[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

Rich Lafferty rich@horde.org
Fri, 3 Aug 2001 13:21:10 -0400


On Fri, Aug 03, 2001 at 06:43:56PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> This behaviour can be verified on the IMP demo site at
> https://demo.horde.org/stable/horde/imp/
> 
> If a backslash is used in Preferences/Signature the backslash is
> "escaped" with a second backslash upon saving the Preferences.
> 
> This is done by the call to addslashes() in the file
> horde/imp/prefs.php3 in line 69:
> 
>  if (!(imp_set_signature(addslashes($signature), $imp->user, $imp->server))) {
> 
> If addslashes() is removed from that line, no second backslash is added.
> 
> The question is if this is safe to do there?

No, it's not, else you're letting people type SQL into their
signature. But I can't duplicate that here; what's the setting of
magic_quotes_gpc there?

(Er, we might wish to fix that on demo.horde.org, too, whoever's
maintaining that right now :-)

  -Rich 

-- 
Rich Lafferty --------------+-----------------------------------------------
 Montreal, Quebec, Canada   |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
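
The interaction discussed in this message, as an added example that is not part of the original post and not IMP or Horde code: a value already escaped by magic_quotes_gpc gets a second backslash from an unconditional addslashes(), while removing addslashes() leaves quotes unescaped when magic_quotes_gpc is Off. All function names are hypothetical; magic_quotes_gpc is simulated because current PHP no longer has it, and a backend that strips one level of backslash escaping from string literals is assumed.

```php
<?php
// Added illustration, not IMP/Horde code. All function names are hypothetical.

// Simulates what magic_quotes_gpc did to request data: one addslashes() pass.
function request_input(string $typed, bool $magicQuotes): string
{
    return $magicQuotes ? addslashes($typed) : $typed;
}

// Escape only if the input layer has not already escaped the value.
function escape_once(string $input, bool $magicQuotes): string
{
    return $magicQuotes ? $input : addslashes($input);
}

// Assumption: the SQL parser removes one level of backslash escaping
// from a string literal (MySQL-style); stripslashes() models that.
function stored_value(string $literal): string
{
    return stripslashes($literal);
}

// True if a single quote is not preceded by an escaping backslash,
// i.e. the value would terminate the SQL string literal early.
function has_unescaped_quote(string $s): bool
{
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '\\') { $i++; continue; }  // skip the escaped character
        if ($s[$i] === "'") { return true; }
    }
    return false;
}

$typed = 'Fritz\'s sig: C:\\temp';  // constructed sample: Fritz's sig: C:\temp

foreach ([false, true] as $mq) {
    $input = request_input($typed, $mq);
    printf("magic_quotes_gpc %s\n", $mq ? 'On' : 'Off');
    // prefs.php3 as quoted: addslashes() applied unconditionally
    printf("  addslashes() always : stored %s\n", stored_value(addslashes($input)));
    // addslashes() removed from that line
    printf("  addslashes() removed: quote reaches SQL unescaped? %s\n",
        has_unescaped_quote($input) ? 'yes' : 'no');
    // escape exactly once
    printf("  escape once         : stored %s\n", stored_value(escape_once($input, $mq)));
}
```

In current PHP, bound query parameters remove the need for either escaping step.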