ID: 42718
Updated by: [EMAIL PROTECTED]
Reported By: arnaud dot lb at gmail dot com
-Status: Closed
+Status: Open
Bug Type: Filter related
Operating System: *
PHP Version: 5CVS-2008-11-01
Assigned To: lbarnaud
New Comment:

Reopening, this patch broke magic_quotes_gpc and has been backed out.

Previous Comments:
------------------------------------------------------------------------

[2008-11-02 22:07:23] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2008-11-02 13:06:39] [EMAIL PROTECTED]

Arnaud, fix it yourself.

------------------------------------------------------------------------

[2007-09-30 06:29:17] [EMAIL PROTECTED]

Pierre, he is right, fix it. :)

------------------------------------------------------------------------

[2007-09-29 21:40:46] arnaud dot lb at gmail dot com

Thanks for your reply.

I'm trying to strip low ASCII characters from GET/POST/COOKIE using the filter extension, and the only way to do that is to use the unsafe_raw filter with the FILTER_FLAG_STRIP_LOW flag.

The string filter can do that with the FILTER_FLAG_STRIP_LOW flag, but it strips HTML tags too, and I don't want to strip HTML tags.

From the documentation, about the unsafe_raw filter: "Do nothing, optionally strip or encode special characters."

It works as expected using filter_var() for example:

filter_var("a <b> \000 c", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW) => "a c" (the null char was stripped, but the <b> tag too)

filter_var("a <b> \000 c", FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW) => "a <b> c" (only the null char was stripped)

But it does not work as a default filter. The bug42718.phpt testcase demonstrates that.

According to the documentation, I think that the unsafe_raw filter may not be bypassed when default_flags are != 0.

This is the only change my patch does:

- if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW)) { + if (!(IF_G(default_filter) == FILTER_UNSAFE_RAW) || IF_G(default_filter_flags) != 0) {

------------------------------------------------------------------------

[2007-09-29 20:04:23] [EMAIL PROTECTED]

"The unsafe_raw filter does nothing by default, but it can "optionally strip or encode special characters", and it is the only filter which is able to do that without doing any other filtering."

The string filter with the correct flags should work as you expected. It is normal that the unsafe_raw filter does nothing.

What are you trying to achieve exactly? (i.e. using other filters but it did not work as you expect)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42718
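
Review bot: the widened condition on the `+` line of the change quoted in the [2007-09-29 21:40:46] comment needs a regression test covering magic_quotes_gpc before it is applied again, since the newest comment reports that this patch broke magic_quotes_gpc and was backed out. With `|| IF_G(default_filter_flags) != 0`, the guarded branch now also runs when the default filter is unsafe_raw and any default flag is set, a case that previously skipped it, so whatever that branch does to the value has to be checked against quoting for that case; bug42718.phpt only exercises the strip-low behaviour. As a style point, `!(IF_G(default_filter) == FILTER_UNSAFE_RAW)` reads more clearly as `IF_G(default_filter) != FILTER_UNSAFE_RAW`, which also makes the precedence of the added `||` obvious.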
