FAQ
Edit report at http://pear.php.net/bugs/bug.php?id=16727&edit=1

ID: 16727
Updated by: l.alberton@quipo.it
Reported By: tom at sirtomprice dot com
Summary: MDB2 Quote Fetches URLs
-Status: Feedback
+Status: Closed
Type: Bug
Package: MDB2
Operating System: Windows XP
Package Version: 2.5.0b2
PHP Version: 5.2.5
Assigned To: quipo
Roadmap Versions:
New Comment:

-Status: Feedback
+Status: Closed
This bug has been fixed in SVN.

If this was a documentation problem, the fix will appear on
pear.php.net by the end of next Sunday (CET).

If this was a problem with the pear.php.net website, the change should
be live shortly.

Otherwise, the fix will appear in the package's next release.

Thank you for the report and for helping us make PEAR better.




Previous Comments:
------------------------------------------------------------------------

[2009-10-28 16:25:07] kingtom

Hi - thanks for looking into this.

We're using 2.5.0b2 and it seems to be true by default on this. Not
sure how to try the files in SVN?

------------------------------------------------------------------------

[2009-10-22 17:46:07] quipo

-Status: Closed
+Status: Feedback
it *is* false by default... I can't try now, I don't have access to my
dev machine.
Would you mind trying the files in SVN, and see if it's fixed there?
Thanks!

------------------------------------------------------------------------

[2009-10-22 17:23:15] kingtom

$mdb2->setOption('lob_allow_url_include', false); ??? still exhibits
the same behaviour for me...

Surely it should be set to false by default though, because it's a huge
security hole... if you pass user input in, then they can access any
file on the server - file:///etc/passwd and so on

Am I missing something? :)

------------------------------------------------------------------------

[2009-10-22 17:05:44] quipo

-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: quipo
Make sure the 'lob_allow_url_include' options is set to false

------------------------------------------------------------------------

[2009-10-22 16:50:11] kingtom

Description:
------------
When passing a URL as the first parameter to $mdb2->quote, and 'clob'
as the second parameter, it actually fetches the URL.

Test script:
---------------
print $mdb2->quote("http://www.bbc.co.uk", "clob");

Expected result:
----------------
It should print 'http://www.bbc.co.uk'

Actual result:
--------------
It prints the source of http://www.bbc.co.uk

------------------------------------------------------------------------

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppear-bugs @
categoriesphp
postedDec 27, '09 at 11:39p
activeDec 27, '09 at 11:39p
posts1
users1
websitepear.php.net

1 user in discussion

L Alberton: 1 post

People

Translate

site design / logo © 2022 Grokbase