From: arnaud dot lb at gmail dot com
Operating system:
PHP version: 5.2.4
PHP Bug Type: Filter related
Bug description: "unsafe_raw" not applied as default filter

Description:
------------
The "unsafe_raw" filter is not applied when configured as default filter.

I found that the php_sapi_filter() internal function in ext/filter/filter.c intentionally bypasses this filter:

if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){
    (apply default filter)
} else [...]

The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering.

Reproduce code:
---------------
- Prints filter.default and filter.default_flags values,
- Check if $_GET['a'] contains a null byte (null bytes may be filtered by FILTER_UNSAFE_RAW with the FILTER_FLAG_STRIP_LOW flag),
- Check if $_GET['a'] through filter_input() with the same filter/flags contains a null byte.

<?php
// Show the configured default filter and its flags
echo "filter.default = " . ini_get('filter.default') . " <br />\n";
echo "filter.default_flags = " . ini_get('filter.default_flags') . " <br />\n";
echo "<br />";

// Raw superglobal value: should already be filtered if the default filter were applied
echo "\$_GET['a'] contains \\0: " . (strpos($_GET['a'], "\0") !== false ? 'Yes' : 'No') . " <br />\n";
echo "<br />";

// Same value passed explicitly through the same filter and flag
echo "\$_GET['a'] through filter_var() contains \\0: " . (strpos(filter_var($_GET['a'], FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW), "\0") !== false ? 'Yes' : 'No') . "<br />";
echo "<br />";
?>

Expected result:
----------------
filter.default: unsafe_raw
filter.default_flags: 4
$_GET['a'] contains \0: No
$_GET['a'] through filter_var() contains \0: No

Actual result:
--------------
filter.default: unsafe_raw
filter.default_flags: 4
$_GET['a'] contains \0: Yes
$_GET['a'] through filter_var() contains \0: No

--
Edit bug report at http://bugs.php.net/?id=42718&edit=1
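
Added example, not part of the original report and not PHP project code: while the SAPI hook skips unsafe_raw, an application can apply the configured filter and flags itself before using request data. The helper names configured_filter() and filter_recursive() and the sample array are assumptions made for illustration.

```php
<?php
// Read filter.default / filter.default_flags from the ini configuration.
// Falls back to unsafe_raw with no flags when the values are unset.
function configured_filter()
{
    $name = ini_get('filter.default');
    $id   = $name ? filter_id($name) : false;
    if ($id === false || $id === null) {
        $id = FILTER_UNSAFE_RAW;
    }
    return array($id, (int) ini_get('filter.default_flags'));
}

// Apply one filter and flag set to every scalar in a (possibly nested)
// request array. Array keys are left untouched; only values are filtered.
function filter_recursive($value, $id, $flags)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = filter_recursive($v, $id, $flags);
        }
        return $out;
    }
    return filter_var($value, $id, $flags);
}

// Constructed sample standing in for $_GET; "\0" is the byte the report tests for.
$sample = array(
    'a'    => "report\0.txt",
    'list' => array("x\x01y", 'plain'),
);

// Same filter and flag as the report (filter.default_flags = 4).
// FILTER_FLAG_STRIP_LOW removes every byte below 32, so tabs and newlines go too.
$clean = filter_recursive($sample, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);

echo "raw 'a' contains \\0: "
    . (strpos($sample['a'], "\0") !== false ? 'Yes' : 'No') . "\n";
echo "filtered 'a' contains \\0: "
    . (strpos($clean['a'], "\0") !== false ? 'Yes' : 'No') . "\n";

// In an application, early in the request, using the ini values:
// list($id, $flags) = configured_filter();
// $_GET = filter_recursive($_GET, $id, $flags);
```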