Magic Quotes Research Help Needed


elin

Sep 14, 2012, 10:45:17 AM
to joomla-...@googlegroups.com
Hi,

As many people know, we do have a magic quotes challenge with J3, which is that the platform (especially JInput and JRequest) requires them to be off. Since part of the point of a major release is to update to the newest platform, overriding or doing something else like that seems self-defeating.

So, we know that some hosts force MQ on and we can all hope that this release encourages them to change this practice. But in the meantime, for people providing support in the forums this is going to be somewhat of a nightmare, although helped by the fact that people won't get update notices by default since it is an STS release.

Nonetheless, I think it would help everyone who tries to help users if we had a list of hosts with known magic quote issues that we could check against when someone reports having //////' saved in their articles.

In some cases we have contact people at specific hosts who we might be able to talk to about this, but in the meantime let's at least make it easier for people helping in the forums.

So, if you do know of such a host, would you please add it to the list here:



Thanks as always,

Elin 

Nick Savov

Sep 14, 2012, 1:48:44 PM
to joomla-...@googlegroups.com
I would rather we remove the requirement. What's best for the platform is
not necessarily best for our users.

I've opened up a tracker for it at:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=29129

Kind regards,
Nick

elin

Sep 14, 2012, 2:21:51 PM
to joomla-...@googlegroups.com
Do you understand that people would be saving broken text if we just didn't check? 
Have you prepared a patch to override JInput and JRequest?

Nick Savov

Sep 14, 2012, 3:32:14 PM
to joomla-...@googlegroups.com
1) Please see my bug report. I mention in there that a patch for it would
need to unescape all input data before we start to handle the request.

2) If I had a patch, wouldn't I have posted it in the bug tracker item
already? I don't think it's fair to call me out for not preparing a patch
when I don't know how to. Currently, all I'm able to do is report the
issue, so that's what I've done.

Kind regards,
Nick

Nick Savov

Sep 14, 2012, 3:37:38 PM
to joomla-...@googlegroups.com
p.s. Some bug squad members are having issues turning off magic quotes
gpc. If bug squad members are having issues, imagine what a beginner
would feel like.

Also, keep in mind that there is currently no pre-upgrade check for magic
quotes gpc from 2.5 to 3.0.

elin

Sep 14, 2012, 4:34:50 PM
to joomla-...@googlegroups.com
Exactly, we need to make sure to check and make sure they do not successfully install. They need to either get support from their hosts or they need to install 2.5, which is what we're suggesting anyway.

If you have a patch to provide a compatibility layer, post it and people will test during the PBF; in the meantime we need to deal with the current state of the codebase.

Elin

Mark Dexter

Sep 14, 2012, 4:36:53 PM
to joomla-...@googlegroups.com
Magic quotes has been deprecated in PHP 5.3 and removed in PHP 5.4.
The PHP folks are being about as clear as they can be that this
feature is on the way out. Given this, is it a good idea for Joomla to
continue supporting it for our latest version 3.0?

Please bear in mind that Joomla 3.0 is NOT for everyone, especially
people with hosts who are years behind with their software versions.
People will have 1.5 to 2 years to move to version Joomla 3.5.
Hopefully this will give people's hosts time to get up to date.

Mark

Nick Savov

Sep 14, 2012, 4:46:51 PM
to joomla-...@googlegroups.com
A pre-install check is one option. The other option is what I suggested,
which I think will be a smoother experience for Joomla's users, especially
beginners.

What's so bad about fixing this issue, rather than leaving it and
creating documentation for the many hosts out there and their unique
setups? Why is there so much resistance? Do you see any cons in what I
proposed other than the fact that there isn't yet a patch?

By the way, Rouven did say a while back that he would post a patch for it
as soon as he had time.

Kind regards,
Nick

Mark Dexter

Sep 14, 2012, 4:57:54 PM
to joomla-...@googlegroups.com
If there is an easy fix that is forward compatible to 5.4, that's
great. Let's get it in. Do we know all of the issues that will come up
using the platform with magic quotes on? I would guess not, and so we
don't know how much time this will take to resolve and support. Every
hour we spend on this is an hour not spent on other bugs and features.

I think the "resistance" is how much time we want to spend supporting
a feature that has been deprecated and is being eliminated.

Mark

Rouven Weßling

Sep 14, 2012, 5:03:52 PM
to joomla-...@googlegroups.com

On 14.09.2012, at 22:46, Nick Savov <ni...@iowawebcompany.com> wrote:

> By the way, Rouven did say a while back that he would post a patch for it
> as soon as he had time.

I said I'd look into it and that I did.

There are several snippets to remove the slashes in the comments in the PHP documentation (for example here http://php.net/manual/en/function.get-magic-quotes-gpc.php) and I tested a couple of them. On some casual testing they were successful in removing the extra slashes. However, I'm rather uncomfortable with the side effects. Other libraries (phpmailer for starters) also detect magic quotes to work around them. However, what we'd create is a state where magic_quotes_gpc is on - but the data isn't escaped. Personally I'm not comfortable doing this since this has both security (a library may not properly escape some data because it should be already handled by magic_quotes_gpc) and data integrity (removing slashes that are part of the input data) issues.

I think this is a place where evangelism is the better option. If this is desired I'd volunteer to contact the dozen or so biggest hosters in my country (Germany) after the release and inform them of the updated system requirements - if possible on behalf of Joomla/OSM. If others would do the same for their country we may be able to at least get into a place where hosters are prepared for the support requests.

Best regards
Rouven
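
The state described in the message above (magic_quotes_gpc still reported as on while the request data has already been unescaped), as an added example that is not code from this thread or from Joomla. All function names are hypothetical, magic quotes are simulated with addslashes() so it runs on current PHP, and the sample input is constructed.

```php
<?php
// Added illustration; every function name below is hypothetical.
// magic_quotes_gpc no longer exists, so its effect is simulated with addslashes().

// What PHP applied to GET/POST/COOKIE values when magic_quotes_gpc was on.
function simulateMagicQuotes(string $raw): string
{
    return addslashes($raw);
}

// Compatibility layer under discussion: unescape all input once, up front.
function compatLayerUnescape(string $value): string
{
    return stripslashes($value);
}

// Library that works around magic quotes by checking the ini flag.
function libraryNormalize(string $value, bool $flagOn): string
{
    return $flagOn ? stripslashes($value) : $value;
}

// Library that trusts the flag and skips its own escaping when it is on.
function libraryBuildQuery(string $value, bool $flagOn): string
{
    $safe = $flagOn ? $value : addslashes($value);
    return "SELECT id FROM authors WHERE name = '" . $safe . "'";
}

$flagOn = true;                              // the flag still reads as on after the layer runs
$typed  = 'C:\\temp\\new by O\'Reilly';      // constructed input: C:\temp\new by O'Reilly

$received = simulateMagicQuotes($typed);     // what PHP hands to the application
$cleaned  = compatLayerUnescape($received);  // compat layer restores the typed text

// Data integrity: the library strips again and removes real backslashes.
$twice = libraryNormalize($cleaned, $flagOn);

// Security: the library assumes escaping already happened and adds none.
$query = libraryBuildQuery($cleaned, $flagOn);

foreach (compact('typed', 'received', 'cleaned', 'twice', 'query') as $name => $v) {
    printf("%-9s %s\n", $name, $v);
}
```

The `twice` line loses the backslashes that were part of the typed path, and the `query` line carries an unescaped apostrophe inside its string literal.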

Mark Dexter

Sep 14, 2012, 5:10:13 PM
to joomla-...@googlegroups.com
This seems like a significant risk to me. I don't think it's worth
incurring potential security issues to support a deprecated,
soon-to-be-eliminated feature that most PHP experts say was a mistake
to begin with.

I agree that working with hosts seems to be a better way to go. And we
have time for hosts to get up to speed.

In the meantime, we could start a list of hosts in the wiki with
whether or not they are compatible with Joomla 3.0. That might be a
way to spur them on.

Mark

Nick Savov

Sep 14, 2012, 5:15:59 PM
to joomla-...@googlegroups.com
Alright, I'm in. Let's start preparing the documentation.

I'll close that bug report and open up another one for a pre-upgrade check
for magic quote gpc to Off for 2.5 to 3.0. I remember seeing one by
Michael for a PHP check, so we might be able to couple it with that one.

Thank you Elin, Mark, and Rouven!

Kind regards,
Nick


brian teeman

Sep 14, 2012, 5:41:05 PM
to joomla-...@googlegroups.com
FYI I had an issue with a host where they didn't explicitly state on or off for magic_quotes and the installer failed on that.
But they fixed it within seconds of it being reported.



Michael Babker

Sep 14, 2012, 5:52:34 PM
to joomla-...@googlegroups.com
FYI, that upgrade check won't execute early enough in the process to block
the upgrade the way everything is processed if you're using the update
component (I need to re-test installing the package via the extension
manager to see what happens). Hence the reason I released a stand-alone
app to tell users this info (https://github.com/mbabker/J30UpgradeCheck,
shared on the Bug Squad list a few days ago). That's the best solution I
can give until we can at least make the upgrade script's preflight method
available to the upgrade component before all the files are FTP'd up.


Nick Savov

Sep 14, 2012, 6:01:43 PM
to joomla-...@googlegroups.com
Thanks Michael!

Can we do the upgrade check within the component before clicking the
update button? If the upgrade check fails, no upgrade button displays.

Kind regards,
Nick

Michael Babker

Sep 14, 2012, 6:04:45 PM
to joomla-...@googlegroups.com
Doing that would require us to make the changes in the component that we'd
explicitly need to do so and to release 2.5.8. 2.5.8 would be the only
supported version in upgrading at that point since it would be able to do
all the dependency checks. That's not to say you couldn't upgrade from
earlier 2.5 versions, but you lose out on that failsafe if your
environment is unsupported.

elin

Sep 14, 2012, 8:58:13 PM
to joomla-...@googlegroups.com
Personally I think it's worth doing a 2.5.8 if we get that as a benefit.

One of my thoughts is that this week we'll draft some kind of email and announcement directed to hosts warning them of this, because I think they'll be getting lots of support tickets.

Elin

Nick Savov

Sep 20, 2012, 9:52:07 AM
to joomla-...@googlegroups.com
+1. It would be 50x+ better than what we have now.