From 22be806eba5dec218ec145123604376f6a5ad695 Mon Sep 17 00:00:00 2001
From: Robert Landers
Date: Wed, 18 Jun 2025 18:36:13 +0200
Subject: [PATCH 1/6] fix #1657
---
 frankenphp.c | 8 ++++----
 frankenphp_test.go | 17 +++++++++++++++++
 testdata/filter.php | 6 ++++++
 3 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 testdata/filter.php
diff --git a/frankenphp.c b/frankenphp.c
index a9cd534dc5..77c5cbc3ee 100644
--- a/frankenphp.c
+++ b/frankenphp.c
@@ -613,9 +613,9 @@ void frankenphp_register_trusted_var(zend_string *z_key, char *value,
 }
 size_t new_val_len = val_len;
- if (!should_filter_var ||
+ if ((should_filter_var &&
 sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value,
- new_val_len, &new_val_len)) {
+ new_val_len, &new_val_len)) || !should_filter_var) {
 zval z_value;
 ZVAL_STRINGL_FAST(&z_value, value, new_val_len);
 zend_hash_update_ind(ht, z_key, &z_value);
@@ -743,9 +743,9 @@ void frankenphp_register_variable_safe(char *key, char *val, size_t val_len,
 val = "";
 }
 size_t new_val_len = val_len;
- if (!should_filter_var ||
+ if ((should_filter_var &&
 sapi_module.input_filter(PARSE_SERVER, key, &val, new_val_len,
- &new_val_len)) {
+ &new_val_len)) || !should_filter_var) {
 php_register_variable_safe(key, val, new_val_len, track_vars_array);
 }
 }
diff --git a/frankenphp_test.go b/frankenphp_test.go
index 2df44ebfc5..89b187cd51 100644
--- a/frankenphp_test.go
+++ b/frankenphp_test.go
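Review bot: The rewritten condition in frankenphp_register_trusted_var, `if ((should_filter_var && sapi_module.input_filter(...)) || !should_filter_var)`, is truth-table identical to the removed `if (!should_filter_var || sapi_module.input_filter(...))`: with the flag clear the filter is still skipped, with it set the outcome is still the filter's return value, so this hunk and the matching one in frankenphp_register_variable_safe change nothing observable. If #1657 is that `filter_input(INPUT_SERVER, …)` finds nothing when no `filter.default` is configured, the skip itself looks like the cause — as far as I can tell the SAPI input filter is the hook through which ext/filter records the raw `$_SERVER` values that filter_input reads, so it has to run regardless of the flag. Removing the flag, as a later commit in this series does, is the actual fix; this intermediate rewrite could be squashed away. Both functions continue outside the hunk.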
@@ -286,6 +286,23 @@ func testInput(t *testing.T, opts *testOptions) {
 }, opts)
 }
+func TestFilterInput_module(t *testing.T) { testFilterInput(t, nil) }
+func TestFilterInput_worker(t *testing.T) {
+ testFilterInput(t, &testOptions{workerScript: "filter.php"})
+}
+func testFilterInput(t *testing.T, opts *testOptions) {
+ runTest(t, func(handler func(http.ResponseWriter, *http.Request), _ *httptest.Server, i int) {
+ req := httptest.NewRequest("GET", "http://example.com/filter.php", nil)
+ w := httptest.NewRecorder()
+ handler(w, req)
+
+ resp := w.Result()
+ body, _ := io.ReadAll(resp.Body)
+
+ assert.Equal(t, "GET", string(body))
+ }, opts)
+}
+
 func TestPostSuperGlobals_module(t *testing.T) { testPostSuperGlobals(t, nil) }
 func TestPostSuperGlobals_worker(t *testing.T) {
 testPostSuperGlobals(t, &testOptions{workerScript: "super-globals.php"})
diff --git a/testdata/filter.php b/testdata/filter.php
new file mode 100644
index 0000000000..5c1144d710
--- /dev/null
+++ b/testdata/filter.php
@@ -0,0 +1,6 @@
+
Date: Wed, 18 Jun 2025 18:43:25 +0200
Subject: [PATCH 2/6] fix lint
---
 frankenphp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/frankenphp.c b/frankenphp.c
index 77c5cbc3ee..c68fdbd05c 100644
--- a/frankenphp.c
+++ b/frankenphp.c
@@ -614,8 +614,9 @@ void frankenphp_register_trusted_var(zend_string *z_key, char *value,
 size_t new_val_len = val_len;
 if ((should_filter_var &&
- sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value,
- new_val_len, &new_val_len)) || !should_filter_var) {
+ sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value,
+ new_val_len, &new_val_len)) ||
+ !should_filter_var) {
 zval z_value;
 ZVAL_STRINGL_FAST(&z_value, value, new_val_len);
 zend_hash_update_ind(ht, z_key, &z_value);
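Review bot: In testFilterInput (frankenphp_test.go hunk at line 286) the read error from `io.ReadAll(resp.Body)` is discarded, so a failed or truncated body read would surface only as a confusing `assert.Equal` mismatch on the body; write `body, err := io.ReadAll(resp.Body)` followed by `assert.NoError(t, err)`. The callback also declares `i int` without using it — `_ int` matches the `_ *httptest.Server` parameter next to it. The recorder's body does not strictly need closing, but a `defer resp.Body.Close()` after `w.Result()` keeps the helper in the same shape as the real-client tests. The test-data file added in this commit was stripped by the page extraction, so its contents cannot be reviewed here.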
@@ -744,8 +745,9 @@ void frankenphp_register_variable_safe(char *key, char *val, size_t val_len,
 }
 size_t new_val_len = val_len;
 if ((should_filter_var &&
- sapi_module.input_filter(PARSE_SERVER, key, &val, new_val_len,
- &new_val_len)) || !should_filter_var) {
+ sapi_module.input_filter(PARSE_SERVER, key, &val, new_val_len,
+ &new_val_len)) ||
+ !should_filter_var) {
 php_register_variable_safe(key, val, new_val_len, track_vars_array);
 }
 }
From a31c7b23eaf4e6c60f01d972fc823a7fe85fd299 Mon Sep 17 00:00:00 2001
From: Robert Landers
Date: Wed, 18 Jun 2025 18:55:27 +0200
Subject: [PATCH 3/6] set a default filter option
---
 frankenphp_test.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/frankenphp_test.go b/frankenphp_test.go
index 89b187cd51..619b97cf58 100644
--- a/frankenphp_test.go
+++ b/frankenphp_test.go
@@ -291,6 +291,12 @@ func TestFilterInput_worker(t *testing.T) {
 testFilterInput(t, &testOptions{workerScript: "filter.php"})
 }
 func testFilterInput(t *testing.T, opts *testOptions) {
+ if opts == nil {
+ opts = &testOptions{}
+ }
+ opts.initOpts = append(opts.initOpts, frankenphp.WithPhpIni(map[string]string{
+ "filter.default": "string.tolower",
+ }))
 runTest(t, func(handler func(http.ResponseWriter, *http.Request), _ *httptest.Server, i int) {
 req := httptest.NewRequest("GET", "http://example.com/filter.php", nil)
 w := httptest.NewRecorder()
From edb49a6d5d6b797877001446560b304aa4ea6554 Mon Sep 17 00:00:00 2001
From: Robert Landers
Date: Sat, 21 Jun 2025 14:01:59 +0200
Subject: [PATCH 4/6] add test for _SERVER check on filter_input
---
 frankenphp.c | 19 ++++--------------
 frankenphp_test.go | 23 ++++++++++++++++++++---
 2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/frankenphp.c b/frankenphp.c
index c68fdbd05c..6592852dda 100644
--- a/frankenphp.c
+++ b/frankenphp.c
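Review bot: With `"filter.default": "string.tolower"` now injected in testFilterInput (frankenphp_test.go hunk at line 291), the assertion below is still `"GET"` against output that filter.php passes through strtoupper, so the test proves that `filter_input(INPUT_SERVER, …)` returns a value but cannot tell whether the configured default filter was applied to the request variables at all. If I read ext/filter correctly, a default filter rewrites the `$_SERVER` entry while `filter_input` with FILTER_UNSAFE_RAW returns the unfiltered copy; having the script also echo `$_SERVER['REQUEST_METHOD']` and asserting a lowercased `"get"` for that part would pin both halves of the fix. A one-line comment on the ini option, e.g. `// a default filter must not hide the raw value from filter_input(INPUT_SERVER, …)`, would make the intent of this setup visible to the next reader. The function continues outside the hunk.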
@@ -63,7 +63,6 @@ frankenphp_config frankenphp_get_config() {
 };
 }
-bool should_filter_var = 0;
 __thread uintptr_t thread_index;
 __thread bool is_worker_thread = false;
 __thread zval *os_environment = NULL;
@@ -613,10 +612,8 @@ void frankenphp_register_trusted_var(zend_string *z_key, char *value,
 }
 size_t new_val_len = val_len;
- if ((should_filter_var &&
- sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value,
- new_val_len, &new_val_len)) ||
- !should_filter_var) {
+ if (sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value,
+ new_val_len, &new_val_len)) {
 zval z_value;
 ZVAL_STRINGL_FAST(&z_value, value, new_val_len);
 zend_hash_update_ind(ht, z_key, &z_value);
@@ -744,10 +741,8 @@ void frankenphp_register_variable_safe(char *key, char *val, size_t val_len,
 val = "";
 }
 size_t new_val_len = val_len;
- if ((should_filter_var &&
- sapi_module.input_filter(PARSE_SERVER, key, &val, new_val_len,
- &new_val_len)) ||
- !should_filter_var) {
+ if (sapi_module.input_filter(PARSE_SERVER, key, &val, new_val_len,
+ &new_val_len)) {
 php_register_variable_safe(key, val, new_val_len, track_vars_array);
 }
 }
@@ -918,12 +913,6 @@ static void *php_main(void *arg) {
 frankenphp_sapi_module.startup(&frankenphp_sapi_module);
- /* check if a default filter is set in php.ini and only filter if
- * it is, this is deprecated and will be removed in PHP 9 */
- char *default_filter;
- cfg_get_string("filter.default", &default_filter);
- should_filter_var = default_filter != NULL;
- go_frankenphp_main_thread_is_ready();
 /* channel closed, shutdown gracefully */
diff --git a/frankenphp_test.go b/frankenphp_test.go
index 619b97cf58..ee620b7a1a 100644
--- a/frankenphp_test.go
+++ b/frankenphp_test.go
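Review bot: The now-unconditional `if (sapi_module.input_filter(PARSE_SERVER, ZSTR_VAL(z_key), &value, new_val_len, &new_val_len))` in frankenphp_register_trusted_var (hunk at line 613, and the same shape in frankenphp_register_variable_safe at line 744) has two consequences the code does not explain: a zero return silently drops the variable from `$_SERVER`, and `value`/`new_val_len` may be rewritten in place by the filter before being stored. A short comment would save the next reader a trip into ext/filter, e.g. `/* Always run the SAPI input filter: with ext/filter loaded it applies filter.default and records the raw value that filter_input(INPUT_SERVER, …) reads; a zero return means "do not register this variable" (#1657). */`. As far as I recall PHP's own registration paths call `sapi_module.input_filter` the same way, so a NULL hook should not be reachable once the SAPI is started, but that assumption is worth stating now that the old `!should_filter_var` short-circuit — which incidentally never dereferenced the hook when no default filter was configured — is gone. Both functions continue outside their hunks.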
@@ -286,11 +286,11 @@ func testInput(t *testing.T, opts *testOptions) {
 }, opts)
 }
-func TestFilterInput_module(t *testing.T) { testFilterInput(t, nil) }
-func TestFilterInput_worker(t *testing.T) {
+func TestFilterInputDefault_module(t *testing.T) { testFilterInput(t, nil) }
+func TestFilterInputDefault_worker(t *testing.T) {
 testFilterInput(t, &testOptions{workerScript: "filter.php"})
 }
-func testFilterInput(t *testing.T, opts *testOptions) {
+func testFilterInputDefault(t *testing.T, opts *testOptions) {
 if opts == nil {
 opts = &testOptions{}
 }
@@ -309,6 +309,23 @@ func testFilterInput(t *testing.T, opts *testOptions) {
 }, opts)
 }
+func TestFilterInput_module(t *testing.T) { testFilterInput(t, nil) }
+func TestFilterInput_worker(t *testing.T) {
+ testFilterInput(t, &testOptions{workerScript: "filter.php"})
+}
+func testFilterInput(t *testing.T, opts *testOptions) {
+ runTest(t, func(handler func(http.ResponseWriter, *http.Request), _ *httptest.Server, i int) {
+ req := httptest.NewRequest("GET", "http://example.com/filter.php", nil)
+ w := httptest.NewRecorder()
+ handler(w, req)
+
+ resp := w.Result()
+ body, _ := io.ReadAll(resp.Body)
+
+ assert.Equal(t, "GET", string(body))
+ }, opts)
+}
+
 func TestPostSuperGlobals_module(t *testing.T) { testPostSuperGlobals(t, nil) }
 func TestPostSuperGlobals_worker(t *testing.T) {
 testPostSuperGlobals(t, &testOptions{workerScript: "super-globals.php"})
From 0e0fb53b444d5a5ce2d134ed2293b0eb5560756a Mon Sep 17 00:00:00 2001
From: Robert Landers
Date: Sat, 21 Jun 2025 14:09:11 +0200
Subject: [PATCH 5/6] fix typo
---
 frankenphp_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/frankenphp_test.go b/frankenphp_test.go
index ee620b7a1a..54c7043305 100644
--- a/frankenphp_test.go
+++ b/frankenphp_test.go
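Review bot: The new testFilterInput in the hunk at line 309 duplicates the entire runTest body of testFilterInputDefault (request, recorder, `io.ReadAll`, `assert.Equal(t, "GET", …)`); the two helpers differ only in the `filter.default` ini option the Default variant prepends. Keeping one body means a future change to the request or the assertion lands in both: have testFilterInputDefault build its opts and end with `testFilterInput(t, opts)` in place of its own runTest call. Because both variants assert the same `"GET"` through strtoupper, the pair also cannot distinguish a configured default filter from none; a second echo of `$_SERVER['REQUEST_METHOD']` in filter.php would let the Default variant expect a lowercased value while the plain variant expects the raw one. The first hunk's renamed TestFilterInputDefault_* wrappers still call `testFilterInput`, which a later commit in this series corrects.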
@@ -286,9 +286,9 @@ func testInput(t *testing.T, opts *testOptions) {
 }, opts)
 }
-func TestFilterInputDefault_module(t *testing.T) { testFilterInput(t, nil) }
+func TestFilterInputDefault_module(t *testing.T) { testFilterInputDefault(t, nil) }
 func TestFilterInputDefault_worker(t *testing.T) {
- testFilterInput(t, &testOptions{workerScript: "filter.php"})
+ testFilterInputDefault(t, &testOptions{workerScript: "filter.php"})
 }
 func testFilterInputDefault(t *testing.T, opts *testOptions) {
 if opts == nil {
From bd1ec5f89aa6c649fae16d1974caebaa10b07ad8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Dunglas?=
Date: Fri, 27 Jun 2025 14:48:37 +0200
Subject: [PATCH 6/6] Update testdata/filter.php
---
 testdata/filter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testdata/filter.php b/testdata/filter.php
index 5c1144d710..b8e1d41701 100644
--- a/testdata/filter.php
+++ b/testdata/filter.php
@@ -3,4 +3,4 @@ return function () { echo strtoupper(filter_input(INPUT_SERVER, "REQUEST_METHOD", FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH) ?? "");
-};
\ No newline at end of file
+};