Bug #67296 filter_input doesn't validate variables set by nginx/php-fpm
Submitted: 2014-05-16 22:34 UTC Modified: 2014-07-02 20:24 UTC
From: fleshgrinder at gmx dot at Assigned:
Status: Duplicate Package: Filter related
PHP Version: 5.6.0beta3 OS: Debian Wheezy
Private report: No CVE-ID: None
 [2014-05-16 22:34 UTC] fleshgrinder at gmx dot at
Description:
------------
I'm running nginx which communicates via FastCGI to php-fpm. The filter_input() function doesn't validate any of the variables which are sent via FastCGI within the global $_SERVER array.

Test script:
---------------
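<?php

// Dump each $_SERVER entry next to what filter_input() returns for the same key.
foreach ($_SERVER as $variable_name => $value) {
  var_dump($value);
  // FILTER_UNSAFE_RAW applies no filtering, so this should echo the value above.
  var_dump(filter_input(INPUT_SERVER, $variable_name, FILTER_UNSAFE_RAW));
}

?>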

Expected result:
----------------
The filter_input() function should validate the variable within the $_SERVER array. I know that filter_input() can't be used if you set something in your code, but in my opinion it should accept the data that was sent via FastCGI. Otherwise the function is pretty useless for non-Apache users.

Actual result:
--------------
Always returns NULL.

 [2014-06-03 07:45 UTC] tyrael@php.net
-Status: Open +Status: Feedback
 [2014-06-03 07:45 UTC] tyrael@php.net
Any chance that you are using auto_globals_jit?
Somebody else also reported on the mailing list that input_filter won't trigger the jit variable, so I wonder if this is the same or a different bug.
 [2014-06-03 08:21 UTC] fleshgrinder at gmx dot at
Yes, I am. Here's my complete PHP configuration:

https://github.com/MovLib/www/blob/develop/etc/php/php.ini
 [2014-07-02 20:24 UTC] tyrael@php.net
-Status: Feedback +Status: Duplicate
 [2014-07-02 20:24 UTC] tyrael@php.net
I've verified that this isn't related to auto_globals_jit, but a duplicate of https://bugs.php.net/bug.php?id=49184 and seems to have been present for a while now. :/
I will try to get it fixed. I will close this as a duplicate; you can track the progress on the other bug report.
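
A defensive wrapper for the behaviour reported in this thread, added here as an example and not taken from the bug report or from PHP itself. The helper name server_input() is hypothetical, the sample $_SERVER values are constructed, and the code assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHP): filter a $_SERVER entry even when
 * the filter extension's INPUT_SERVER storage is empty, as reported above.
 *
 * Returns what filter_input()/filter_var() return for the given filter and
 * flags, or NULL when the variable is absent from both sources.
 *
 * @param array|int $options filter options or flags, as for filter_var()
 */
function server_input(string $name, int $filter = FILTER_UNSAFE_RAW, $options = 0)
{
    // Preferred path: the SAPI-provided copy that application code cannot alter.
    // filter_has_var() is used instead of comparing against NULL so that
    // FILTER_NULL_ON_FAILURE does not change the meaning of the check.
    if (filter_has_var(INPUT_SERVER, $name)) {
        return filter_input(INPUT_SERVER, $name, $filter, $options);
    }

    // Fallback: the filter extension does not see the variable.
    // $_SERVER is writable by application code, so the same filter is still
    // applied here rather than trusting the raw value.
    if (!array_key_exists($name, $_SERVER)) {
        return null;
    }
    return filter_var($_SERVER[$name], $filter, $options);
}

// Constructed sample values, labelled as such, so the demo runs from the CLI.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';   // present and a valid IP
$_SERVER['SERVER_PORT'] = 'not-a-port';    // present but not an integer
unset($_SERVER['HTTPS']);                  // absent

$port_range = ['options' => ['min_range' => 1, 'max_range' => 65535]];

var_dump(server_input('REMOTE_ADDR', FILTER_VALIDATE_IP));
var_dump(server_input('SERVER_PORT', FILTER_VALIDATE_INT, $port_range));
var_dump(server_input('HTTPS'));
```

Callers should treat NULL (absent) and FALSE (present but rejected) as distinct outcomes, since the reported bug makes every lookup look like the absent case.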
Last updated: Sat Dec 21 15:01:29 2024 UTC