On Fri, Jun 26, 2026 at 5:38 PM Sjoerd Langkemper <[email protected]> wrote:
> On Fri, Jun 26, 2026, at 14:42, Arnaud Le Blanc wrote:
>
> > Can we deprecate the filter only in php://filter URLs, and not in the
> > function-based filter API?
>
> Yes, this would be a practical solution that prevents misuse of dechunk in
> attacks, while still providing it for legitimate use. It is technically
> possible, but it won't be a pretty implementation. It would basically be
> `if (name==dechunk) raise_error()` in the code that parses the filter URL.
> It would break the consistency of the filter API.

Why can't you create a new version of php_stream_filter_create (e.g. php_stream_filter_create_ex) where you could pass some flags indicating if it comes from the URL (php_stream_apply_filter_list)? Then the filter itself could make such a decision (it would probably require changing php_stream_filter_factory but that might be acceptable).

Kind regards,
Jakub
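The flag-passing design suggested in the reply above, as a stand-alone C model added here (it is not PHP's source and not code from the thread). Every `model_*` / `MODEL_*` name is hypothetical, and the factory signature and flag value are assumptions chosen only to show where the decision would live.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical flag: set only by the code path that parses php://filter URLs. */
#define MODEL_FILTER_FROM_URL 0x1

typedef struct { const char *name; } model_filter;

/* Assumed factory signature, extended with a flags argument. */
typedef model_filter *(*model_factory)(const char *name, int flags);

static model_filter dechunk_instance = { "dechunk" };
static model_filter rot13_instance   = { "string.rot13" };

/* The filter's own factory decides: refuse creation when requested via a URL.
 * (A deprecation would emit a notice here instead of refusing outright.) */
static model_filter *dechunk_create(const char *name, int flags) {
    (void)name;
    if (flags & MODEL_FILTER_FROM_URL) return NULL;
    return &dechunk_instance;
}

/* A filter with no origin policy simply ignores the flag. */
static model_filter *rot13_create(const char *name, int flags) {
    (void)name; (void)flags;
    return &rot13_instance;
}

static const struct { const char *name; model_factory create; } registry[] = {
    { "dechunk",      dechunk_create },
    { "string.rot13", rot13_create   },
};

/* Model of the proposed *_create_ex entry point: forwards flags to the factory,
 * so the lookup code carries no per-filter special case. */
model_filter *model_filter_create_ex(const char *name, int flags) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i].name, name) == 0)
            return registry[i].create(name, flags);
    return NULL; /* unknown filter name */
}

/* Function-based filter API path: no origin flag is set. */
model_filter *model_filter_create(const char *name) {
    return model_filter_create_ex(name, 0);
}

/* URL-parsing path: tags the request with its origin. */
model_filter *model_filter_create_from_url(const char *name) {
    return model_filter_create_ex(name, MODEL_FILTER_FROM_URL);
}
```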
