ID: 42718
Updated by: [EMAIL PROTECTED]
Reported By: arnaud dot lb at gmail dot com
-Status: Open
+Status: Assigned
Bug Type: Filter related
PHP Version: 5.2.4
Assigned To: pajoye
New Comment:
Pierre, he is right, fix it. :)
Previous Comments:
------------------------------------------------------------------------
[2007-09-29 21:40:46] arnaud dot lb at gmail dot com
Thanks for your reply.
I'm trying to strip low ascii characters from GET/POST/COOKIE using
the filter extension, and the only way to do that is to use the
unsafe_raw filter with the FILTER_FLAG_STRIP_LOW flag.
The string filter can do that with the FILTER_FLAG_STRIP_LOW flag,
but it strips HTML tags too, and I don't want to strip HTML tags.
>From the documentation, about the unsafe_raw filter:
"Do nothing, optionally strip or encode special characters."
It works as expected using filter_var() for example:
filter_var("a <b> \000 c", FILTER_SANITIZE_STRING,
FILTER_FLAG_STRIP_LOW)
=> "a c" (the null char was striped, but the <b> tag too)
filter_var("a <b> \000 c", FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW)
=> "a <b> c" (only the null char was striped)
But it does not work as a default filter. The bug42718.phpt testcase
demonstrates that.
According to the documentation, I think that the unsafe_raw filter
may not be bypassed when default_flags are != 0. This is the only
change my patch do:
- if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)) {
+ if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW) ||
IF_G(default_filter_flags) != 0) {
------------------------------------------------------------------------
[2007-09-29 20:04:23] [EMAIL PROTECTED]
"The unsafe_raw filter does nothing by default, but it
can "optionally strip or encode special characters", and it is the
only filter which is able to do that without doing any other
filtering."
The string filter with the correct flags should work as you expected.
It is normal that the unsafe_raw filter does nothing.
What are you trying to achieve exactly? (ie using other filters but it
did not work as you expect)
------------------------------------------------------------------------
[2007-09-24 17:37:09] arnaud dot lb at gmail dot com
I made a little (one-line) patch for this bug:
https://s3.amazonaws.com/arnaud.lb/filter-bug-42718.patch.txt
And a testcase:
https://s3.amazonaws.com/arnaud.lb/bug42718.phpt.txt
And an other test case to check if the patch does not modify the
behavior of the php_sapi_filter() function:
- Apply filter, only if filter will do something (unsafe_raw with no
flags do nothing)
- Else, fallback to magic_quotes_gpc if enabled
https://s3.amazonaws.com/arnaud.lb/052.phpt.txt
------------------------------------------------------------------------
[2007-09-20 16:54:55] arnaud dot lb at gmail dot com
Description:
------------
The "unsafe_raw" filter is not applied when configured as default
filter.
I found that the php_sapi_filter() internal function in
ext/filter/filter.c intentionally bypass this filter:
if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){
(apply default filter)
} else [...]
The unsafe_raw filter does nothing by default, but it
can "optionally strip or encode special characters", and it is the
only filter which is able to do that without doing any other
filtering.
Reproduce code:
---------------
- Prints filter.default and filter.default_flags values,
- Check if $_GET['a'] contains a null byte (null bytes may be filtered
by FILTER_UNSAFE_RAW with the FILTER_FLAG_STRIP_LOW flag
- Check if $_GET['a'] though filter_input() with the same filter/flags
contains a null byte.
<?php
echo "filter.default = " . ini_get('filter.default') . " <br />\n";
echo "filter.default_flags = " . ini_get('filter.default_flags') . "
<br />\n";
echo "<br />";
echo "\$_GET['a'] contains \\0: " . (strpos($_GET['a'], "\0") !== false
? 'Yes' : 'No') . " <br />\n";
echo "<br />";
echo "\$_GET['a'] throught filter_var() contains \\0: " .
(strpos(filter_var($_GET['a'], FILTER_UNSAFE_RAW,
FILTER_FLAG_STRIP_LOW), "\0") !== false ? 'Yes' : 'No') . "<br />";
echo "<br />";
?>
Expected result:
----------------
filter.default: unsafe_raw
filter.default_flags: 4
$_GET['a'] contains \0: No
$_GET['a'] through filter_var() contains \0: No
Actual result:
--------------
filter.default: unsafe_raw
filter.default_flags: 4
$_GET['a'] contains \0: Yes
$_GET['a'] through filter_var() contains \0: No
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=42718&edit=1
