Request #57003 filter.default value inadequate for real life
Submitted: 2006-05-07 02:51 UTC Modified: 2006-09-29 11:51 UTC
From: judas dot iscariote at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: filter (PECL)
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
 [2006-05-07 02:51 UTC] judas dot iscariote at gmail dot com
Description:
------------
I'm aware this extension is likely to be included in 5.2 or 6.0, so I think now may be a prudent time to ask this.


I very much like this extension, I use it right now, and I'm happy it will be available in the core. However, I think the filter.default value is too strict for being the "default", and will break an insane amount of code out there. I don't think people want this extension to be the "magic_quotes v2"..


Reproduce code:
---------------
not needed; just pick any of the popular software used out there in the real world and see how input gets mangled: POST-submitted HTML data in weblogs "being stripped of XML/HTML tags and other evil things that can cause XSS problems"[1]

[1] http://files.derickrethans.nl/filter_extension.html

Expected result:
----------------
I expect the extension to be neutral by default.

filter.default = unsafe_raw

preferred in the "hardcoded" STD_PHP_INI_ENTRY, but php.ini is also OK, with a big warning for clueless sysadmins.

and no code or server config to add/change to support this new, very nice addition.

patch :

diff -u -a -r1.37 filter.c
--- filter.c    1 May 2006 17:14:40 -0000       1.37
+++ filter.c    7 May 2006 06:34:51 -0000
@@ -138,7 +138,7 @@
 }

 PHP_INI_BEGIN()
-       STD_PHP_INI_ENTRY("filter.default",   "string", PHP_INI_ALL, UpdateDefaultFilter, default_filter, zend_filter_globals, filter_globals)
+       STD_PHP_INI_ENTRY("filter.default",   "unsafe_raw", PHP_INI_ALL, UpdateDefaultFilter, default_filter, zend_filter_globals, filter_globals)
        PHP_INI_ENTRY("filter.default_flags", NULL,     PHP_INI_ALL, OnUpdateFlags)
 PHP_INI_END()
 /* }}} */
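Review bot: the `+` line hardcodes the filter name `"unsafe_raw"` as a second literal, separate from whatever else in the extension defines the default filter (the thread later mentions a DEFAULT_FILTER constant), and the follow-up comments show exactly the drift this invites: the constant was changed while the ini entry still said `string`. Suggest having the STD_PHP_INI_ENTRY default derive from that single definition rather than a duplicated string, and updating the shipped php.ini text and documentation for `filter.default` in the same change so administrators see the new default described.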


Actual result:
--------------
filter.default = string 

breaking existing code, which will generate phone calls, loss of hair :), will break BC and will require us, the PHP users, to modify our perfectly working code/server config (once again).

For dedicated systems, this is not a problem, but for shared environments it is likely to become a nightmare with such a default value.

Please, think about this in the near future, thanks in advance.
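The report's "Reproduce code" and "Actual result" sections describe the behaviour in words only. The following is an added example (not part of the bug report or the filter extension's own code) showing what the `string` default does to a submitted field compared with `unsafe_raw`, and how application code can read the untouched value regardless of the server's `filter.default`. It assumes PHP with the filter extension loaded; the sample field value is constructed.

```php
<?php
// Added example, not from the bug report. The "string" filter is
// FILTER_SANITIZE_STRING, deprecated since PHP 8.1; it is used here only
// because it is the filter the report discusses.

// Constructed sample: a weblog comment as a user might type it.
$submitted = '<p>Hello <b>world</b></p> she said "hi" & left';

// What filter.default = string does to every $_POST value: tags are
// stripped and quotes are encoded before the application ever sees them.
$asString = filter_var($submitted, FILTER_SANITIZE_STRING);

// What filter.default = unsafe_raw does: nothing, the value is untouched.
$asRaw = filter_var($submitted, FILTER_UNSAFE_RAW);

printf("filter.default=string    : %s\n", $asString);
printf("filter.default=unsafe_raw: %s\n", $asRaw);

// Code that must keep working whatever the administrator put in php.ini
// should not trust $_POST to be raw. filter_input() reads the original
// request data, so asking it for FILTER_UNSAFE_RAW bypasses the server's
// filter.default; escaping then happens at output time, where the
// application knows the context (HTML body, attribute, SQL, ...).
function rawPostField(string $name): ?string
{
    $value = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    // null: field absent; false: not a scalar (e.g. an array field)
    return is_string($value) ? $value : null;
}

// Detect the situation the report describes before users do: any
// filter.default other than unsafe_raw means $_POST/$_GET are rewritten.
function inputIsRewrittenByDefaultFilter(): bool
{
    $default = ini_get('filter.default');
    // ini_get() returns false when the filter extension is not loaded.
    return $default !== false && $default !== '' && $default !== 'unsafe_raw';
}

if (inputIsRewrittenByDefaultFilter()) {
    fwrite(STDERR, "warning: filter.default=" . ini_get('filter.default')
        . " rewrites request data; use filter_input(..., FILTER_UNSAFE_RAW)\n");
}
```

Running the script with `php -d filter.default=string` and again with `php -d filter.default=unsafe_raw` shows the warning appearing only in the first case; a request handler using `rawPostField()` returns the same value under both settings.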








 

 [2006-05-08 12:37 UTC] pierre dot php at gmail dot com
Thank you for taking the time to report a problem with the package.
Unfortunately you are not using a current version of the package -- 
the problem might already be fixed. Please download a new
version from http://pecl.php.net/packages.php

If you are able to reproduce the bug with one of the latest
versions, please change the package version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PECL.

PHP 5.2 filter.default will be unsafe_raw. No breakage should occur. PHP 6 will certainly reintroduce `string` as the default.
 [2006-05-08 12:37 UTC] derick@php.net
Has already been fixed just earlier today.
 [2006-05-08 15:43 UTC] judas dot iscariote at gmail dot com
Thanks Derick. I hope the default filter will always be unsafe_raw, and no 'string' in PHP6 as Pierre says; that will generate other unneeded breakage.
thanks.
 [2006-05-08 16:00 UTC] judas dot iscariote at gmail dot com
I checked a fresh copy from the CVS, and phpinfo still displays string as the default, although the DEFAULT_FILTER constant has been updated, but not the ini entry I think.
 [2006-05-08 16:34 UTC] pierre dot php at gmail dot com
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

I actually changed the default ini earlier today. I set the DEFAULT_FILTER to UNSAFE_RAW.

The DEFAULT_FILTER is used to set the default value of 'filter.default'.

Be sure to run `make clean` and then `make`. Some compilers do not detect changes in .h files.

If for some reasons it does not work for you, can you please reopen this bug and tell me what's going wrong.
 [2006-05-08 17:00 UTC] judas dot iscariote at gmail dot com
Pierre, sorry to bug you again, but I checked a **fresh** copy from the CVS, then rebuilt as usual and used

extension=filter.so as the only directive related to this extension; however, it still defaults to 'string'.

Am I missing something?
 [2006-05-08 17:26 UTC] pierre dot php at gmail dot com
No, my fault. You were right, I forgot the string name replacement, fixed now. I'm getting blind ;)
 [2006-05-08 17:34 UTC] judas dot iscariote at gmail dot com
Now it works as expected, thank you very much Pierre... and I'm getting blind too ;-)
 [2006-08-08 18:07 UTC] pecl at seven dot net dot nz
Hi, just saying that this has regressed back to "string" by default in the current PECL version.
 [2006-08-08 18:09 UTC] pecl at seven dot net dot nz
Oops, just realised this applies to CVS, and the latest released version has not changed since. Ignore the above sorry.
 [2006-09-29 11:25 UTC] info at optima-software dot de
All my web-apps like Wordpress, Joomla, phpMyAdmin did not work correctly since last week.

I racked my brain over why I couldn't POST HTML tags in form fields anymore.

It cost me about 20 more grey hairs.
THX
;-)
 [2006-09-29 11:51 UTC] pierre dot php at gmail dot com
Yes, the change is only in 5.2.0RC4 and pecl CVS.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 21:01:30 2024 UTC