disastrous, please let me know.


Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 03-27-2004 09:28
quote:
eval("\$var_value = \$$var_name;");



I'd bet even money I can turn this into a full blown security hole.

try replacing that piece at least with

code:
$var_value = ${$var_name};


that should be doing the same in almost all cases, and all the other cases are attacks.

Wes
Paranoid (IV) Mad Scientist

From: Inside THE BOX
Insane since: May 2000

posted posted 03-27-2004 18:31

Done, thanks!

I just hope you were fixing one and not creating one.


« BackwardsOnwards »

Show Forum Drop Down Menu