Ilia Alshanetsky wrote:

On 23-Oct-06, at 4:48 AM, Stefan Esser wrote:

Hi,

I just wanted to remind you that PHP 5.2.0 will be released with broken
and inconsistent input filtering.

Right now _SERVER is only passed through the input filter for apache 1
SAPI. All other SAPIs do not pass _SERVER variables through the filter.
This will be a major headache for people using ext/filter etc...

In some SAPIs such as CLI it makes little sense to filter $_SERVER in the majority of cases. As a whole I do not believe $_SERVER in its entirety needs to be filtered, given that at least 1/2 the data there is not based on user input. My suggestion is that people use the filter_var() function to filter the components of the $_SERVER super-global that they are using.

I had left out SERVER filtering in the initial version for much the same reasoning, but it turns out that a good chunk of holes were due to the fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying to teach people which SERVER vars are safe and which aren't isn't a fun task and the whole point of the filter extension is to take away the guessing game.

-Rasmus
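As an added illustration of the hole Rasmus refers to and the per-component filter_var() workaround Ilia proposes (example code written for this page, not from the thread or from PHP's own sources; the link-building functions and their names are hypothetical):

```php
<?php
// A page that echoes $_SERVER['REQUEST_URI'] straight back into HTML, e.g. to
// build a "current page" link. REQUEST_URI is whatever path and query string
// the client sent, so it is user input even though it lives in $_SERVER, and
// only the apache1 SAPI passed it through the input filter in 5.2.0.
function unsafe_self_link()
{
    return '<a href="' . $_SERVER['REQUEST_URI'] . '">this page</a>';
}

// Hardened form: filter the one $_SERVER component actually in use with
// filter_var(), then escape it for the context it is emitted into.
function safe_self_link()
{
    $raw = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    $uri = filter_var($raw, FILTER_SANITIZE_URL);
    if ($uri === false || $uri === '') {
        $uri = '/';
    }
    // Caveat: FILTER_SANITIZE_URL only drops characters that cannot appear in
    // a URL at all; it keeps quotes and angle brackets, so it is not an HTML
    // escaper. The output-context escape below is what closes the hole.
    return '<a href="' . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '">this page</a>';
}

// Constructed request for a stand-alone run; a real SAPI populates this.
$_SERVER['REQUEST_URI'] = '/index.php?page="><b>constructed</b>';
echo safe_self_link(), "\n";
```

Run under the CLI the unfiltered variant emits the markup verbatim, while the hardened one emits only the entity-escaped string.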

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php