Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:26184 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 40626 invoked by uid 1010); 23 Oct 2006 15:28:24 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 40611 invoked from network); 23 Oct 2006 15:28:24 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Oct 2006 15:28:24 -0000 Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass; domainkeys=good Received-SPF: pass (pb1.pair.com: domain gmail.com designates 66.249.92.173 as permitted sender) DomainKey-Status: good X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 66.249.92.173 ug-out-1314.google.com Linux 2.4/2.6 Received: from [66.249.92.173] ([66.249.92.173:10072] helo=ug-out-1314.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A3/00-39788-59FDC354 for ; Mon, 23 Oct 2006 11:28:24 -0400 Received: by ug-out-1314.google.com with SMTP id 80so1206437ugb for ; Mon, 23 Oct 2006 08:28:17 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ccE8T3K9Rh/lw+BTtbof6jWp6G9kDjUvgJ+t1Ml1OKJNzlT3TbQcdu54J2o7+dMFw0ATUpXp0u7L4wsH5HXEdhYg6/zXYlgv2HhBb9IV63B4krLx4qHfwE8GyAN8FIK5rk+XG8yVXXP4rXTD9qzVgP/auxAkbCetFvU7pFWiYEY= Received: by 10.78.149.15 with SMTP id w15mr7516198hud; Mon, 23 Oct 2006 08:28:17 -0700 (PDT) Received: by 10.78.137.6 with HTTP; Mon, 23 Oct 2006 08:28:17 -0700 (PDT) Message-ID: Date: Mon, 23 Oct 2006 17:28:17 +0200 To: "Ilia Alshanetsky" Cc: "Stefan Esser" , "PHP internals" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <453C81F8.7080606@hardened-php.net> Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters From: pierre.php@gmail.com (Pierre) Hello, On 10/23/06, Ilia Alshanetsky wrote: > > On 23-Oct-06, at 4:48 AM, Stefan Esser wrote: > > > Hi, > > > > I just wanted to remind you that PHP 5.2.0 will be released with > > broken > > and inconsistent input filtering. > > > > Right now _SERVER is only passed through the input filter for apache 1 > > SAPI. All other SAPIs do not pass _SERVER variables through the > > filter. > > This will be a major headache for people using ext/filter etc... > > In some SAPIs such as CLI it makes little sense to filter $_SERVER in > majority of cases. As a whole I do not believe $_SERVER in its > entirety needs to be filtered, given that at least 1/2 the data there > is not based on user-input. My suggestion is that people use > filter_var() function to filter components of the $_SERVER super- > global that they are using. > > That said, in future release there are plans to extend support to > Apache 2 and cgi/fcgi sapis as well as add handling for $_REQUEST. Yes, and more generally as soon as we fix the leaks and the other troubles we spoted recently. I still like to disable ENV/SERVER support in 5.2.0 (just like _REQUEST), we can restore it later. --Pierre