ID: 42718
Updated by: [EMAIL PROTECTED]
Reported By: arnaud dot lb at gmail dot com
Status: Open
Bug Type: Filter related
Operating System: *
PHP Version: 5CVS-2008-11-01
Assigned To: lbarnaud
New Comment:

This is a proposed fix for this bug that will keep old behavior. Another fix could be simply to test IF_G(default_filter_flags) against FILTER_FLAG_NO_ENCODE_QUOTES instead of 0.

http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch

Previous Comments:
------------------------------------------------------------------------

[2008-12-06 17:18:40] [EMAIL PROTECTED]

Reopening, this patch broke magic_quotes_gpc and has been backed out.

------------------------------------------------------------------------

[2008-11-02 22:07:23] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2008-11-02 13:06:39] [EMAIL PROTECTED]

Arnaud, fix it yourself.

------------------------------------------------------------------------

[2007-09-30 06:29:17] [EMAIL PROTECTED]

Pierre, he is right, fix it. :)

------------------------------------------------------------------------

[2007-09-29 21:40:46] arnaud dot lb at gmail dot com

Thanks for your reply.

I'm trying to strip low ASCII characters from GET/POST/COOKIE using the filter extension, and the only way to do that is to use the unsafe_raw filter with the FILTER_FLAG_STRIP_LOW flag.

The string filter can do that with the FILTER_FLAG_STRIP_LOW flag, but it strips HTML tags too, and I don't want to strip HTML tags.

From the documentation, about the unsafe_raw filter: "Do nothing, optionally strip or encode special characters."

It works as expected using filter_var() for example:

filter_var("a <b> \000 c", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW) => "a c" (the null char was stripped, but the <b> tag too)

filter_var("a <b> \000 c", FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW) => "a <b> c" (only the null char was stripped)

But it does not work as a default filter. The bug42718.phpt testcase demonstrates that.

According to the documentation, I think that the unsafe_raw filter may not be bypassed when default_flags are != 0. This is the only change my patch does:

- if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)) {
+ if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW) || IF_G(default_filter_flags) != 0) {

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42718

--
Edit this bug report at http://bugs.php.net/?id=42718&edit=1
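
Review bot: the IF_G(default_filter_flags) != 0 test on the + line of the one-line change quoted in the 2007-09-29 comment treats every nonzero flag value the same, so any default flag at all stops the unsafe_raw bypass, not only the strip or encode flags the report is about. The 2008-12-06 comment records that the committed patch broke magic_quotes_gpc and was backed out, and the newest comment proposes testing against FILTER_FLAG_NO_ENCODE_QUOTES instead of 0; narrowing the condition along those lines and adding a magic_quotes_gpc case alongside bug42718.phpt would guard against that regression. A short comment above the condition stating when the bypass is meant to apply would also make the intent reviewable.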