[wp-testers] wordpress and php security

Brian Layman Brian at TheCodeCave.com
Sat Dec 23 06:45:25 GMT 2006

> Well, there's this...
> Someone should calculate the dollar value of all the time spent doing

> damage repair from things like magic_quotes_gpc, register_globals,  
> and now with PHP 5.2, the ext/filter system.

Nice.  "So, let's see if we can find another way to make PHP operate
differently on various servers."  

Two other corners of this incestuous love triangle:

Stefan article spoke of Pierre's post
ound-filter-dont-be-lazy-%3A) complaining about "persons[who] worked
around ext/filter with ugly hacks" and "horrible codes" that are "not
only plain stupid (to be polite) but laziness is the first cause of most
security flaws".  Good thing that Pierre edited the post "to say that
this post is not an attack against the Serendipity or flyspray
developers, I hope they don't feel offended".  Why in the world would
they feel offended?
(Pierre, btw, wrote the final version of the filter code according to
tml )

Christian's response (FlySpray's response) is at
ml "We feel the API is not very intuitive to use and may add signficant
complexity to the code, for no gain to the vast mayority of users."
Basicaly a "Better the enemy you know" argument.

With all of the different configrations available, I can sure understand
why they'd want to be in full control of the processing of the data.
Looking at the manual (http://www.php.net/filter) reveals that
"unsafe.raw" doesn't even pass in the raw code all the time. In php.ini
if you can still have filter.default set to "unsafe_raw" (or ommitted)
filter.default_flags to filter the data.  To me "RAW" indicates it would
"Do nothing" not "Do nothing, optionally strip or encode special

It's also unclear to me, though I guess easy to test, as to what happens
when "FILTER_FLAG_NO_ENCODE_QUOTES" is put into "filter.default_flags".
Does it do nothing because 
filter.default_flags applies only to the filter specified in
"filter.default" or are the flags specified in "filter.default_flags"
the defaults for ALL filters? 

I guess you need to handle encoded/nonencoded characters anyway, but it
sure would be nice to know that if you make a get call from your code,
that's the way it will look on the other side.

What a mess... I need to read this all again when I'm fresh and its not
the end of a long day...

Brian Layman 

More information about the wp-testers mailing list