Re: [PHP-DEV] request data filter

2003-01-16 Thread Maxim Maletsky
Rasmus Lerdorf [EMAIL PROTECTED] wrote... : this would likely have different security policies, but I do think a general hook is something that would be useful to all of PHP. A huge number of web apps today are extremely vulnerable to cross-site-scripting attacks. Occasionally developers

Re: [PHP-DEV] request data filter

2003-01-16 Thread Moriyoshi Koizumi
It looks like a mess indeed, and there seems to be a thought that encoding conversion and variable registration should be separated into two phases. However, doing so doesn't make sense because some multibyte characters contain [, ], or = and they cannot be handled properly in the ordinary query

Re: [PHP-DEV] request data filter

2003-01-16 Thread Zeev Suraski
At 02:52 16/01/2003, Rasmus Lerdorf wrote: In trying to implement a security policy I need to pass all user-supplied data (GET/POST/Cookie) through a filter function which implements this security. This isn't all that hard to implement as an extension through new 4.3 treat_data and post_handler

Re: [PHP-DEV] request data filter

2003-01-16 Thread Rasmus Lerdorf
I cannot agree more. There is only so much you can do outside PHP (as I do in mod_security). I've finished the code. I'll run it through its paces here and commit it soon. -Rasmus -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit:

[PHP-DEV] request data filter

2003-01-15 Thread Rasmus Lerdorf
In trying to implement a security policy I need to pass all user-supplied data (GET/POST/Cookie) through a filter function which implements this security. This isn't all that hard to implement as an extension through new 4.3 treat_data and post_handler hooks, however it gets messy when you throw

Re: [PHP-DEV] request data filter

2003-01-15 Thread George Schlossnagle
You consider running the apache_hooks code? This should be simple there.

Re: [PHP-DEV] request data filter

2003-01-15 Thread Rasmus Lerdorf
On Wed, 15 Jan 2003, George Schlossnagle wrote: You consider running the apache_hooks code? This should be simple there. You mean do the filtering straight from a PHP script that gets called from a hook? That's a lot of looping through a bunch of arrays. This has to happen on every

Re: [PHP-DEV] request data filter

2003-01-15 Thread George Schlossnagle
You could have your custom C extension be called as one of the hooks. On Wednesday, January 15, 2003, at 09:42 PM, Rasmus Lerdorf wrote: On Wed, 15 Jan 2003, George Schlossnagle wrote: You consider running the apache_hooks code? This should be simple there. You mean do the filtering

Re: [PHP-DEV] request data filter

2003-01-15 Thread Rasmus Lerdorf
You could have your custom C extension be called as one of the hooks. I suppose I could munge with the apache tables directly in a hook before the data is read by the standard treat_data hook, although for post data I am not sure I have any way to get in there before the ap_get_client_block()