PHP: Make the filter_input() function work.

On GitHub, @jamesRUS52 reported that the PHP filter_input()[0] function would just return NULL. To enable this function we need to run the variables through the sapi_module.input_filter() function when we call php_register_variable_safe(). In PHP versions prior to 7.0.0, input_filter() takes 'len' as an unsigned int, while later versions take it as a size_t. Now, with this commit and the following PHP <?php var_dump(filter_input(INPUT_SERVER, 'REMOTE_ADDR')); var_dump(filter_input(INPUT_SERVER, 'REQUEST_URI')); var_dump(filter_input(INPUT_GET, 'get', FILTER_SANITIZE_SPECIAL_CHARS)); ?> you get $ curl 'http://localhost:8080/854.php?get=foo<>' string(3) "::1" string(18) "/854.php?get=foo<>" string(13) "foo<>" [0]: <https://www.php.net/manual/en/function.filter-input.php> Tested-by: <https://github.com/jamesRUS52> Closes: <https://github.com/nginx/unit/issues/854> Reviewed-by: Alejandro Colomar <alx@nginx.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2023-03-31 14:01:43 +01:00
parent 028e537bef
commit edbc43558d
1 changed files with 12 additions and 3 deletions
--- a/src/nxt_php_sapi.c
+++ b/src/nxt_php_sapi.c
@@ -1533,13 +1533,22 @@ nxt_php_set_sptr(nxt_unit_request_info_t *req, const char *name,
    nxt_unit_sptr_t *v, uint32_t len, zval *track_vars_array TSRMLS_DC)
 {
    char          *str;
+#if NXT_PHP7
+    size_t        new_len;
+#else
+    unsigned int  new_len;
+#endif

    str = nxt_unit_sptr_get(v);

    nxt_unit_req_debug(req, "php: register %s='%.*s'", name, (int) len, str);

-    php_register_variable_safe((char *) name, str, len,
+    if (sapi_module.input_filter(PARSE_SERVER, (char *) name, &str, len,
+                                 &new_len TSRMLS_CC))
+    {
+        php_register_variable_safe((char *) name, str, new_len,
                                   track_vars_array TSRMLS_CC);
+    }
 }