On Fri, Jun 26, 2026 at 5:38 PM Sjoerd Langkemper <[email protected]>
wrote:

> On Fri, Jun 26, 2026, at 14:42, Arnaud Le Blanc wrote:
>
> Can we deprecate the filter only in php://filter URLs, and not in the
> function-based filter API?
>
>
> Yes. this would be a practical solution that prevents misuse of dechunk in
> attacks, while still providing it for legitimate use. It is technically
> possible, but it won't be a pretty implementation. It would basically be
> `if (name==dechunk) raise_error()` in the code that parses the filter URL.
> It would break the consistency of the filter API.
>
>
Why can't you create a new version of php_stream_filter_create (e.g.
php_stream_filter_create_ex) where you could pass some flags indicating if
it comes from the url (php_stream_apply_filter_list)?Then filter itself
could make such decision (it would probably require changing
php_stream_filter_factory but that might be acceptable).

Kind regards,

Jakub

Reply via email to