[wp-testers] wordpress and php security

Brian Layman Brian at TheCodeCave.com
Sat Dec 23 06:45:25 GMT 2006


> Well, there's this...
http://blog.php-security.org/archives/64-Why-extfilter.html
> Someone should calculate the dollar value of all the time spent doing
> damage repair from things like magic_quotes_gpc, register_globals,  
> and now with PHP 5.2, the ext/filter system.

Nice.  "So, let's see if we can find another way to make PHP operate
differently on various servers."  

Two other corners of this incestuous love triangle:

Stefan's article spoke of Pierre's post
(http://blog.thepimp.net/index.php/post/2006/12/21/how-to-do-not-work-around-filter-dont-be-lazy-%3A)
complaining about "persons [who] worked
around ext/filter with ugly hacks" and "horrible codes" that are "not
only plain stupid (to be polite) but laziness is the first cause of most
security flaws".  Good thing that Pierre edited the post "to say that
this post is not an attack against the Serendipity or flyspray
developers, I hope they don't feel offended".  Why in the world would
they feel offended?
(Pierre, btw, wrote the final version of the filter code according to
http://ilia.ws/archives/131-Filter-Extension-Revamped-and-PHP-5.2-news.html )

Christian's response (FlySpray's response) is at
http://blog.flyspray.org/archives/1-We-have-our-own-filters-Pierre-...html
"We feel the API is not very intuitive to use and may add significant
complexity to the code, for no gain to the vast majority of users."
Basically a "Better the enemy you know" argument.

With all of the different configurations available, I can sure understand
why they'd want to be in full control of the processing of the data.
Looking at the manual (http://www.php.net/filter) reveals that
"unsafe_raw" doesn't even pass in the raw code all the time. In php.ini
you can still have filter.default set to "unsafe_raw" (or omitted)
but specify "FILTER_FLAG_STRIP_HIGH" or "FILTER_FLAG_ENCODE_AMP" in
filter.default_flags to filter the data.  To me "RAW" indicates it would
"Do nothing" not "Do nothing, optionally strip or encode special
characters.".  

It's also unclear to me, though I guess easy to test, as to what happens
when "FILTER_FLAG_NO_ENCODE_QUOTES" is put into "filter.default_flags".
Does it do nothing because 
filter.default_flags applies only to the filter specified in
"filter.default" or are the flags specified in "filter.default_flags"
the defaults for ALL filters? 

I guess you need to handle encoded/nonencoded characters anyway, but it
sure would be nice to know that if you make a get call from your code,
that's the way it will look on the other side.

What a mess... I need to read this all again when I'm fresh and it's not
the end of a long day...

Cheers!
______________________________________________
Brian Layman 
http://www.TheCodeCave.com
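As an added illustration of the "unsafe_raw is not raw" point in the post above (example code written for this archive page, not code from the post, FlySpray or PHP's own docs; the input string is constructed), the block below runs the same input through FILTER_UNSAFE_RAW with no flags and with the flags the post names, and prints the server's configured defaults so the deployment-dependent behaviour can be checked on a given box.

```php
<?php
// Added example, not from the original post. Compares what ext/filter
// returns for one constructed input under FILTER_UNSAFE_RAW with no
// flags versus the flags discussed in the post.

function raw_vs_flagged(string $input): array
{
    $sets = [
        'no flags'                => 0,
        'STRIP_HIGH'              => FILTER_FLAG_STRIP_HIGH,
        'ENCODE_AMP'              => FILTER_FLAG_ENCODE_AMP,
        'STRIP_HIGH | ENCODE_AMP' => FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP,
        'NO_ENCODE_QUOTES'        => FILTER_FLAG_NO_ENCODE_QUOTES,
    ];
    $out = [];
    foreach ($sets as $label => $flags) {
        // An explicit filter and explicit flags, so the result does not
        // depend on filter.default / filter.default_flags in php.ini.
        $out[$label] = filter_var($input, FILTER_UNSAFE_RAW, $flags);
    }
    return $out;
}

// Constructed input: an ampersand, double quotes and bytes above 0x7F
// (the UTF-8 encoding of "é"), i.e. one character for each flag to act on.
$input = "a&b \"quoted\" caf\xC3\xA9";

foreach (raw_vs_flagged($input) as $label => $result) {
    // Hex output makes stripped bytes and inserted entities visible.
    printf("%-24s => %s\n", $label, bin2hex($result));
}

// What $_GET/$_POST and filter_input() without an explicit filter are
// subject to on this particular server: the ini defaults.
printf("filter.default=%s filter.default_flags=%s\n",
       ini_get('filter.default'), ini_get('filter.default_flags'));
```

Run it under two php.ini configurations (one with filter.default_flags empty, one with FILTER_FLAG_STRIP_HIGH set) and compare the last line with how a request parameter actually arrives in $_GET on each.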