Newsgroups: php.internals
From: "Richard Lynch" <ceo@l-i-e.com>
To: "Rasmus Lerdorf"
Cc: "Ilia Alshanetsky", "PHP internals"
Date: Mon, 23 Oct 2006 14:54:40 -0500 (CDT)
Subject: Re: [PHP-DEV] PHP 5.2.0 release with "broken" input filters
Message-ID: <30776.208.195.234.246.1161633280.squirrel@www.l-i-e.com>
In-Reply-To: <453CFE17.5020809@lerdorf.com>

On Mon, October 23, 2006 12:38 pm, Rasmus Lerdorf wrote:
> I had left out SERVER filtering in the initial version for much the
> same reasoning, but it turns out that a good chunk of holes were due to
> the fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying to
> teach people which SERVER vars are safe and which aren't isn't a fun
> task and the whole point of the filter extension is to take away the
> guessing game.

Perhaps in 6.0 one could consider having:

$_SERVER
$_SERVER_DIRTY

or some similar scheme so that people *know* there is something "wrong" with just blindly using that data...

Or rename it, so it's not "SERVER" for user-supplied data...

I mean, you've labeled it "SERVER" so I figure it comes from the SERVER, right? Not from the USER...

I know, that's a stupid way to look at things, but there it is.

PS Digging the Yahoo! Maps API :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
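A PHP sketch of the "$_SERVER vs. $_SERVER_DIRTY" split proposed above, added here as an illustration and not code from the thread or from PHP itself. It separates request-derived entries from server-set ones and shows the unfiltered REQUEST_URI pattern Rasmus mentions next to a version passed through the filter extension; the key list and the sample array are constructed assumptions.

```php
<?php
// Added illustration of the "$_SERVER / $_SERVER_DIRTY" split proposed in the
// thread. Not PHP's code: the key list is a constructed, non-exhaustive assumption.
const REQUEST_DERIVED_KEYS = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PATH_TRANSLATED',
    'PHP_SELF', 'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH',
];

// Split a $_SERVER-shaped array into [clean, dirty]: HTTP_* headers and the
// keys above are user-supplied, everything else stays in the clean set.
function splitServerVars(array $server): array
{
    $clean = [];
    $dirty = [];
    foreach ($server as $key => $value) {
        $fromRequest = strncmp($key, 'HTTP_', 5) === 0
            || in_array($key, REQUEST_DERIVED_KEYS, true);
        if ($fromRequest) {
            $dirty[$key] = $value;
        } else {
            $clean[$key] = $value;
        }
    }
    return [$clean, $dirty];
}

// The pattern Rasmus describes: REQUEST_URI dropped into markup unfiltered.
function selfLinkUnfiltered(array $dirty): string
{
    return '<a href="' . ($dirty['REQUEST_URI'] ?? '/') . '">this page</a>';
}

// Same link with the value passed through the filter extension first:
// control bytes stripped, then HTML metacharacters (including quotes) encoded.
function selfLinkFiltered(array $dirty): string
{
    $raw = filter_var($dirty['REQUEST_URI'] ?? '/', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    $uri = filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    return '<a href="' . $uri . '">this page</a>';
}

// Constructed $_SERVER-shaped sample input.
$sample = [
    'SERVER_SOFTWARE' => 'Apache',
    'REQUEST_URI'     => '/search?q=<b>hi</b>',
    'HTTP_USER_AGENT' => 'example-client',
];
[$clean, $dirty] = splitServerVars($sample);
echo selfLinkUnfiltered($dirty), "\n", selfLinkFiltered($dirty), "\n";
```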