Newsgroups: php.internals
Xref: news.php.net php.internals:26182
Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters
From: ilia@prohost.org (Ilia Alshanetsky)
To: Stefan Esser
Cc: PHP internals
Date: Mon, 23 Oct 2006 11:18:55 -0400
In-Reply-To: <453C81F8.7080606@hardened-php.net>

On 23-Oct-06, at 4:48 AM, Stefan Esser wrote:

> Hi,
>
> I just wanted to remind you that PHP 5.2.0 will be released with broken
> and inconsistent input filtering.
>
> Right now _SERVER is only passed through the input filter for apache 1
> SAPI. All other SAPIs do not pass _SERVER variables through the filter.
> This will be a major headache for people using ext/filter etc...

In some SAPIs such as CLI it makes little sense to filter $_SERVER in
the majority of cases. As a whole I do not believe $_SERVER in its
entirety needs to be filtered, given that at least 1/2 the data there
is not based on user input. My suggestion is that people use the
filter_var() function to filter components of the $_SERVER superglobal
that they are using.

That said, in a future release there are plans to extend support to
Apache 2 and cgi/fcgi SAPIs as well as add handling for $_REQUEST.

Ilia Alshanetsky
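The approach Ilia recommends, validating only the client-controlled components of $_SERVER with filter_var() rather than relying on the SAPI-level input filter, as an added example that is not part of the original thread or of PHP's own code. It assumes PHP 7 or later for the `??` operator; the `$server` array is a constructed stand-in for `$_SERVER` so the script runs offline under the CLI, though the key names are real $_SERVER keys. The split between server-set keys and request-derived keys reflects Ilia's point that roughly half of $_SERVER is not user input.

```php
<?php
// Added example, not from the original thread: filter the request-derived parts of
// $_SERVER with filter_var(), leaving server-owned keys alone.

// Keys the web server fills in itself (not parsed from the request line or headers).
// These are the "not based on user input" half and are passed through untouched.
const SERVER_OWNED_KEYS = ['SERVER_SOFTWARE', 'DOCUMENT_ROOT', 'SERVER_ADDR', 'SERVER_PORT'];

function validated_server_vars(array $server): array
{
    $out = [];

    foreach (SERVER_OWNED_KEYS as $key) {
        if (isset($server[$key])) {
            $out[$key] = $server[$key];
        }
    }

    // HTTP_HOST comes from the client's Host: header. Accept a hostname with an optional port only.
    $host = filter_var($server['HTTP_HOST'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$/']]);
    $out['HTTP_HOST'] = ($host === false) ? null : $host;

    // REMOTE_ADDR is derived from the TCP connection, so it is normally a real address; validating
    // it anyway makes the assumption explicit and catches a proxy that rewrites it badly.
    $addr = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    $out['REMOTE_ADDR'] = ($addr === false) ? null : $addr;

    // X-Forwarded-For is an arbitrary client header. Take the first hop only and require a
    // public address (no private or reserved ranges).
    $firstHop = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')[0];
    $fwd = filter_var(trim($firstHop), FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    $out['HTTP_X_FORWARDED_FOR'] = ($fwd === false) ? null : $fwd;

    // REQUEST_URI echoes the request line verbatim; encode characters that are significant in
    // HTML so the value is safe to display in an error page or log viewer.
    $out['REQUEST_URI'] = filter_var($server['REQUEST_URI'] ?? '', FILTER_SANITIZE_SPECIAL_CHARS);

    // CONTENT_LENGTH is a client header and must be a non-negative integer.
    $len = filter_var($server['CONTENT_LENGTH'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $out['CONTENT_LENGTH'] = ($len === false) ? null : $len;

    return $out;
}

// Constructed sample request environment (stands in for $_SERVER; values are made up).
$server = [
    'SERVER_SOFTWARE'      => 'Apache',                 // set by the server
    'SERVER_PORT'          => '80',                     // set by the server
    'REMOTE_ADDR'          => '203.0.113.7',            // from the TCP connection
    'HTTP_HOST'            => 'www.example.com:8080',   // client header
    'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 198.51.100.2', // client header, first hop is private
    'REQUEST_URI'          => '/index.php?q=<script>',  // request line
    'CONTENT_LENGTH'       => '-1',                     // client header, invalid
];

print_r(validated_server_vars($server));
```

Each validating filter returns `false` on rejection, which the function maps to `null` so callers can distinguish "header absent or invalid" from an accepted value; with the constructed input above the private first hop in X-Forwarded-For and the negative Content-Length are both rejected, while the server-owned keys pass through unchanged. This is the same per-key filtering Ilia describes, and it behaves identically under every SAPI because it does not depend on whether the SAPI feeds $_SERVER through the input filter.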