Make WordPress Core

Opened 18 years ago

Closed 14 years ago

#3093 closed defect (bug) (invalid)

WP should revert anything done by filter in newer PHP versions.

Reported by: masquerade
Owned by: markjaquith
Milestone:
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: 2nd-opinion
Focuses:
Cc:

Description

Just as we do with magic_quotes, we should check the default filter for the new filter extension that is enabled by default in PHP 5.2. The default filter is unsafe_raw, but hosts will quickly change it when they see "unsafe_raw" as a setting.

Change History (14)

#1 @markjaquith
17 years ago

  • Milestone set to 2.2

#2 @markjaquith
17 years ago

  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Serendipity has this code to deal with ext/filter:

if (extension_loaded('filter') && function_exists('input_name_to_filter') && input_name_to_filter(ini_get('filter.default')) !== FILTER_UNSAFE_RAW) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = input_get(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = input_get(INPUT_GET, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = input_get(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_SESSION as $key => $value) {
        $_SESSION[$key] = input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
    }
}

if (extension_loaded('filter') && function_exists('filter_id') && filter_id(ini_get('filter.default')) !== FILTER_UNSAFE_RAW) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = filter_input(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_SESSION as $key => $value) {
        $_SESSION[$key] = filter_input(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
    }
}

It is BSD licensed (the 3-clause GPL-compatible version), so that snippet would have to include this line:

Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)

I think the first block is for CVS versions of PHP... so we might be able to yank that and just use the second block which appears to be based on the final version.

Masquerade, you keep pretty close tabs on cutting edge PHP development... how does the above look to you?

#3 @masquerade
17 years ago

Should work for now, although I wouldn't guarantee its future compatibility. There's been a whisper of talk of removing the superglobals altogether. No more GET POST SESSION COOKIE SERVER. This should work for now, though, and likely for another year or so to come.

#4 @foolswisdom
17 years ago

  • Milestone changed from 2.2 to 2.3

#5 @darkdragon
17 years ago

I doubt the legitimacy of the removal of Superglobals.

If you are going to check for filter extension, why not just use the functions instead, if they exist? It is a great extension and would be great usage for replacing the current filters in WordPress.

#6 @ryan
17 years ago

  • Milestone changed from 2.3 to 2.4 (next)

#7 @westi
16 years ago

  • Milestone changed from 2.5 to 2.6

Moving to 2.6

2.5 Feature Frozen.

This will need lots of testing.

#8 @jacobsantos
16 years ago

I propose a new WordPress filter library, which uses and standardizes the current filter code and tries to use the Filter extension if available, and falls back to PHP implementation if Filter library is not available.

#9 @jacobsantos
16 years ago

I'll probably do this sometime in the Fall if no one else steps up and fixes this issue.

#10 @Denis-de-Bernardy
15 years ago

trouble with a filter library meant to replace that of php is, if php doesn't fix a security hole in their own library (as happens on occasion) or if hosts don't upgrade php (as happens very frequently), then you leave security holes behind that you cannot easily fix.

#11 @Denis-de-Bernardy
15 years ago

was meant: trouble with a filter library meant to map that of php

#12 @hakre
15 years ago

  • Keywords reporter-feedback 2nd-opinion added

It is not possible to revert all filters (because of data loss while filtering), so this report is actually invalid. I suggest to have this closed as invalid.
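
The data-loss argument in comment #12, as an added example that is not part of the ticket and is not WordPress or Serendipity code: it reports whether the configured filter.default leaves request data untouched, then shows that a sanitizing filter maps several different inputs to the same output. The function names and sample inputs are assumptions made for this illustration, and filter_var() stands in for the filtering a host's non-raw default would apply to request data.

```php
<?php
// Added example: function names are hypothetical, not WordPress or Serendipity code.

// Report whether a filter.default / filter.default_flags pair leaves request
// data untouched on its way into $_GET, $_POST and $_COOKIE.
function request_filter_status(string $name, int $flags = 0): array
{
    $id = filter_id($name);                 // false when the name is unknown
    return [
        'filter' => $name,
        'known'  => $id !== false,
        'raw'    => $id === FILTER_UNSAFE_RAW && $flags === 0,
    ];
}

// Run each sample through the filter and group inputs whose output is identical.
// A group with more than one member means the filtered value cannot be mapped
// back to a single original, so the filtered value alone cannot be "reverted".
function find_collisions(int $filterId, array $samples): array
{
    $byOutput = [];
    foreach ($samples as $raw) {
        $byOutput[(string) filter_var($raw, $filterId)][] = $raw;
    }
    return array_filter($byOutput, fn(array $inputs): bool => count($inputs) > 1);
}

// Constructed sample inputs standing in for request parameters.
$samples = ['1234', '1,234', '1 234', 'id=1234'];

$status = request_filter_status(
    (string) ini_get('filter.default'),
    (int) ini_get('filter.default_flags')
);
printf("configured default: %s (raw: %s)\n", $status['filter'], $status['raw'] ? 'yes' : 'no');

// Compare the raw filter with one sanitizing filter a host might configure.
foreach (['unsafe_raw', 'number_int'] as $name) {
    $groups = find_collisions(filter_id($name), $samples);
    printf("%s: %d colliding group(s)\n", $name, count($groups));
    foreach ($groups as $output => $inputs) {
        printf("  %s <- %s\n", var_export((string) $output, true), json_encode($inputs));
    }
}
```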

#13 @scribu
15 years ago

  • Keywords reporter-feedback removed

#14 @ryan
14 years ago

  • Milestone 2.9 deleted
  • Resolution set to invalid
  • Status changed from accepted to closed