Last modified: 2011-08-31 23:17:08 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 4381 - Magic quotes cleaning is not comprehensive, key strings not unescaped
Magic quotes cleaning is not comprehensive, key strings not unescaped
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.5.x
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Edward Z. Yang
: patch, patch-reviewed
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-24 22:25 UTC by Edward Z. Yang
Modified: 2011-08-31 23:17 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch that fixes bug, based on comment in PHP manual (3.09 KB, patch)
2005-12-24 23:01 UTC, Edward Z. Yang
Details
Patch fixes bug, handles issues 1 and 2 completely (3.17 KB, patch)
2005-12-31 18:11 UTC, Edward Z. Yang
Details

Description Edward Z. Yang 2005-12-24 22:25:05 UTC
We all know that magic_quotes_gpc is quite evil, but most of us have made some
gpc cleaners and hope for the best. MediaWiki's GPC cleaner does not clean array
values correctly: it mishandles url arrays. For instance: submitting
value[key's] will be returned as value[key\'s].

This behavior is extensively documented at the PHP manual here:
http://us3.php.net/manual/en/function.get-magic-quotes-gpc.php

I understand magic_quotes compatibility is not of utmost concern because
MediaWiki is primarily an in-house application, and magic_quotes is probably
disabled on all your servers. Furthermore, MediaWiki rarely uses arrays in
posts, mitigating the problem further. However, for extension authors, this can
cause some hard to diagnose problems.

I'll be understanding if this is marked WONTFIX, and I'm working on a patch. Thanks.
Comment 1 Edward Z. Yang 2005-12-24 23:01:50 UTC
Created attachment 1233 [details]
Patch that fixes bug, based on comment in PHP manual

This patch, upon casual testing, fixes the bug. It was based on php at
kaiundina dot de's comment on the PHP manual at
http://us3.php.net/manual/en/function.get-magic-quotes-gpc.php
Comment 2 Ævar Arnfjörð Bjarmason 2005-12-27 19:04:23 UTC
(In reply to comment #1)
> Created an attachment (id=1233) [edit]
> Patch that fixes bug, based on comment in PHP manual

1. Use version_compare() to compare php versions, it's much more reliable
2. Use tabs not spaces for indenting
3. Did you concact the author for permission to use the code? Just because
something is in a php manual comment doesn't mean we have permission to publish
it under the GPL
Comment 3 Edward Z. Yang 2005-12-27 23:57:16 UTC
(In reply to comment #2)
> 1. Use version_compare() to compare php versions, it's much more reliable
> 2. Use tabs not spaces for indenting

I'll fix that in the patch.

> 3. Did you concact the author for permission to use the code? Just because
> something is in a php manual comment doesn't mean we have permission to publish
> it under the GPL

According to the comment posting guidelines:

> This means that any note submitted here becomes the property of the PHP
Documentation Group.

I believe this means they are covered under the copyright license here:
http://us3.php.net/manual/en/copyright.php which states the manual is under the
Open Publication License. This license is largely compatible with GNU GPL (see
http://www.gnu.org/licenses/license-list.html ) as long as Section VI is not
invoked. However, according to their copyright page, these sections are being
invoked, and so I'm not really sure what is going on.

I'm not even sure if it would be possible to rewrite the functions: they're
pretty compact and if you use the information kaiundina offered, you're bound to
get the same implementation.

I'll handle the other two issues and submit another revision of the patch.
Comment 4 Edward Z. Yang 2005-12-31 18:11:36 UTC
Created attachment 1252 [details]
Patch fixes bug, handles issues 1 and 2 completely

New patch, handles issues one and two, and sort of handles three, if variable
renaming can be considered not using the code.
Comment 5 Edward Z. Yang 2006-01-02 03:51:48 UTC
Okay. I have come to the conclusion that, essentially, the two clauses that make
the Open Publication License incompatible with GFDL apply *only* to the
documents not code, and therefore, can be ignored when dealing with code
snippets, making the license COMPATIBLE with the GFDL. However, the nebulousness
of the Open Document to Open Code bridge makes things, to say the least,
interesting.

I sent an email to the webmaster of the PHP website and the creator of the code
snippet. Here are the relevant snippets of their emails:

Gabor Hojtsy wrote:
> As our note submission page states, the notes are considered property of
> the documentation group (this only means that we are not crediting
> submitters whose notes are integrated into the manual). All submitted
> notes are under the same license as the manual for the very same reason.
> Whether our license is GPL compatible is a good question. You can look
> for some analysis on the net. Since the documentation is licensed as
> content, not as source code, it is not really straigforward to compare
> the documentation license with the GPL.

Kai Giebeler wrote:
> Feel free to use the code in your project wherever you like.

This is a bit too mind boggling. Do you suppose there is any possible way to
rewrite the entire thing so we can bypass this copyright catastrophe? Also, is
this code snippet copyrightable? This sort of code is given in the context that
you take it and build upon it without regard to source (like Public Domain).
And, of course, Does anyone really care?

Which is why I'm willing to rewrite the whole thing in order to dodge these
thorny licensing issues. If only I knew *how*.
Comment 6 Niklas Laxström 2009-02-28 17:10:22 UTC
Patch is outdated. Does the current version of MediaWiki have any problems with unescaping?
Comment 7 Edward Z. Yang 2009-02-28 20:53:15 UTC
It probably still does, but at this point, I don't care about the patch anymore, and would be happy to see this as a WONTFIX.
Comment 8 p858snake 2011-04-30 00:09:30 UTC
*Bulk BZ Change: +Patch to open bugs with patches attached that are missing the keyword*
Comment 9 John Du Hart 2011-08-31 23:17:08 UTC
Fixed in r95921

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links