Newsgroups: php.internals
Date: Mon, 23 Oct 2006 12:18:13 +0200
From: pierre.php@gmail.com (Pierre)
To: "Stefan Esser"
Cc: "PHP internals"
Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters
In-Reply-To: <453C81F8.7080606@hardened-php.net>
References: <453C81F8.7080606@hardened-php.net>

Hello Stefan,

On 10/23/06, Stefan Esser wrote:
> Hi,
>
> I just wanted to remind you that PHP 5.2.0 will be released with broken
> and inconsistent input filtering.
>
> Right now _SERVER is only passed through the input filter for apache 1
> SAPI. All other SAPIs do not pass _SERVER variables through the filter.

While discussing a couple bugs related to SERVER and ENV with Ilia (empty value, leaks and JIT problems in other SAPI or CLI), we decided to disable them if no solution has been found for these two inputs. They are still present for now, during the RC phase.

The problem is to keep JIT working even when a default filter is defined; it makes little sense to initialize and duplicate these variables during the sapi filtering step.

> This will be a major headache for people using ext/filter etc...

etc...?

--Pierre