ID: 42718 Updated by: [EMAIL PROTECTED] Reported By: arnaud dot lb at gmail dot com -Status: Open +Status: Feedback Bug Type: Filter related PHP Version: 5.2.4 -Assigned To: +Assigned To: pajoye New Comment:
"The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering." The string filter with the correct flags should work as you expected. It is normal that the unsafe_raw filter does nothing. What are you trying to achieve exactly? (ie using other filters but it did not work as you expect) Previous Comments: ------------------------------------------------------------------------ [2007-09-24 17:37:09] arnaud dot lb at gmail dot com I made a little (one-line) patch for this bug: https://s3.amazonaws.com/arnaud.lb/filter-bug-42718.patch.txt And a testcase: https://s3.amazonaws.com/arnaud.lb/bug42718.phpt.txt And an other test case to check if the patch does not modify the behavior of the php_sapi_filter() function: - Apply filter, only if filter will do something (unsafe_raw with no flags do nothing) - Else, fallback to magic_quotes_gpc if enabled https://s3.amazonaws.com/arnaud.lb/052.phpt.txt ------------------------------------------------------------------------ [2007-09-20 16:54:55] arnaud dot lb at gmail dot com Description: ------------ The "unsafe_raw" filter is not applied when configured as default filter. I found that the php_sapi_filter() internal function in ext/filter/filter.c intentionally bypass this filter: if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){ (apply default filter) } else [...] The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering. Reproduce code: --------------- - Prints filter.default and filter.default_flags values, - Check if $_GET['a'] contains a null byte (null bytes may be filtered by FILTER_UNSAFE_RAW with the FILTER_FLAG_STRIP_LOW flag - Check if $_GET['a'] though filter_input() with the same filter/flags contains a null byte. <?php echo "filter.default = " . ini_get('filter.default') . " <br />\n"; echo "filter.default_flags = " . ini_get('filter.default_flags') . " <br />\n"; echo "<br />"; echo "\$_GET['a'] contains \\0: " . (strpos($_GET['a'], "\0") !== false ? 'Yes' : 'No') . " <br />\n"; echo "<br />"; echo "\$_GET['a'] throught filter_var() contains \\0: " . (strpos(filter_var($_GET['a'], FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW), "\0") !== false ? 'Yes' : 'No') . "<br />"; echo "<br />"; ?> Expected result: ---------------- filter.default: unsafe_raw filter.default_flags: 4 $_GET['a'] contains \0: No $_GET['a'] through filter_var() contains \0: No Actual result: -------------- filter.default: unsafe_raw filter.default_flags: 4 $_GET['a'] contains \0: Yes $_GET['a'] through filter_var() contains \0: No ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42718&edit=1
