Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:26189 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71614 invoked by uid 1010); 23 Oct 2006 16:12:18 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 71599 invoked from network); 23 Oct 2006 16:12:17 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Oct 2006 16:12:17 -0000 Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass; domainkeys=good Received-SPF: pass (pb1.pair.com: domain gmail.com designates 66.249.92.168 as permitted sender) DomainKey-Status: good X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 66.249.92.168 ug-out-1314.google.com Linux 2.4/2.6 Received: from [66.249.92.168] ([66.249.92.168:15741] helo=ug-out-1314.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 17/E4-39788-BD9EC354 for ; Mon, 23 Oct 2006 12:12:17 -0400 Received: by ug-out-1314.google.com with SMTP id t30so1070561ugc for ; Mon, 23 Oct 2006 09:12:08 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=RsoZnnn1+9zgpCADXZ5XWoq0MfMDiqamVTymprtwnG0EF9Z+hRgY9RKvIRax+b7lX8UfIAQ6HPag7tX2TJFKqAfvAVkJLQZm14UdoVkDu5pyqeavZXO76UZ1qVKOCOnMEldt72f/81Htslvj5tiU+vk+lGZw3+WqljR/4q9XBl0= Received: by 10.78.128.11 with SMTP id a11mr7606580hud; Mon, 23 Oct 2006 09:12:07 -0700 (PDT) Received: by 10.78.137.6 with HTTP; Mon, 23 Oct 2006 09:12:07 -0700 (PDT) Message-ID: Date: Mon, 23 Oct 2006 18:12:07 +0200 To: "Ilia Alshanetsky" Cc: "Stefan Esser" , "PHP internals" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <453C81F8.7080606@hardened-php.net> Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters From: pierre.php@gmail.com (Pierre) Hello, On 10/23/06, Pierre wrote: > Hello, > > On 10/23/06, Ilia Alshanetsky wrote: > > > > On 23-Oct-06, at 4:48 AM, Stefan Esser wrote: > > > > > Hi, > > > > > > I just wanted to remind you that PHP 5.2.0 will be released with > > > broken > > > and inconsistent input filtering. > > > > > > Right now _SERVER is only passed through the input filter for apache 1 > > > SAPI. All other SAPIs do not pass _SERVER variables through the > > > filter. > > > This will be a major headache for people using ext/filter etc... > > > > In some SAPIs such as CLI it makes little sense to filter $_SERVER in > > majority of cases. As a whole I do not believe $_SERVER in its > > entirety needs to be filtered, given that at least 1/2 the data there > > is not based on user-input. My suggestion is that people use > > filter_var() function to filter components of the $_SERVER super- > > global that they are using. > > > > That said, in future release there are plans to extend support to > > Apache 2 and cgi/fcgi sapis as well as add handling for $_REQUEST. > > Yes, and more generally as soon as we fix the leaks and the other > troubles we spoted recently. I still like to disable ENV/SERVER > support in 5.2.0 (just like _REQUEST), we can restore it later. I just discussed with Ilia about this problem. 5.2.0 will be kept as it is now, only the apache1 sapi will be supported. Other sapi will be introduced for 5.2.1. Ilia already have a patch for apache2 sapi support, it will be commited in HEAD as soon as possible, other will follow. Thanks for the head up, --Pierre