Edit report at http://pear.php.net/bugs/bug.php?id=16727&edit=1

ID: 16727
Updated by: l.alberton@quipo.it
Reported By: tom at sirtomprice dot com
Summary: MDB2 Quote Fetches URLs
-Status: Open
+Status: Closed
Type: Bug
Package: MDB2
Operating System: Windows XP
Package Version: 2.5.0b2
PHP Version: 5.2.5
-Assigned To:
+Assigned To: quipo
Roadmap Versions:
New Comment:

-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: quipo
Make sure the 'lob_allow_url_include' option is set to false


Previous Comments:
------------------------------------------------------------------------

[2009-10-22 16:50:11] kingtom

Description:
------------
When passing a URL as the first parameter to $mdb2->quote, and 'clob'
as the second parameter, it actually fetches the URL.

Test script:
---------------
print $mdb2->quote("http://www.bbc.co.uk", "clob");

Expected result:
----------------
It should print 'http://www.bbc.co.uk'

Actual result:
--------------
It prints the source of http://www.bbc.co.uk

------------------------------------------------------------------------


  • Tom at Oct 22, 2009 at 3:23 pm
    Edit report at http://pear.php.net/bugs/bug.php?id=16727&edit=1

    ID: 16727
    Updated by: tom@sirtomprice.com
    Reported By: tom at sirtomprice dot com
    Summary: MDB2 Quote Fetches URLs
    Status: Closed
    Type: Bug
    Package: MDB2
    Operating System: Windows XP
    Package Version: 2.5.0b2
    PHP Version: 5.2.5
    Assigned To: quipo
    Roadmap Versions:
    New Comment:

    $mdb2->setOption('lob_allow_url_include', false); ??? still exhibits
    the same behaviour for me...

    Surely it should be set to false by default though, because it's a huge
    security hole... if you pass user input in, then they can access any
    file on the server - file:///etc/passwd and so on

    Am I missing something? :)


    Previous Comments:
    ------------------------------------------------------------------------

    [2009-10-22 17:05:44] quipo

    -Status: Open
    +Status: Closed
    -Assigned To:
    +Assigned To: quipo
    Make sure the 'lob_allow_url_include' option is set to false

    ------------------------------------------------------------------------

  • L Alberton at Oct 22, 2009 at 3:46 pm
    Edit report at http://pear.php.net/bugs/bug.php?id=16727&edit=1

    ID: 16727
    Updated by: l.alberton@quipo.it
    Reported By: tom at sirtomprice dot com
    Summary: MDB2 Quote Fetches URLs
    -Status: Closed
    +Status: Feedback
    Type: Bug
    Package: MDB2
    Operating System: Windows XP
    Package Version: 2.5.0b2
    PHP Version: 5.2.5
    Assigned To: quipo
    Roadmap Versions:
    New Comment:

    -Status: Closed
    +Status: Feedback
    It *is* false by default... I can't try now, I don't have access to my
    dev machine.
    Would you mind trying the files in SVN, and seeing if it's fixed there?
    Thanks!


    Previous Comments:
    ------------------------------------------------------------------------

    [2009-10-22 17:23:15] kingtom

    $mdb2->setOption('lob_allow_url_include', false); ??? still exhibits
    the same behaviour for me...

    Surely it should be set to false by default though, because it's a huge
    security hole... if you pass user input in, then they can access any
    file on the server - file:///etc/passwd and so on

    Am I missing something? :)

    ------------------------------------------------------------------------

  • Tom at Oct 28, 2009 at 3:25 pm
    Edit report at http://pear.php.net/bugs/bug.php?id=16727&edit=1

    ID: 16727
    Updated by: tom@sirtomprice.com
    Reported By: tom at sirtomprice dot com
    Summary: MDB2 Quote Fetches URLs
    Status: Feedback
    Type: Bug
    Package: MDB2
    Operating System: Windows XP
    Package Version: 2.5.0b2
    PHP Version: 5.2.5
    Assigned To: quipo
    Roadmap Versions:
    New Comment:

    Hi - thanks for looking into this.

    We're using 2.5.0b2 and it seems to be true by default on this. Not
    sure how to try the files in SVN?


    Previous Comments:
    ------------------------------------------------------------------------

    [2009-10-22 17:46:07] quipo

    -Status: Closed
    +Status: Feedback
    It *is* false by default... I can't try now, I don't have access to my
    dev machine.
    Would you mind trying the files in SVN, and seeing if it's fixed there?
    Thanks!

    ------------------------------------------------------------------------
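
Added example (not part of the thread and not MDB2's own code): a canary check for the behaviour reported above, plus an input guard for values headed to quote() with a LOB type. The helper names and the two stand-in closures are hypothetical and constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example, not MDB2 code. In real use, wrap the handle under test:
//   $quote = function ($v) use ($mdb2) { return $mdb2->quote($v, 'clob'); };

/** True if quoting a file:// value returns the file's content instead of the string. */
function lob_quote_dereferences(callable $quote): bool
{
    $canary = 'canary-' . bin2hex(random_bytes(8));
    $path = tempnam(sys_get_temp_dir(), 'lob');
    file_put_contents($path, $canary);
    try {
        $quoted = (string) $quote('file://' . $path);
    } finally {
        unlink($path);
    }
    // The path never contains the canary, so a match means the file was read.
    return strpos($quoted, $canary) !== false;
}

/** Guard for untrusted input: refuse anything shaped like scheme://... */
function reject_url_like(string $value): string
{
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $value)) {
        throw new InvalidArgumentException('URL-like value refused for LOB quoting');
    }
    return $value;
}

// Constructed stand-ins so the example runs without a database connection.
$dereferencing = function ($v) {   // mimics the behaviour reported in the thread
    return preg_match('#^\w+://#', $v) ? "'" . @file_get_contents($v) . "'" : "'$v'";
};
$literal = function ($v) {         // mimics the expected result
    return "'" . $v . "'";
};

var_dump(lob_quote_dereferences($dereferencing));
var_dump(lob_quote_dereferences($literal));

// Inputs taken from the thread, plus one ordinary value.
foreach (['plain text body', 'http://www.bbc.co.uk', 'file:///etc/passwd'] as $input) {
    try {
        echo $literal(reject_url_like($input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $input, "\n";
    }
}
```

Running lob_quote_dereferences() against a real handle after setting 'lob_allow_url_include' to false shows whether the installed MDB2 version honours the option.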

Discussion Overview
group: pear-bugs
categories: php
posted: Oct 22, '09 at 3:06p
active: Oct 28, '09 at 3:25p
posts: 4
users: 2
website: pear.php.net