Ticket #3093 (assigned defect (bug))

Opened 2 years ago

Last modified 6 months ago

WP should revert anything done by filter in newer PHP versions.

Reported by: masquerade
Assigned to: markjaquith (accepted)
Priority: normal
Milestone: 2.9
Component: Administration
Version:
Severity: normal
Keywords:
Cc:

Description

Just as we do with magic_quotes, we should check the default filter for the new filter extension that is enabled by default in PHP 5.2. The default filter is unsafe_raw, but hosts will quickly change it when they see "unsafe_raw" as a setting.

Change History

12/04/06 12:40:47 changed by markjaquith

  • milestone set to 2.2.

12/23/06 04:33:17 changed by markjaquith

  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.

Serendipity has this code to deal with ext/filter:

if (extension_loaded('filter') && function_exists('input_name_to_filter') && input_name_to_filter(ini_get('filter.default')) !== FILTER_UNSAFE_RAW) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = input_get(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = input_get(INPUT_GET, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = input_get(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_SESSION as $key => $value) {
        $_SESSION[$key] = input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
    }
}

if (extension_loaded('filter') && function_exists('filter_id') && filter_id(ini_get('filter.default')) !== FILTER_UNSAFE_RAW) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = filter_input(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_SESSION as $key => $value) {
        $_SESSION[$key] = filter_input(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
    }
}

It is BSD licensed (the 3-clause GPL-compatible version), so that snippet would have to include this line:

Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)

I think the first block is for CVS versions of PHP... so we might be able to yank that and just use the second block which appears to be based on the final version.

Masquerade, you keep pretty close tabs on cutting edge PHP development... how does the above look to you?
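
A variant of the second (release API) block above, as an added example: it is not code from this ticket, from WordPress or from Serendipity, and the function name is hypothetical. It reads each source with filter_input_array() so that array-valued parameters are restored too, and it leaves $_SESSION alone on the assumption that session data is not request input passed through the default filter.

```php
<?php
// Added example: restore_raw_request_input() is a hypothetical helper name.

/**
 * If filter.default is anything other than unsafe_raw, replace the filtered
 * $_GET, $_POST and $_COOKIE with the raw values ext/filter still holds.
 *
 * @return string[] names of the superglobals that were restored
 */
function restore_raw_request_input(): array
{
    if (!extension_loaded('filter') || !function_exists('filter_id')) {
        return []; // ext/filter absent: nothing was filtered
    }

    // Same test as the block above: only act when the host changed the default.
    if (filter_id((string) ini_get('filter.default')) === FILTER_UNSAFE_RAW) {
        return [];
    }

    $restored = [];

    // Given a filter id instead of a definition array, filter_input_array()
    // applies it to every key and recurses into array-valued parameters
    // (e.g. tags[]=a&tags[]=b). A per-key filter_input() call without
    // FILTER_REQUIRE_ARRAY returns false for such values.
    $get = filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW);
    if (is_array($get)) {
        $_GET = $get;
        $restored[] = '_GET';
    }

    $post = filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW);
    if (is_array($post)) {
        $_POST = $post;
        $restored[] = '_POST';
    }

    $cookie = filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW);
    if (is_array($cookie)) {
        $_COOKIE = $cookie;
        $restored[] = '_COOKIE';
    }

    return $restored;
}

// Call once at bootstrap, before any other code reads the request.
$restored = restore_raw_request_input();
```

Raw values restored this way are exactly what the client sent, so the application's own escaping and validation must still run on them afterwards.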

12/23/06 05:37:53 changed by masquerade

Should work for now, although I wouldn't guarantee its future compatibility. There's been a whisper of talk of removing the superglobals altogether. No more GET POST SESSION COOKIE SERVER. This should work for now, though, and likely for another year or so to come.

03/27/07 22:34:43 changed by foolswisdom

  • milestone changed from 2.2 to 2.3.

08/17/07 00:00:01 changed by darkdragon

I doubt the legitimacy of the removal of superglobals.

If you are going to check for filter extension, why not just use the functions instead, if they exist? It is a great extension and would be great usage for replacing the current filters in WordPress.

09/12/07 03:04:10 changed by ryan

  • milestone changed from 2.3 to 2.4 (next).

02/16/08 15:38:05 changed by westi

  • milestone changed from 2.5 to 2.6.

Moving to 2.6

2.5 Feature Frozen.

This will need lots of testing.

07/17/08 03:42:33 changed by jacobsantos

I propose a new WordPress filter library, which uses and standardizes the current filter code, tries to use the Filter extension if available, and falls back to a PHP implementation if the Filter extension is not available.

07/17/08 03:43:22 changed by jacobsantos

I'll probably do this sometime in the Fall if no one else steps up and fixes this issue.