ID: 42718 User updated by: arnaud dot lb at gmail dot com -Summary: "unsafe_raw" not applied has default filter Reported By: arnaud dot lb at gmail dot com Status: Open Bug Type: Filter related PHP Version: 5.2.4 New Comment:
I made a little (one-line) patch for this bug: https://s3.amazonaws.com/arnaud.lb/filter-bug-42718.patch.txt And a testcase: https://s3.amazonaws.com/arnaud.lb/bug42718.phpt.txt And an other test case to check if the patch does not modify the behavior of the php_sapi_filter() function: - Apply filter, only if filter will do something (unsafe_raw with no flags do nothing) - Else, fallback to magic_quotes_gpc if enabled https://s3.amazonaws.com/arnaud.lb/052.phpt.txt Previous Comments: ------------------------------------------------------------------------ [2007-09-20 16:54:55] arnaud dot lb at gmail dot com Description: ------------ The "unsafe_raw" filter is not applied when configured as default filter. I found that the php_sapi_filter() internal function in ext/filter/filter.c intentionally bypass this filter: if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){ (apply default filter) } else [...] The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering. Reproduce code: --------------- - Prints filter.default and filter.default_flags values, - Check if $_GET['a'] contains a null byte (null bytes may be filtered by FILTER_UNSAFE_RAW with the FILTER_FLAG_STRIP_LOW flag - Check if $_GET['a'] though filter_input() with the same filter/flags contains a null byte. <?php echo "filter.default = " . ini_get('filter.default') . " <br />\n"; echo "filter.default_flags = " . ini_get('filter.default_flags') . " <br />\n"; echo "<br />"; echo "\$_GET['a'] contains \\0: " . (strpos($_GET['a'], "\0") !== false ? 'Yes' : 'No') . " <br />\n"; echo "<br />"; echo "\$_GET['a'] throught filter_var() contains \\0: " . (strpos(filter_var($_GET['a'], FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW), "\0") !== false ? 'Yes' : 'No') . "<br />"; echo "<br />"; ?> Expected result: ---------------- filter.default: unsafe_raw filter.default_flags: 4 $_GET['a'] contains \0: No $_GET['a'] through filter_var() contains \0: No Actual result: -------------- filter.default: unsafe_raw filter.default_flags: 4 $_GET['a'] contains \0: Yes $_GET['a'] through filter_var() contains \0: No ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42718&edit=1
