ID: 48727
Updated by: [email protected]
Reported By: matthew dot wilkinson at gmail dot com
-Status: Open
+Status: Bogus
Bug Type: Filter related
Operating System: Irrelevant
PHP Version: 5.2.10

New Comment:
Definitely not. This is the only thing that allows someone to enforce a server-wide security policy on questionable code. And yes, it is magic_quotes-like, but it is magic_quotes done right. Having code be responsible for its own filtering has demonstrably failed miserably. With a default filter you have what I like to call a data firewall, much like a network firewall. You filter everything by default and then poke holes in that data firewall from your application. The traditional approach of letting everything through and then trying to remember to apply filters in the right places simply doesn't work. There should also be very few places where you need the raw user data. You should document those places so security-aware users can audit and apply their own data security in those places.

Previous Comments:
------------------------------------------------------------------------

[2009-06-29 21:39:43] matthew dot wilkinson at gmail dot com

Description:
------------
While the data filtering extension is a fantastic thing, is providing the filter.default configuration option not just presenting a repeat of what magic quotes brought? i.e. scripts will have to check if inputs are already filtered, potentially have to unfilter them or work around it.

It should be the script's responsibility to filter inputs if they need to be, and as magic quotes proved, when PHP tries to do it for the programmer, and in a configurable, non-consistent way, it becomes a hassle and inconvenience rather than a security feature.

For these reasons, I think the filter.default and filter.default_flags configuration options should be removed, and no filtering done by PHP unless a script explicitly uses the filter_* functions.

Reproduce code:
---------------
---
>From manual page: filter.configuration
---

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=48727&edit=1
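The "data firewall" pattern discussed in both comments, as an added example that is not part of the bug report or of PHP's own code: it simulates what filter.default=special_chars does to every request value, shows how a script detects that a server-wide default filter is active (the check the reporter worries scripts would need), and shows the one documented "hole" where raw data is fetched explicitly. The sample request array and the php.ini values are constructed for illustration.

```php
<?php
// Constructed php.ini policy this example assumes (PHP_INI_PERDIR, so it is
// set by the server admin, not by the script):
//
//   filter.default       = special_chars
//   filter.default_flags = 0
//
// With that policy PHP sanitizes $_GET, $_POST, $_COOKIE, $_REQUEST and
// $_SERVER before the script runs. Original values remain reachable only
// through filter_input() with FILTER_UNSAFE_RAW.

// Constructed sample request data, as it would arrive before filtering.
$rawRequest = [
    'name'    => '<b>Alice</b>',
    'comment' => "It's \"quoted\" & <script>alert(1)</script>",
];

// Mirror of what filter.default=special_chars applies to every superglobal
// entry at request start (filter_var_array with the same sanitizer).
function applyDefaultFilter(array $input): array
{
    return filter_var_array($input, FILTER_SANITIZE_SPECIAL_CHARS);
}

// The check a script can make instead of guessing whether values are
// already filtered: read the effective server-wide policy.
function defaultFilterActive(): bool
{
    $default = ini_get('filter.default');
    return $default !== false && $default !== '' && $default !== 'unsafe_raw';
}

// The single documented "hole" in the data firewall. Keep these call sites
// few and listed so an auditor can review each one. In a real request the
// value comes from filter_input(); here we fall back to the constructed
// sample because CLI runs have no request data.
function rawField(string $name, array $sample): ?string
{
    $value = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    return $value ?? ($sample[$name] ?? null);
}

$filtered = applyDefaultFilter($rawRequest);
printf("default filter active: %s\n", defaultFilterActive() ? 'yes' : 'no');
foreach ($filtered as $key => $value) {
    printf("%-8s => %s\n", $key, $value);
}
// The one audited place that needs the unsanitized value (e.g. a field stored
// verbatim and escaped at render time).
printf("raw comment (audited access point): %s\n", rawField('comment', $rawRequest));
```

Run on the CLI this prints the HTML-escaped versions of both fields, followed by the raw comment fetched through the explicit access point; under a web server with the policy above, the superglobals would already hold the escaped values and filter_input() would return the raw one.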
