Hi Arnaud,

I replied in the bug report, please check it again :)

Thanks for your feedback,
--Pierre

On 9/29/07, Arnaud.lb <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Here is a patch to fix bug #42718:
>
> http://bugs.php.net/?id=42718&edit=1
>
> The "unsafe_raw" filter is not applied when configured as default
> filter.
>
> I found that the php_sapi_filter() internal function in
> ext/filter/filter.c intentionally bypasses this filter:
>
> if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){
>  (apply default filter)
> } else [...]
>
> The unsafe_raw filter does nothing by default, but it
> can "optionally strip or encode special characters", and it is the
> only filter which is able to do that without doing any other
> filtering.
>
> I suggest not bypassing the unsafe_raw filter when default_filter_flags is
> different from 0 (bug42718.patch attached).
>
> I also wrote a test case for this bug: bug42718.phpt.
>
> And another test case (052.phpt) to check that the patch does not modify the
> behavior of the php_sapi_filter() function:
>
> - Apply filter, only if filter will do something (unsafe_raw with no
> flags does nothing)
> - Else, fallback to magic_quotes_gpc if enabled
>
> Regards
>
> --TEST--
> Bug #42718 (unsafe_raw filter not applied when configured as default filter)
> --SKIPIF--
> <?php if (!extension_loaded("filter")) die("skip"); ?>
> --INI--
> magic_quotes_gpc=0
> filter.default=unsafe_raw
> filter.default_flags=4
> --GET--
> a=1%00
> --FILE--
> <?php
> echo ini_get('filter.default') . "\n";
> echo ini_get('filter.default_flags') . "\n";
> echo addcslashes($_GET['a'],"\0") . "\n";
> ?>
> --EXPECT--
> unsafe_raw
> 4
> 1
>
> --TEST--
> fallback to magic_quotes when no filter is to be applied
> --SKIPIF--
> <?php if (!extension_loaded("filter")) die("skip"); ?>
> --INI--
> magic_quotes_gpc=1
> filter.default=unsafe_raw
> filter.default_flags=
> --GET--
> a=1%00
> --FILE--
> <?php
> echo ini_get('filter.default') . "\n";
> echo ini_get('filter.default_flags') . "\n";
> echo addcslashes($_GET['a'],"\0") . "\n";
> ?>
> --EXPECT--
> unsafe_raw
>
> 1\0
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

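To make the decision Arnaud describes concrete, here is an added, stand-alone C model (not code from ext/filter/filter.c) of the old and patched bypass condition in php_sapi_filter(), run over the "1%00" input from bug42718.phpt. It assumes PHP's numeric values FILTER_UNSAFE_RAW = 516 and FILTER_FLAG_STRIP_LOW = 4, and reduces the unsafe_raw filter to the STRIP_LOW behaviour the test exercises.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: numeric values as defined by PHP's ext/filter. */
#define FILTER_UNSAFE_RAW     516
#define FILTER_FLAG_STRIP_LOW 4   /* filter.default_flags=4 in bug42718.phpt */

/* Simplified unsafe_raw: with STRIP_LOW it drops bytes below 0x20 (NUL included),
 * otherwise it passes the value through untouched. */
static void unsafe_raw_apply(unsigned char *buf, size_t *len, long flags) {
    if (!(flags & FILTER_FLAG_STRIP_LOW)) return;
    size_t out = 0;
    for (size_t i = 0; i < *len; i++)
        if (buf[i] >= 0x20) buf[out++] = buf[i];
    *len = out;
}

/* Bypass condition before the patch: a default filter of unsafe_raw is
 * never applied, whatever default_flags says (this is bug #42718). */
int should_apply_before(long default_filter, long default_flags) {
    (void)default_flags;
    return default_filter != FILTER_UNSAFE_RAW;
}

/* Bypass condition after the patch: unsafe_raw is skipped only when it has
 * no flags, i.e. only when it would do nothing (then magic_quotes_gpc may
 * still run, as 052.phpt checks). */
int should_apply_after(long default_filter, long default_flags) {
    return default_filter != FILTER_UNSAFE_RAW || default_flags != 0;
}

/* Feeds the constructed GET value "1\0" (a=1%00) through the chosen decision
 * logic and returns the resulting length: 2 means the NUL survived, 1 means
 * the filter stripped it, matching the "1\0" vs "1" lines in the tests. */
size_t filtered_len(int (*decide)(long, long), long filter, long flags) {
    unsigned char buf[2] = { '1', '\0' };
    size_t len = sizeof buf;
    if (decide(filter, flags)) unsafe_raw_apply(buf, &len, flags);
    return len;
}

int main(void) {
    printf("before patch: %zu bytes\n", filtered_len(should_apply_before, FILTER_UNSAFE_RAW, 4));
    printf("after patch:  %zu bytes\n", filtered_len(should_apply_after, FILTER_UNSAFE_RAW, 4));
    return 0;
}
```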