php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79237 filter_var limited to 8192 characters in input string
Submitted: 2020-02-07 03:29 UTC Modified: 2020-02-07 10:43 UTC
From: murray at focus-computing dot com dot au Assigned:
Status: Verified Package: *Regular Expressions
PHP Version: 7.3Git-2020-02-07 (Git) OS: Debian 4.19.67-2+deb10u1 (2019-0
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-02-07 03:29 UTC] murray at focus-computing dot com dot au
Description:
------------
I was testing some input being passed via a parameter to my script.  I was getting an error indicating that the value passed was invalid, yet it didn't contain any of the strings I was searching for.  
I went through the process of shortening the string and when I got below 8192 chars in length it worked, over 8192 chars in length it would fail.

I also tried this on PHP v7.1.32 and the exact same code on my Mac OSX which worked correctly.

Test script:
---------------
filter_var(trim($_REQUEST['parms']), FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => "/^((?!union select|union all|\'A=|select char).)*$/im")));

Expected result:
----------------
A) filter_var should handle strings longer than 8192 chars

OR

B) Add documentation to filter_var manual entry indicating maximum length of string.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-07 08:03 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-02-07 08:03 UTC] cmb@php.net
Please try again with pcre.jit=0 (unless you did already).  With
pcre.jit=1, I get PCRE2_ERROR_JIT_STACKLIMIT[1] internally.

[1] <https://www.pcre.org/current/doc/html/pcre2api.html#SEC31>
 [2020-02-07 09:41 UTC] murray at focus-computing dot com dot au
-Status: Feedback +Status: Assigned
 [2020-02-07 09:41 UTC] murray at focus-computing dot com dot au
I tried pcre.jit=0 and this worked.
I'm not sure what that changes, or why it worked.  I'm happy, but perhaps we should add a comment to the online manual?
 [2020-02-07 10:43 UTC] cmb@php.net
-Status: Assigned +Status: Verified -Assigned To: cmb +Assigned To:
 [2020-02-07 10:43 UTC] cmb@php.net
Thanks for the confirmation.

It seems to me there should be some hint available why that regex
match failed; maybe just set the last PCRE error, so a user can
get information by calling preg_last_error() (what could be
regarded as BC break, though).
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Feb 24 12:01:25 2020 UTC