Joomla 3 magic_quotes_gpc = Off Requirement

[Nick Savov]

Hi everyone,

Joomla 3 is looking great!  Great job to everyone!

One concern that I have is the requirement of magic_quotes_gpc to Off during installation.  If you have a flexible host and they allow you to modify or override the php.ini, everything's OK (after a bit of work to make the code changes).  However, if you don't have a flexible host you might be stuck or have to migrate hosts.  Additionally, what happens when some of the 2.5 users start upgrading to 3.0?  We currently do not have a pre-upgrade check for magic_quotes_gpc = Off, so that would result in strange bugs.

In Joomla 2.5, magic_quotes_gpc to Off was not a requirement, but rather just a recommendation. In Joomla 3, it is a requirement.  I recommend that we make magic_quotes_gpc = Off a recommendation (rather than a requirement) for Joomla 3.

The con to making it a recommendation (rather than a requirement):
1) Those sites with magic_quotes_gpc = On, wouldn't run as fast as they would if it was Off.

The Pros to making it a recommendation (rather than a requirement):
1) Those sites with magic_quotes_gpc = On, would be able to use Joomla 3.

To me, the pro definitely outweighs the con.  Also, if they wanted to, they could go through the work of turning off magic_quotes_gpc (it just wouldn't be a requirement).

In short, it's a win/win situation for everyone if magic_quotes_gpc to Off was not a requirement, but rather just a recommendation.

If we decided to go that route, basically it would involve unescpaing all input data before we start to handle the request.

Kind regards,
Nick

[infograf768]

Indeed.
In fact, with the experience we have of the very slooooow move from most hosts to propose php 5 in the past years, we do know that it will take much time to gets hosts setting magic_quotes_gpc = Off. (Even Rochen does not do it on its shared servers)

We already have difficulties to get the the maority of our users to move from 1.5 to 2.5.
It is not the time IMHO to release an 3.x reserved to a few.

As far as I understand this requires some code change that could be done in CMS only

Regards
JM

[Amy Stephen]

Magic quotes is deprecated in PHP 5.3 and scheduled for removal in 5.4. IMO, it was a well intentioned, but bad idea that should be removed from PHP. It's best for the platform to manage escaping, rather than to rely upon (or have to discover and then undo) another "dumb" process for such an important function.

Couple of good resources:

• http://php.net/manual/en/security.magicquotes.php
• http://en.wikipedia.org/wiki/Magic_quotes

Not even sure this should be an installation check for the CMS, though, since the php.ini setting is automatically disabled during startup, even in the current release.

https://github.com/joomla/joomla-cms/blob/master/includes/framework.php#L11

Might be as simple as removing the check.

Might be better to discuss on the Platform list.

[Nick Savov]

Hi Amy,

Thanks for your thoughts on the matter!

Re:
https://github.com/joomla/joomla-cms/blob/master/includes/framework.php#L11

Looks like the code is checking for magic_quotes_runtime rather than
magic_quotes_gpc and that the two are different. If I try installing
Joomla 3 on our Rochen server, I can't get past the pre-install check
because magic_quotes_gpc = On, so the code:
@ini_set('magic_quotes_runtime', 0);

must not have an affect on magic_quotes_gpc.

As to PHP versions, Joomla 3 will still be supporting PHP 5.3.1+:
http://www.joomla.org/technical-requirements.html

so this is still an issue, IMO. At the very least, we need a pre-upgrade
check when users go from Joomla 2.5.x to Joomla 3.

What are your thoughts based on the above information?

Kind regards,
Nick

> Magic quotes is deprecated in PHP 5.3 and scheduled for removal in 5.4.
> IMO, it was a well intentioned, but bad idea that should be removed from
> PHP. It's best for the platform to manage escaping, rather than to rely
> upon (or have to discover and then undo) another "dumb" process for such
> an
> important function.
>
> Couple of good resources:
>

> - http://php.net/manual/en/security.magicquotes.php
> - http://en.wikipedia.org/wiki/Magic_quotes

> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! CMS Development" group.
> To view this discussion on the web, visit
> https://groups.google.com/d/msg/joomla-dev-cms/-/5GTURweINJIJ.
> To post to this group, send an email to joomla-...@googlegroups.com.
> To unsubscribe from this group, send email to
> joomla-dev-cm...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/joomla-dev-cms?hl=en-GB.
>
>

[Amy Stephen]

I would ask on the platform list if either the current 'runtime' is enough, or if 'gpc' can also be disabled and if disabling both would then effectively remove the need for the CMS to check the magic quotes configuration during install.

The platform is doing the escaping and my gut feel is they aren't going to want to add 'antiquated' magic quote text to the new JInput class. 

The CMS controls the boot sequence files (that I linked to) and very recently took control of the installation process - so if the platform team concurs, you might be able to bi-pass the install step due to what is there or, as you have pointed out, adding the gpc disable.

That would be ideal. But, it would be important to ask about this on the platform list since I am not certain and they are the ones to advise on this.

[Amy Stephen]

On Fri, Aug 10, 2012 at 3:06 PM, Amy Stephen <amyst...@gmail.com> wrote:

the platform team concurs, you might be able to bi-pass the install step

Meaning => you might be able to bypass the installer check for magic quotes.

In case that was confusing.

[Nick Savov]

Sounds good. Thank you, Amy! I'll write up something in the platform
list later today.

Kind regards,
Nick

[Amy Stephen]

Nick -

You are right, that line I pointed to during system bootup will not take care of this issue. magic_quotes_gpc must be handled at a system level. Here's a better reference on the gpc magic quotes http://www.php.net/manual/en/security.magicquotes.disabling.php

Maybe the platform will continue support for assuming this php directive is turned on (like example 2 on the link above.) Seems a shame to run all traffic through that logic to turn off what should have never been activated to begin with, it does penalize those sites using better hosts.

Or, maybe the CMS can add a system plugin that can be activated for such sites to disable the option? Not sure if an event fires at the right time, tho. Maybe the platform would add one if they don't want to add the escaping logic back?

If the installation requirement remains, the problem could be addressed by providing information to those who need it. Perhaps a little asterisk by the failed install option linking to a Wiki document that explains how to deactivate this option if ones host is forcing it on. example from Godaddy - http://support.godaddy.com/groups/web-hosting/forum/topic/how-to-turn-off-magic_quotes_gpc/?pc_split_value=4

Good luck!

On Friday, August 10, 2012 12:26:45 PM UTC-5, Nick Savov wrote:

[Beat]

Hi Nick,

Hi Jean-Marie,

I agree with you. Very good points.

Adding one more little vote for making GPC off NOT a requirement, but just a recommendation.

Why imho:

1) we want to spread Joomla as broad as possible, and thus user's mandatory hosting hassles should be kept as low as possible

2) the extra-cost to sites with GPC OFF is only a single "if" line statement, that is executed once when _REQUEST is parsed, so virtually nothing compared to rest of Joomla's heavy code.

3) a lot of people will migrate from 1.5 directly to 3.x, usually into a sub-folder, and having the requirement for a separate hosting setup is not really friendly.

Best Regards,

Beat

http://www.joomlapolis.com/

[Amy Stephen]

Beat -

Do you know where that single IF statement is? (Link please?)

Thanks,
Amy

[Marc Studer]

Hello,

I confirm. This pre-check blocks under MacOS MAMP.

I have try to set a php.ini with the "magic_quotes_gpc on" and "magic_quotes_runtime on"
and with a .htaccess with "php_flag magic_quotes_gpc on"

But it doesn't seems to work.

I will test harder ... but if a solution (like an hack on the famous "if" statment ( where ?)) can help, thank you.

[Rouven Weßling]

Uh, magic_quotes_gpc has to be off not on.

Rouven

> --
> You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.

> To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/Rz1hsu1QgyEJ.

[Marc Studer]

Hello,

LOL …. oops, thank you Rouven, i have read this topic... hum, but it seems that i won't be enough concentrate, i have replace Off by On in all my tests (oops) without really thinking about the meaning !

So, i correct my test, by just renaming the htaccess.txt by .htaccess and add the following command line at top of my .htaccess before launching Joomla installation, it works ok on MacOS MAMP :

php_flag magic_quotes_gpc off

Thank you for the help ;)

Now the question is (as it has been said earlier in this topic) : 

- does this pre-check will be maintain as we know that several hosters force the value at "On" ?

Kind regards

Marc

[Nick Savov]

Since I'm seeing a consensus, I've opened up a bug report for the issue:

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=29129

[Mario]

Be aware that turning magic_quotes_gpc to off for 3.0+ installation to be successful won't solve your problems. 

Changing the .htaccess file and placing it in in your installation directory, will allow the successful installation only but you'll find, later on, if your server is using php 5.3+, that it won't work and you'll get a bunch of bugs all over the place. with slashes ( \ ) being overloaded every time you save data that should quoted to the database. 

For instance, your script saves the data "The President's dog" and when you retrieve it from your db, it will be rendered as "The President\'s dog". Now save it again and again and you start getting "The President\\\\\\\\'s dog". Unless you place the similar .htaccess file in every directory, which is unthinkable, you'll find that you really have to change the server's php configuration and there turn magic_quotes_gpc to off.   

Severs running php 5.3+ should, by default have magic_quotes_gpc = off since, as it was mention above, the function is deprecated and scheduled for removal on php 5.4.

Mario

On Tuesday, November 13, 2012 3:34:14 PM UTC, Kakrona Chan wrote:

Hey guys!

Do you guys have any idea how to turn margic_quotes_gpc = off? I face this problem: https://picasaweb.google.com/lh/photo/0It6uGg-6kXO5xUQRMKsf9MTjNZETYmyPJy0liipFm0?feat=directlink

I try creating php.ini but it still doesn't work

[Nick Savov]

Hi Kakrona,

Sorry, but this list is for Joomla Core CMS developers and discussion of
how to improve the CMS. If you're still having the issue, you should
instead ask on the Joomla forum. Here's the direct link to it:
forum.joomla.org/

After posting on there, reply to this email with a link to the forum post
so that we can follow up and help you out on there.

Looking forward to helping.

Kind regards,
Nick

> Hey guys!
>
> Do you guys have any idea how to turn margic_quotes_gpc = off? I face this
> problem:
> https://picasaweb.google.com/lh/photo/0It6uGg-6kXO5xUQRMKsf9MTjNZETYmyPJy0liipFm0?feat=directlink
>
> I try creating php.ini but it still doesn't work
>

> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! CMS Development" group.
> To view this discussion on the web, visit

> https://groups.google.com/d/msg/joomla-dev-cms/-/MaRMmIsqO2oJ.