Newsgroups: php.internals
Date: Mon, 1 Aug 2016 17:23:37 +0900
To: "internals@lists.php.net"
Subject: Adding validate_var_array()/validate_input_array() to which version?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

We have filter_var_array()/filter_input_array() currently. They are
designed as filter functions, i.e. they convert offending elements to
NULL/FALSE. Therefore, it's difficult to validate and see if inputs
are valid against the specified specifications.

https://github.com/php/php-src/pull/2048

This patch adds true validation functions:

- validate_var_array() - Almost the same as filter_var_array() except
  it returns scalar FALSE on validation failure(s), instead of a
  filtered array.
- validate_input_array() - Almost the same as filter_input_array()
  except it returns scalar FALSE on validation failure(s), instead of
  a filtered array.

These functions are handy for input validation that stops script
execution upon invalid (attacker's) inputs.

The question is which version I should target. It's a simple enough
patch to be merged to 7.1, IMO.

Comments are appreciated!

Regards,

P.S. It's possible to return an array that contains the offending
values. It is not included since users can store the whole offending
input array. The whole input is more useful for attack analysis.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
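
The difference the message describes, as an added example that is not part of the original post and is not the code from the pull request. The helper name strict_validate_array(), the filter spec and the sample input are assumptions made for illustration; the helper only approximates the proposed "scalar FALSE on any failure" behaviour in userland on top of filter_var_array().

```php
<?php
// Constructed sample request data: 'age' and 'email' are invalid, 'active' is a valid "false".
$input = ['age' => '30; DROP', 'email' => 'not-an-address', 'active' => 'no'];

$spec = [
    'age'    => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 0, 'max_range' => 150]],
    'email'  => FILTER_VALIDATE_EMAIL,
    'active' => FILTER_VALIDATE_BOOLEAN,
];

// Current behaviour: an array is always returned and each offending element
// becomes FALSE, so a failed 'age' looks the same as the legitimate boolean
// FALSE produced for 'active' => 'no'.
var_dump(filter_var_array($input, $spec));

// Hypothetical helper (not the function added by the pull request):
// returns the validated array, or scalar FALSE if any element fails or is missing.
function strict_validate_array(array $data, array $spec)
{
    foreach ($spec as $key => $def) {
        if (!is_array($def)) {
            $def = ['filter' => $def];
        }
        // Failures become NULL, which keeps them distinct from a valid boolean FALSE.
        $def['flags'] = ($def['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;
        $spec[$key] = $def;
    }
    $result = filter_var_array($data, $spec, true); // add_empty: missing keys become NULL
    if (!is_array($result)) {
        return false;
    }
    $failed = false;
    array_walk_recursive($result, function ($value) use (&$failed) {
        if ($value === null) {
            $failed = true;
        }
    });
    return $failed ? false : $result;
}

$clean = strict_validate_array($input, $spec);
if ($clean === false) {
    // Keep the whole offending input for later analysis, then stop.
    error_log('Rejected input: ' . json_encode($input));
    http_response_code(400);
    exit;
}
```

Keys present in the input but absent from the spec are dropped by filter_var_array() without error, so this helper does not reject unexpected fields.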