PHP 5.2.7 *BEWARE* magic_quotes_gpc broken

Two days ago I blogged about the release of PHP 5.2.7 and how it fixes several security bugs. Because some are mentioned and some are not mentioned in the Changelog, it is usually advised to upgrade to new PHP versions instead of using distribution packages with security backports. The problem with security backports and incomplete changelogs is that security bugs not being mentioned in the changelog are unknown to the distributions and therefore the necessary fixes will not be backported.

But now it turns out that upgrading to PHP 5.2.7 is not a good idea either, because a change in the ext/filter extension that by default processes all incoming data, broke the magic_quotes_gpc feature. While magic_quotes_gpc itself is deprecated and it is recommended to not rely on it as protection against SQL injection, it is still used in many legacy applications that become very insecure once it is turned off. And exactly that happens with the upgrade to PHP 5.2.7. The fix for this was already committed to the PHP CVS and PHP 5.2.8 will be released next week.

Administrators should be able to protect against this until the release of PHP 5.2.8 by recompiling PHP and disabling ext/filter.