author: Andrew Clayton <a.clayton@nginx.com> 2023-03-31 14:01:43 +0100
committer: Andrew Clayton <a.clayton@nginx.com> 2023-04-11 19:08:12 +0100
commit: edbc43558d40768d91b378205c2d52bd7ba9d00a
tree: 7d44a6cf516507b011123cdbb641b922186a7857
parent: 028e537bef2d007ed8b1a02857cc8e569caeea57
PHP: Make the filter_input() function work.

On GitHub, @jamesRUS52 reported that the PHP filter_input()[0] function
would just return NULL.

To enable this function we need to run the variables through the
sapi_module.input_filter() function when we call
php_register_variable_safe().

In PHP versions prior to 7.0.0, input_filter() takes 'len' as an
unsigned int, while later versions take it as a size_t.

Now, with this commit and the following PHP

    <?php

    var_dump(filter_input(INPUT_SERVER, 'REMOTE_ADDR'));
    var_dump(filter_input(INPUT_SERVER, 'REQUEST_URI'));
    var_dump(filter_input(INPUT_GET, 'get', FILTER_SANITIZE_SPECIAL_CHARS));

    ?>

you get

    $ curl 'http://localhost:8080/854.php?get=foo<>'
    string(3) "::1"
    string(18) "/854.php?get=foo<>"
    string(13) "foo&#60;&#62;"

[0]: <https://www.php.net/manual/en/function.filter-input.php>

Tested-by: <https://github.com/jamesRUS52>
Closes: <https://github.com/nginx/unit/issues/854>
Reviewed-by: Alejandro Colomar <alx@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

-rw-r--r-- src/nxt_php_sapi.c 15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/nxt_php_sapi.c b/src/nxt_php_sapi.c
index 32a13a70..ba000fc0 100644
--- a/src/nxt_php_sapi.c
+++ b/src/nxt_php_sapi.c
@@ -1532,14 +1532,23 @@ static void
nxt_php_set_sptr(nxt_unit_request_info_t *req, const char *name,
nxt_unit_sptr_t *v, uint32_t len, zval *track_vars_array TSRMLS_DC)
{
- char *str;
+ char *str;
+#if NXT_PHP7
+ size_t new_len;
+#else
+ unsigned int new_len;
+#endif
str = nxt_unit_sptr_get(v);
nxt_unit_req_debug(req, "php: register %s='%.*s'", name, (int) len, str);
- php_register_variable_safe((char *) name, str, len,
- track_vars_array TSRMLS_CC);
+ if (sapi_module.input_filter(PARSE_SERVER, (char *) name, &str, len,
+ &new_len TSRMLS_CC))
+ {
+ php_register_variable_safe((char *) name, str, new_len,
+ track_vars_array TSRMLS_CC);
+ }
}
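
Review bot: the new `if (sapi_module.input_filter(...))` in nxt_php_set_sptr() has no else branch, so a variable the filter rejects is dropped without a trace, even though the nxt_unit_req_debug() call just above has already logged "php: register %s=..." for it. Consider moving that debug line inside the success branch, or adding a second debug message for the rejected case, so a missing $_SERVER entry can be traced back to the filter. Separately, the call hardcodes PARSE_SERVER while the helper's name and its `track_vars_array` parameter read as generic; a short comment stating that this helper only registers server variables (or taking the parse type as a parameter) would prevent a later caller from filtering another array under the wrong type. It would also help to note next to `&str` that the filter is given the address of the pointer and may change it, which is why `str` and `new_len`, not the original `len`, are what get passed to php_register_variable_safe().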