[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

Fritz Zaucker zaucker@ee.ethz.ch
Fri, 3 Aug 2001 22:06:18 +0200 (MET DST)


On Fri, 3 Aug 2001, Rich Lafferty wrote:

> On Fri, Aug 03, 2001 at 06:43:56PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:

> > This behaviour can be verified on the IMP demo site at
> > https://demo.horde.org/stable/horde/imp/
> >
> > If a backslash is used in Preferences/Signature the backslash is
> > "escaped" with a second backslash upon saving the Preferences.
> >
> > This is done by the call to addslashes() in the file
> > horde/imp/prefs.php3 in line 69:
> >
> >  if (!(imp_set_signature(addslashes($signature), $imp->user, $imp->server))) {
> >
> > If addslashes() is removed from that line, no second backslash is added.
> >
> > The question is if this is safe to do there?

> No, it's not, else you're letting people type SQL into their
> signature. But I can't duplicate that here; what's the setting of
> magic_quotes_gpc there?

test.php3?mode=phpinfo says:

       magic_quotes_gpc       Off  Off
       magic_quotes_runtime   Off  Off
       magic_quotes_sybase    Off  Off

> (Er, we might wish to fix that on demo.horde.org, too, whoever's
> maintaining that right now :-)

Perhaps there is something fundamentally wrong? According to the PHP
manual http://www.php.net/manual/en/function.addslashes.php
addslashes() DOES escape backslashes.

According to the comments on this man page (jlp on 16-Aug-2000 05:54):

    Note that the escaping style used by addslashes depends on the
    configuration variable magic_quotes_sybase-- even if
    magic_quotes_gpc and magic_quotes_runtime are disabled.

His example shows that if magic_quotes_sybase is 0 backslashes are
escaped, if it is set to 1 they are not. But this variable also
changes the escaping of ' and ", so it is not clear to me what would
be required here.

Rich, I assume you have magic_quotes_sybase On on your system and it
is Off on demo.horde.org (as it is here on my system).

Perhaps the cleanest solution would be to set this variable
explicitly where a certain behaviour is needed.

Fritz

-- 
Dr. Fritz Zaucker, Head IT Support Group
Department of Electrical Engineering,  Federal Institute of Technology
ETZ J97, Gloriastrasse 35, CH-8092 Zurich, Switzerland
Tel.: +41-1-632-5241 Fax: +41-1-632-1194 http://people.ee.ethz.ch/~zaucker/
E-mail: zaucker@ee.ethz.ch (see home page for PGP key)
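The behaviour discussed above, as an added example that is not part of this thread and not IMP/Horde code: a Python model of PHP 4's addslashes() under both magic_quotes_sybase settings, showing why a signature containing a backslash comes back doubled (and keeps growing on every save) when the backend stores the escaped string verbatim, why it round-trips correctly when the backend un-escapes a quoted SQL literal, why magic_quotes_gpc=On double-escapes even then, and why simply dropping addslashes() lets a quote terminate the SQL literal. addslashes() and stripslashes() re-implement the PHP semantics the thread cites; the two save_* backends are constructed stand-ins for imp_set_signature(), whose real storage behaviour is not shown in the thread, and the signature values are constructed input.

```python
"""Added example (not IMP/Horde code): a Python model of PHP 4's addslashes()
under both magic_quotes_sybase settings, used to show why a backslash in the
IMP signature comes back doubled and why dropping addslashes() is unsafe.
addslashes()/stripslashes() re-implement the PHP semantics the thread cites;
the two save_* backends are constructed stand-ins for imp_set_signature(),
whose real storage behaviour is not shown in the thread.
"""


def addslashes(s: str, magic_quotes_sybase: bool = False) -> str:
    """PHP 4 addslashes(): with magic_quotes_sybase off, prefix ' " and \\
    with a backslash; with it on, double ' and leave \\ and " untouched.
    NUL becomes \\0 in both modes."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif magic_quotes_sybase:
            out.append("''" if ch == "'" else ch)
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """PHP stripslashes(): undo one level of backslash escaping."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# Constructed backends standing in for imp_set_signature():
def save_verbatim(escaped: str) -> str:
    """Backend that stores exactly the bytes it is handed (flat file, or a
    driver that does its own quoting): the addslashes() escaping survives."""
    return escaped


def save_as_sql_literal(escaped: str) -> str:
    """MySQL-style backend: the escaped string goes inside a '...' literal and
    the server removes the escaping, so the stored value is the original."""
    return stripslashes(escaped)


def prefs_save(signature, backend, magic_quotes_gpc=False, magic_quotes_sybase=False):
    """Mirror of prefs.php3 line 69: imp_set_signature(addslashes($signature)).
    With magic_quotes_gpc on, PHP has already applied addslashes() to the
    POSTed value before the script sees it."""
    posted = addslashes(signature, magic_quotes_sybase) if magic_quotes_gpc else signature
    return backend(addslashes(posted, magic_quotes_sybase))


def resave(signature, times, backend, **cfg):
    """Save, read back, and save again: shows whether escaping accumulates."""
    for _ in range(times):
        signature = prefs_save(signature, backend, **cfg)
    return signature


def terminates_literal(escaped: str) -> bool:
    """Read `escaped` as the body of a MySQL '...' literal and report whether a
    quote would close the literal early (i.e. SQL could be injected)."""
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            i += 2                      # backslash escapes the next character
        elif escaped[i] == "'":
            if escaped[i + 1:i + 2] == "'":
                i += 2                  # '' is an escaped quote
            else:
                return True
        else:
            i += 1
    return False


if __name__ == "__main__":
    sig = r"C:\temp"                    # constructed signature with one backslash
    print(prefs_save(sig, save_verbatim))                               # C:\\temp  (the bug)
    print(prefs_save(sig, save_verbatim, magic_quotes_sybase=True))     # C:\temp   (no repro)
    print(prefs_save(sig, save_as_sql_literal))                         # C:\temp   (round trip)
    print(prefs_save(sig, save_as_sql_literal, magic_quotes_gpc=True))  # C:\\temp  (double escaping)
    print(resave(sig, 3, save_verbatim))                                # eight backslashes
    print(terminates_literal("x', admin='1"), terminates_literal(addslashes("x', admin='1")))
```

The model reproduces both observations in the thread: with magic_quotes_sybase off, addslashes() turns `\` into `\\`, and if the backend keeps that string as-is the doubling is visible on the next read and compounds on each save; with magic_quotes_sybase on, backslashes are left alone, which is consistent with the bug not reproducing on a host that has that setting enabled. It also shows the two sides of the fix: escaping must happen exactly once, at the layer that actually builds the SQL literal, and it must not be removed, since an unescaped `'` closes the literal.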