php 5.2.1 PHP_SELF is safe now?


Post by jmut »

Hi folks,

Decided to spend some time today just to read the latest PHP changelog.

http://www.php.net/ChangeLog-5.php#5.2.1

There is a line saying
"Make sure PHP_SELF is filtered in Apache 1 sapi."

Maybe I am wrong, but does that mean that with Apache 1 and PHP 5 the 'PHP_SELF' server variable is now safe?

Post by Mordred »

Filtered how?
Safe for doing what?

PHP_SELF contains user-controlled data and should always be treated as user input.

The change in the log probably refers to some internal "filtering", meaning nothing was changed when looked at from the outside.

Edit: Wait, it looks like it is about a change in the "Filter Extension", meaning this: http://pecl.php.net/package/filter
So this only affects you if you use this extension.

Strange, as I go over the API, I don't see a possibility of not filtering PHP_SELF, as you always specify the input array AND the index in it:

$foo = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_SPECIAL_CHARS);
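
The point made in the thread, as an added example that is not part of either post: PHP_SELF written raw into a form's action attribute, next to three handled versions. The `/form.php` path, the function names and the sample PHP_SELF value are constructed for illustration, and `$server` stands in for `$_SERVER` so the script runs from the CLI.

```php
<?php
// Added example, not code from the thread. All values below are constructed.
$server = [
    // Script name followed by path info appended by the client.
    'PHP_SELF'    => '/form.php/"><b>injected</b>',
    'SCRIPT_NAME' => '/form.php',
];

// Before: the raw value is written straight into an HTML attribute.
function action_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// After (1): escape for the HTML attribute context at output time.
function action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// After (2): the same filter the thread passes to filter_input(), applied with
// filter_var() because the value here comes from an array, not a live request.
function action_filtered(array $server): string
{
    $self = filter_var($server['PHP_SELF'], FILTER_SANITIZE_SPECIAL_CHARS);
    return '<form action="' . $self . '" method="post">';
}

// After (3): SCRIPT_NAME carries no path info; it is still escaped on output.
function action_script_name(array $server): string
{
    $name = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// The markup is intact only if the <form> tag is the single tag in the output.
function markup_intact(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

foreach (['action_raw', 'action_escaped', 'action_filtered', 'action_script_name'] as $fn) {
    $html = $fn($server);
    printf("%-20s intact=%s  %s\n", $fn, markup_intact($html) ? 'yes' : 'no', $html);
}
```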