Newsgroups: php.internals
Date: Sat, 29 Sep 2007 16:54:26 +0200
From: arnaud.lb@gmail.com ("Arnaud.lb")
To: "PHP Internals List"
Subject: [PATCH] Bug#42718 (FILTER_UNSAFE_RAW not applied when configured as default filter, even with flags)
Message-ID: <200709291654.26242.arnaud.lb@gmail.com>

Hi,

Here is a patch to fix bug #42718: http://bugs.php.net/?id=42718&edit=1

The "unsafe_raw" filter is not applied when configured as default filter.

I found that the php_sapi_filter() internal function in ext/filter/filter.c intentionally bypasses this filter:

    if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){
        (apply default filter)
    } else [...]

The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering.

I suggest not bypassing the unsafe_raw filter when default_filter_flags is different than 0 (bug42718.patch attached).

I also wrote a testcase for this bug: bug42718.phpt.

And another testcase (052.phpt) to check if the patch does not modify the behavior of the php_sapi_filter() function:

- Apply filter, only if filter will do something (unsafe_raw with no flags does nothing)
- Else, fall back to magic_quotes_gpc if enabled

Regards

Attachments: bug42718.patch (text/x-diff), bug42718.phpt, 052.phpt
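
The dispatch rule described in the message, as a simplified C model added here (not code from the patch or from ext/filter). The filter id, the STRIP_LOW flag and every function name are hypothetical stand-ins, and `out` is assumed to hold at least 2*n bytes.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the default-filter dispatch described in the mail.
 * All names and values are hypothetical stand-ins, not PHP's own. */
enum { F_UNSAFE_RAW = 1 };     /* model id of the unsafe_raw filter */
enum { FLAG_STRIP_LOW = 4 };   /* model flag: drop bytes below 0x20 */

struct cfg { int default_filter; int default_flags; int magic_quotes; };

/* unsafe_raw: a no-op unless a flag asks it to strip characters. */
static size_t unsafe_raw(const char *in, size_t n, int flags, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if ((flags & FLAG_STRIP_LOW) && (unsigned char)in[i] < 0x20)
            continue;
        out[o++] = in[i];
    }
    return o;
}

/* magic_quotes-style fallback: backslash-escape quotes, backslash, NUL. */
static size_t add_slashes(const char *in, size_t n, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        if (c == '\0') { out[o++] = '\\'; out[o++] = '0'; continue; }
        if (c == '\'' || c == '"' || c == '\\') out[o++] = '\\';
        out[o++] = c;
    }
    return o;
}

/* patched == 0: condition as quoted in the mail; 1: suggested condition.
 * Returns the number of bytes written to out (capacity >= 2 * n). */
size_t sapi_filter(const struct cfg *c, int patched,
                   const char *in, size_t n, char *out) {
    int apply = c->default_filter != F_UNSAFE_RAW ||
                (patched && c->default_flags != 0);
    if (apply)            /* only unsafe_raw is modelled as a filter */
        return unsafe_raw(in, n, c->default_flags, out);
    if (c->magic_quotes)  /* filter would do nothing: fall back */
        return add_slashes(in, n, out);
    memcpy(out, in, n);   /* neither applies: value passes through */
    return n;
}
```

With unsafe_raw as default and a strip flag set, the quoted condition lets a NUL byte through unchanged, while the suggested condition strips it; with no flags, both conditions still fall back to the magic-quotes path.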