[Tickets #2826] NEW: Password is set wrong because of addslashes/magic_quotes_gpc

bugs@bugs.horde.org bugs at bugs.horde.org
Fri Oct 21 12:07:45 PDT 2005 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=2826
-----------------------------------------------------------------------
 Ticket             | 2826
 Created By         | jonathan at gretchen.dyndns.info
 Summary            | Password is set wrong because of addslashes/magic_quotes_gpc
 Queue              | Horde Base
 Version            | 3.0.4
 State              | Unconfirmed
 Priority           | 3. High
 Type               | Bug
 Owners             | 
-----------------------------------------------------------------------


jonathan at gretchen.dyndns.info (2005-10-21 12:07) wrote:

i use horde3 with imp4 with imap. in horde i use 'basic auth' as
authentication. My password contains characters which are quoted by php.
>From manual this is the default behavior [1]. But if horde uses these
credentials for imp to log to an imap-server, the password is wrong, because
of to much '\'. So i think you have to check with get_magic_quotes_gpc(), if
an stripslash is necessary or not.

file lib/Horde/Auth/http.php,in function transparent()

my function look like this:
    function transparent()
    {
        if (!empty($_SERVER['PHP_AUTH_USER']) &&
            !empty($_SERVER['PHP_AUTH_PW'])) {

            if (get_magic_quotes_gpc()){
                $this->setAuth($_SERVER['PHP_AUTH_USER'],
                           array('password' =>
stripslashes($_SERVER['PHP_AUTH_PW']),
                                 'transparent' => 1));
            } else {
                $this->setAuth($_SERVER['PHP_AUTH_USER'],
                           array('password' => $_SERVER['PHP_AUTH_PW'],
                                 'transparent' => 1));
            }
            return true;
        }

        $this->_setAuthError(AUTH_REASON_MESSAGE, _("HTTP Authentication not
found."));
        return false;
    }


[1] http://php.speedbone.de/manual/en/function.addslashes.php
 The PHP directive  magic_quotes_gpc is on by default, and it essentially
runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes()
on strings that have already been escaped with magic_quotes_gpc as you'll
then do double escaping. The function get_magic_quotes_gpc() may come in
handy for checking this.

More information about the bugs mailing list