[PATCH] Bug#42718 (FILTER_UNSAFE_RAW not applied when configured as default filter, even with flags)

Hi Arnaud,

I replied in the bug report, please check it again :)

Thanks for your feedbacks,
--Pierre

Hi,

Here is a patch to fix bug #42718:

http://bugs.php.net/?id=42718&edit=1

The "unsafe_raw" filter is not applied when configured as default
filter.

I found that the php_sapi_filter() internal function in
ext/filter/filter.c intentionally bypass this filter:

if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)){
(apply default filter)
} else [...]

The unsafe_raw filter does nothing by default, but it
can "optionally strip or encode special characters", and it is the
only filter which is able to do that without doing any other
filtering.

I suggest to not bypass the unsafe_raw filter when default_filter_flags is
different than 0 (bug42718.patch attached).

I also wrote a testcase for this bug: bug42718.phpt.

And an other testcase (052.phpt) to check if the patch does not modify the
behavior of the php_sapi_filter() function:

• Apply filter, only if filter will do something (unsafe_raw with no
  flags do nothing)
• Else, fallback to magic_quotes_gpc if enabled

Regards

--TEST--
Bug #42718 (unsafe_raw filter not applied when configured as default filter)
--SKIPIF--
<?php if (!extension_loaded("filter")) die("skip"); ?>
--INI--
magic_quotes_gpc=0
filter.default=unsafe_raw
filter.default_flags=4
--GET--
a=1%00
--FILE--
<?php
echo ini_get('filter.default') . "\n";
echo ini_get('filter.default_flags') . "\n";
echo addcslashes($_GET['a'],"\0") . "\n";
?>
--EXPECT--
unsafe_raw
4
1

--TEST--
fallback to magic_quotes when no filter is to be applied
--SKIPIF--
<?php if (!extension_loaded("filter")) die("skip"); ?>
--INI--
magic_quotes_gpc=1
filter.default=unsafe_raw
filter.default_flags=
--GET--
a=1%00
--FILE--
<?php
echo ini_get('filter.default') . "\n";
echo ini_get('filter.default_flags') . "\n";
echo addcslashes($_GET['a'],"\0") . "\n";
?>
--EXPECT--
unsafe_raw

1\0