From: Rasmus Lerdorf Date: Wed, 31 Mar 2010 22:59:09 +0000 (+0000) Subject: full_special_chars filter from trunk - approved by johannes X-Git-Tag: php-5.3.3RC1~357 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a5b5743d71fbd5ae944469a1ca443a1cdb30663a;p=php full_special_chars filter from trunk - approved by johannes --- diff --git a/NEWS b/NEWS index 0f773ee239..8018b0aa53 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ PHP NEWS - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas) +- Added full_special_chars filter to ext/filter (Rasmus) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) diff --git a/ext/filter/filter.c b/ext/filter/filter.c index e417e5d9d8..2ffe70499b 100644 --- a/ext/filter/filter.c +++ b/ext/filter/filter.c @@ -52,6 +52,7 @@ static const filter_list_entry filter_list[] = { { "stripped", FILTER_SANITIZE_STRING, php_filter_string }, { "encoded", FILTER_SANITIZE_ENCODED, php_filter_encoded }, { "special_chars", FILTER_SANITIZE_SPECIAL_CHARS, php_filter_special_chars }, + { "full_special_chars", FILTER_SANITIZE_FULL_SPECIAL_CHARS, php_filter_full_special_chars }, { "unsafe_raw", FILTER_UNSAFE_RAW, php_filter_unsafe_raw }, { "email", FILTER_SANITIZE_EMAIL, php_filter_email }, { "url", FILTER_SANITIZE_URL, php_filter_url }, @@ -238,6 +239,7 @@ PHP_MINIT_FUNCTION(filter) REGISTER_LONG_CONSTANT("FILTER_SANITIZE_STRIPPED", FILTER_SANITIZE_STRING, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FILTER_SANITIZE_ENCODED", FILTER_SANITIZE_ENCODED, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FILTER_SANITIZE_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FILTER_SANITIZE_EMAIL", FILTER_SANITIZE_EMAIL, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FILTER_SANITIZE_URL", FILTER_SANITIZE_URL, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("FILTER_SANITIZE_NUMBER_INT", FILTER_SANITIZE_NUMBER_INT, CONST_CS | CONST_PERSISTENT); diff --git a/ext/filter/filter_private.h b/ext/filter/filter_private.h index aaecbdc28e..249319637f 100644 --- a/ext/filter/filter_private.h +++ b/ext/filter/filter_private.h @@ -78,7 +78,8 @@ #define FILTER_SANITIZE_NUMBER_INT 0x0207 #define FILTER_SANITIZE_NUMBER_FLOAT 0x0208 #define FILTER_SANITIZE_MAGIC_QUOTES 0x0209 -#define FILTER_SANITIZE_LAST 0x0209 +#define FILTER_SANITIZE_FULL_SPECIAL_CHARS 0x020a +#define FILTER_SANITIZE_LAST 0x020a #define FILTER_SANITIZE_ALL 0x0200 diff --git a/ext/filter/php_filter.h b/ext/filter/php_filter.h index 1779e45521..d625b625cf 100644 --- a/ext/filter/php_filter.h +++ b/ext/filter/php_filter.h @@ -28,6 +28,7 @@ #include "php_ini.h" #include "ext/standard/info.h" #include "ext/standard/php_string.h" +#include "ext/standard/html.h" #include "php_variables.h" extern zend_module_entry filter_module_entry; @@ -81,6 +82,7 @@ void php_filter_validate_ip(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL); +void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL); void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL); diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c index e610d1faa7..c44d7a8e55 100644 --- a/ext/filter/sanitizing_filters.c +++ b/ext/filter/sanitizing_filters.c @@ -242,6 +242,24 @@ void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL) } /* }}} */ +/* {{{ php_filter_full_special_chars */ +void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL) +{ + char *buf; + int len, quotes; + + if (!(flags & FILTER_FLAG_NO_ENCODE_QUOTES)) { + quotes = ENT_QUOTES; + } else { + quotes = ENT_NOQUOTES; + } + buf = php_escape_html_entities_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), &len, 1, quotes, SG(default_charset), 0 TSRMLS_CC); + efree(Z_STRVAL_P(value)); + Z_STRVAL_P(value) = buf; + Z_STRLEN_P(value) = len; +} +/* }}} */ + /* {{{ php_filter_unsafe_raw */ void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL) { @@ -266,6 +284,8 @@ void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL) } /* }}} */ + + /* {{{ php_filter_email */ #define SAFE "$-_.+" #define EXTRA "!*'(),"