Debian Bug report logs - #512037
php5-cgi: magic_quotes_gpc = On

Package: php5-common; Maintainer for php5-common is (unknown);

Reported by: Olaf van der Spek <OlafvdSpek@GMail.Com>

Date: Fri, 16 Jan 2009 16:45:02 UTC

Severity: wishlist

Merged with 500168

Found in versions php5/5.2.0-8, php5/5.2.0-8+etch11

Fixed in version php5/5.3.0-1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-cgi. (Fri, 16 Jan 2009 16:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Olaf van der Spek <OlafvdSpek@GMail.Com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 16:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Olaf van der Spek <OlafvdSpek@GMail.Com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 17:41:57 +0100
Package: php5-cgi
Version: 5.2.0-8+etch13
Severity: important

Hi,

http://nl3.php.net/magic_quotes
> This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

I don't think Debian should ship PHP with this feature enabled.

Greetings

Olaf

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages php5-cgi depends on:
ii  lib 1.0.3-6                              high-quality block-sorting file co
ii  lib 2.3.6.ds1-13etch8                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.4.4-7etch6                         MIT Kerberos runtime libraries
ii  lib 4.17-5etch3                          File type determination library us
ii  lib 6.7+7.4-4                            Perl 5 Compatible Regular Expressi
ii  lib 0.9.8c-4etch4                        SSL shared libraries
ii  lib 2.6.27.dfsg-6                        GNOME XML library
ii  mim 3.39-1                               MIME files 'mime.types' & 'mailcap
ii  php 5.2.0-8+etch13                       Common files for packages built fr
ii  ucf 2.0020                               Update Configuration File: preserv
ii  zli 1:1.2.3-13                           compression library - runtime

php5-cgi recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-cgi. (Fri, 16 Jan 2009 19:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 19:21:03 GMT) (full text, mbox, link).


Message #10 received at 512037@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Olaf van der Spek <OlafvdSpek@GMail.Com>, 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 20:19:37 +0100
hi olaf,

On Fri, Jan 16, 2009 at 05:41:57PM +0100, Olaf van der Spek wrote:
> Package: php5-cgi
> Version: 5.2.0-8+etch13
> Severity: important

i don't disagree that we should follow suit in deprecating it, and i'm
even supportive of the idea of preemptively deprecating it before 5.3.0
is out, though i'm not sure it warrants "important" severity...

> http://nl3.php.net/magic_quotes
> > This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
 
> I don't think Debian should ship PHP with this feature enabled.

i agree, though i would vote to wait until the dust settles with respect to
changes for the sid/lenny stuff.


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-cgi. (Fri, 16 Jan 2009 19:30:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Olaf van der Spek" <olafvdspek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 19:30:02 GMT) (full text, mbox, link).


Message #15 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Olaf van der Spek" <olafvdspek@gmail.com>
To: "sean finney" <seanius@debian.org>
Cc: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 20:27:21 +0100
Hi,

On Fri, Jan 16, 2009 at 8:19 PM, sean finney <seanius@debian.org> wrote:
> i don't disagree that we should follow suit in deprecating it, and i'm
> even supportive of the idea of preemptively deprecating it before 5.3.0
> is out, though i'm not sure it warrants "important" severity...

AFAIK the upstream default has been off for ages. The Debian default is on.
That's why I made it important.

>> http://nl3.php.net/magic_quotes
>> > This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
>
>> I don't think Debian should ship PHP with this feature enabled.
>
> i agree, though i would vote to wait until the dust settles with respect to
> changes for the sid/lenny stuff.

Hmm.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-cgi. (Fri, 16 Jan 2009 21:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Raphael Geissert" <atomo64+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 21:06:14 GMT) (full text, mbox, link).


Message #20 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Raphael Geissert" <atomo64+debian@gmail.com>
To: "Olaf van der Spek" <olafvdspek@gmail.com>, 512037@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 15:03:44 -0600
reassign 512037 php5-common
forcemerge 500168 512037
thanks

Hi,

2009/1/16 Olaf van der Spek <olafvdspek@gmail.com>:
> Hi,
>
> On Fri, Jan 16, 2009 at 8:19 PM, sean finney <seanius@debian.org> wrote:
>> i don't disagree that we should follow suit in deprecating it, and i'm
>> even supportive of the idea of preemptively deprecating it before 5.3.0
>> is out, though i'm not sure it warrants "important" severity...
>
> AFAIK the upstream default has been off for ages. The Debian default is on.
> That's why I made it important.

No, it hasn't and it isn't. Debian ships the pristine php.ini-dist
with only a small cleanup (removing windows bits and adding security
notices).

And please look for open bug reports before filing, thanks.

Regards,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net




Bug reassigned from package `php5-cgi' to `php5-common'. Request was from "Raphael Geissert" <atomo64+debian@gmail.com> to control@bugs.debian.org. (Fri, 16 Jan 2009 21:06:24 GMT) (full text, mbox, link).


Forcibly Merged 500168 512037. Request was from "Raphael Geissert" <atomo64+debian@gmail.com> to control@bugs.debian.org. (Fri, 16 Jan 2009 21:06:33 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Fri, 16 Jan 2009 21:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Olaf van der Spek" <olafvdspek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 21:12:15 GMT) (full text, mbox, link).


Message #29 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Olaf van der Spek" <olafvdspek@gmail.com>
To: "Raphael Geissert" <atomo64+debian@gmail.com>
Cc: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 22:08:51 +0100
On Fri, Jan 16, 2009 at 10:03 PM, Raphael Geissert
<atomo64+debian@gmail.com> wrote:
> No, it hasn't and it isn't. Debian ships the pristine php.ini-dist

Ah, yes, PHP recommends A but defaults to B... :(

> And please look for open bug reports before filing, thanks.

I did, but not on the php5-common package.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Fri, 16 Jan 2009 21:18:38 GMT) (full text, mbox, link).


Acknowledgement sent to "Raphael Geissert" <atomo64+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 16 Jan 2009 21:19:02 GMT) (full text, mbox, link).


Message #34 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Raphael Geissert" <atomo64+debian@gmail.com>
To: "Olaf van der Spek" <olafvdspek@gmail.com>
Cc: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Fri, 16 Jan 2009 15:12:27 -0600
2009/1/16 Olaf van der Spek <olafvdspek@gmail.com>:
> On Fri, Jan 16, 2009 at 10:03 PM, Raphael Geissert
> <atomo64+debian@gmail.com> wrote:
>> No, it hasn't and it isn't. Debian ships the pristine php.ini-dist
>
> Ah, yes, PHP recommends A but defaults to B... :(

They discourage it, but don't disable it by default so as not to break
zillions of b0rken scripts. Hopefully, php6 has no longer all those
senseless options.

>
>> And please look for open bug reports before filing, thanks.
>
> I did, but not on the php5-common package.
>

Hint: use src:php5, it will show you all the bugs reported against the
php5 source package and the packages it builds (php5-cli, php5-cgi,
etc).

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Natalie Wood  - "The only time a woman really succeeds in changing a
man is when he is a baby."




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Sat, 17 Jan 2009 12:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 17 Jan 2009 12:45:02 GMT) (full text, mbox, link).


Message #39 received at 512037@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: pkg-php-maint@lists.alioth.debian.org, sean finney <seanius@debian.org>, 512037@bugs.debian.org
Cc: Olaf van der Spek <OlafvdSpek@gmail.com>
Subject: Re: [php-maint] Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Sat, 17 Jan 2009 13:44:06 +0100
On Friday 16 January 2009 20:19, sean finney wrote:
> i don't disagree that we should follow suit in deprecating it, and i'm
> even supportive of the idea of preemptively deprecating it before 5.3.0
> is out, though i'm not sure it warrants "important" severity...
>
> > http://nl3.php.net/magic_quotes
> >
> > > This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP
> > > 6.0.0. Relying on this feature is highly discouraged.
>
> > I don't think Debian should ship PHP with this feature enabled.
>
> i agree, though i would vote to wait until the dust settles with respect to
> changes for the sid/lenny stuff.

Yes, let's turn it off in Lenny, please. It will not affect existing installs 
so I don't see a reason not to change it.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Sat, 17 Jan 2009 18:18:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Raphael Geissert" <atomo64+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 17 Jan 2009 18:18:02 GMT) (full text, mbox, link).


Message #44 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Raphael Geissert" <atomo64+debian@gmail.com>
To: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Sat, 17 Jan 2009 12:16:14 -0600
2009/1/17 Thijs Kinkhorst <thijs@debian.org>
[...]
>
> Yes, let's turn it off in Lenny, please. It will not affect existing installs
> so I don't see a reason not to change it.

Please don't suggest that, lenny is almost out and we haven't even been
able to get the other, actually important, issues sorted out. It's
already late for those changes IMO.

And as soon as PHP 5.3.0 hits unstable this bug will be automagically closed.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

E. B. White  - "Genius is more often found in a cracked pot than in a
whole one."




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Sat, 17 Jan 2009 19:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 17 Jan 2009 19:21:03 GMT) (full text, mbox, link).


Message #49 received at 512037@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Sat, 17 Jan 2009 20:19:08 +0100
On Saturday 17 January 2009 19:16, Raphael Geissert wrote:
> Please don't suggest that,

I don't see harm in merely suggesting things...?

> lenny is almost out and we haven't even been
> able to get the other, actually important, issues sorted out. It's
> already late for those changes IMO.

I disagree. Code changes are of higher risk than changing the default of a 
setting. It's very well defined what the effect of changing the setting is, 
and we know for sure that it does not affect existing setups, contrary to 
code changes. Furthermore there has been lots of testing with this item Off, 
as it has been in the code for years and we're aware of many setups running 
Debian's PHP with that.

I therefore think it's not right to see this in the same light as code 
patches, rather, it's an easy switch to make.

Why I think we *should* do it before lenny:
- Well documented as being a bad function that destroys your input variables 
and gives a false sense of security;
- Already deprecated upstream. As this change will only affect new 
installations, I believe it is good to not get new setups started in an 
environment we know is going away soon.
- Changing it will not affect current installations.
- If you need it, you can of course turn it on.


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Sat, 17 Jan 2009 19:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 17 Jan 2009 19:51:06 GMT) (full text, mbox, link).


Message #54 received at 512037@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Sat, 17 Jan 2009 20:48:30 +0100
hi thijs,

On Sat, Jan 17, 2009 at 08:19:08PM +0100, Thijs Kinkhorst wrote:
> I disagree. Code changes are of higher risk than changing the default of a 
> setting. It's very well defined what the effect of changing the setting is, 

i guess it depends on scope.  within php itself, changing the setting one
way or the other isn't too dangerous, i agree. however, there may or may not be
applications that depend on the configuration's default (both packaged and
third-party), and i'd rather not find out at this point what breaks.

> Why I think we *should* do it before lenny:
> - Well documented as being a bad function that destroys your input variables 
> and gives a false sense of security;

sure, but to be honest i think that we're just too close to lenny and
there's too much other stuff going on...   i'm willing to yield to an
overwhelming majority of course, but this is how i feel.

> - Already deprecated upstream. As this change will only affect new 
> installations, I believe it is good to not get new setups started in an 
> environment we know is going away soon.

it's scheduled to be deprecated and still on by default in upstream
configs, as previously discussed.

> - Changing it will not affect current installations.

the change will go on by default in any installation that has the
default debian version of the ini files, and for the rest may or may
not result in a change depending on how the admin responds to the prompt,
so i would disagree there...


	sean
[signature.asc (application/pgp-signature, inline)]
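
The disagreement above turns on which php.ini files actually leave magic_quotes_gpc enabled. As an added example (not part of the bug thread or of Debian's packaging), here is a small POSIX shell audit that reports the effective setting per file. The function names and the sample ini contents are constructed, and it assumes a PHP version that still has the directive, where a missing line falls back to the compiled-in default of on.

```shell
#!/bin/sh
# Added example: audit php.ini files for the effective magic_quotes_gpc value.

# ini_effective FILE DIRECTIVE -> prints "on", "off" or "unset".
# The last uncommented assignment wins; [section] headers are ignored.
ini_effective() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                  # whole-line comment
        {
            line = $0
            sub(/;.*$/, "", line)            # strip trailing comment
            eq = index(line, "=")
            if (eq == 0) next                # not an assignment
            name = substr(line, 1, eq - 1)
            val  = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)
            if (name == key) { found = 1; last = tolower(val) }
        }
        END {
            if (!found) { print "unset"; exit }
            # PHP booleans: on/yes/true, otherwise the integer value decides
            if (last == "on" || last == "yes" || last == "true" || last + 0 != 0)
                print "on"
            else
                print "off"
        }
    ' "$1"
}

# mq_audit FILE... -> one report line per file. Returns 1 if any file leaves
# magic_quotes_gpc enabled, either explicitly or by not setting it at all.
mq_audit() {
    rc=0
    for f in "$@"; do
        case $(ini_effective "$f" magic_quotes_gpc) in
            on)    echo "$f: magic_quotes_gpc = on (explicit)"; rc=1 ;;
            unset) echo "$f: magic_quotes_gpc not set (compiled-in default applies)"; rc=1 ;;
            off)   echo "$f: magic_quotes_gpc = off" ;;
        esac
    done
    return $rc
}

# Constructed sample files: a shipped-style default, a locally changed copy,
# and a file that never mentions the directive.
mq_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '[PHP]' '; magic_quotes_gpc = Off' 'magic_quotes_gpc = On' > "$d/shipped.ini"
    printf '%s\n' '[PHP]' 'magic_quotes_gpc = On' 'magic_quotes_gpc = "Off" ; local change' > "$d/changed.ini"
    printf '%s\n' '[PHP]' 'display_errors = Off' > "$d/silent.ini"
    mq_audit "$d/shipped.ini" "$d/changed.ini" "$d/silent.ini"
    rc=$?
    rm -rf "$d"
    return $rc
}

mq_demo || echo "review the files flagged above"
```

Pass the php.ini of each SAPI in use to `mq_audit`; the non-zero exit status makes it usable as a configuration-management check.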

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#512037; Package php5-common. (Tue, 20 Jan 2009 15:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 20 Jan 2009 15:42:06 GMT) (full text, mbox, link).


Message #59 received at 512037@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "sean finney" <seanius@debian.org>
Cc: 512037@bugs.debian.org
Subject: Re: [php-maint] Bug#512037: Bug#512037: Bug#512037: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Tue, 20 Jan 2009 16:38:32 +0100 (CET)
On Sat, January 17, 2009 20:48, sean finney wrote:
> i guess it depends on scope.  within php itself, changing the setting one
>  way or the other isn't too dangerous, i agree. however, there may or may
> not be applications that depend on the configuration's default (both
> packaged and third-party), and i'd rather not find out at this point what
> breaks.

Ok, as there isn't much support of changing this now let's just wait for 5.3


Thijs





Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Tue, 22 Sep 2009 02:18:03 GMT) (full text, mbox, link).


Notification sent to Olaf van der Spek <OlafvdSpek@GMail.Com>:
Bug acknowledged by developer. (Tue, 22 Sep 2009 02:18:03 GMT) (full text, mbox, link).


Message #64 received at 512037-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 512037-done@bugs.debian.org
Subject: Bug#512037: php5-cgi: magic_quotes_gpc = On
Date: Mon, 21 Sep 2009 21:18:09 -0500
Source: php5
Source-Version: 5.3.0-1

PHP 5.3 is already in experimental, and as such, this bug can be closed.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Tue, 22 Sep 2009 02:18:04 GMT) (full text, mbox, link).


Notification sent to Darshaka Pathirana <dpat@syn-net.org>:
Bug acknowledged by developer. (Tue, 22 Sep 2009 02:18:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Feb 2010 07:31:01 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 01:36:17 2023; Machine Name: bembo
