Debian Bug report logs - #730094
[php5-cgi] filter-input not working with INPUT_SERVER

version graph

Package: php5-cgi; Maintainer for php5-cgi is (unknown);

Reported by: Christoph Mühlmann <christoph@nagnag.de>

Date: Thu, 21 Nov 2013 10:00:07 UTC

Severity: normal

Found in version php5/5.4.4-14+deb7u5

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#730094; Package php5-cgi. (Thu, 21 Nov 2013 10:00:11 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Mühlmann <christoph@nagnag.de>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 21 Nov 2013 10:00:11 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christoph Mühlmann <christoph@nagnag.de>
To: submit@bugs.debian.org
Subject: [php5-cgi] filter-input not working with INPUT_SERVER
Date: Thu, 21 Nov 2013 10:53:26 +0100
Package: php5-cgi
Version: 5.4.4-14+deb7u5
Severity: normal

--- Please enter the report below this line. ---
Dear Maintainer,

when using the filter_input function from php5-cgi with INPUT_SERVER,
the return value == false always.
This doesn't depend on the used filter (unsafe-raw in the following
example) or Variable (server-name).

    $input = filter_input(INPUT_SERVER, "SERVER_NAME",
FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);
    var_dump($input);
    var_dump($_SERVER["SERVER_NAME"]);

output:
    boolean false
    string 'localhost' (length=9)

there are some similar bug reports on bugs.php.net:
- https://bugs.php.net/bug.php?id=44779 (closed & fixed)
- https://bugs.php.net/bug.php?id=49184 (verified)

With INPUT_ENV, a similar behaviour seems to occur (I found some reports
about that, but did not check this by myself)

a possible example for a workaround is:

    if (filter_has_var(INPUT_SERVER, "SERVER_NAME")) {
        $servername = filter_input(INPUT_SERVER, "SERVER_NAME",
FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);
    } else {
        if (isset($_SERVER["SERVER_NAME"]))
            $servername = filter_var($_SERVER["SERVER_NAME"],
FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);
        else
            $servername = null;
    }

output:
    string 'localhost' (length=9)


with regards,

Christoph


--- System information. ---
Architecture: amd64
Kernel: Linux 3.10-0.bpo.3-amd64

Debian Release: 7.2
500 wheezy-backports mozilla.debian.net
500 stable www.deb-multimedia.org
500 stable repo.wuala.com
500 stable qgis.org
500 stable dl.google.com
500 stable debian.mirror.lrz.de
500 proposed-updates debian.mirror.lrz.de
100 wheezy-backports debian.mirror.lrz.de

--- Package information. ---
Depends (Version) | Installed
========================================-+-====================
libbz2-1.0 | 1.0.6-4
libc6 (>= 2.11) |
libcomerr2 (>= 1.01) |
libdb5.1 |
libgssapi-krb5-2 (>= 1.6.dfsg.2) |
libk5crypto3 (>= 1.6.dfsg.2) |
libkrb5-3 (>= 1.6.dfsg.2) |
libonig2 (>= 5.2.0) |
libpcre3 (>= 8.10) |
libqdbm14 (>= 1.8.74) |
libssl1.0.0 (>= 1.0.0) |
libxml2 (>= 2.8.0) |
zlib1g (>= 1:1.1.4) |
mime-support |
php5-common (= 5.4.4-14+deb7u5) |
libmagic1 |
ucf |
tzdata |


Package's Recommends field is empty.

Suggests (Version) | Installed
=======================-+-===========
php-pear | 5.4.4-14+deb7u5

Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Wed, 27 Jan 2016 11:45:16 GMT) (full text, mbox, link).

Notification sent to Christoph Mühlmann <christoph@nagnag.de>:
Bug acknowledged by developer. (Wed, 27 Jan 2016 11:45:16 GMT) (full text, mbox, link).

Message #10 received at 730094-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: 730094-done@bugs.debian.org, 737688-done@bugs.debian.org, 759698-done@bugs.debian.org, 766972-done@bugs.debian.org
Subject: Closing the non-security bugs against PHP in Debian wheezy (old-stable)
Date: Wed, 27 Jan 2016 12:42:34 +0100
Version: php5/5.6.0+dfsg-1

Feel free to reopen the bugs, if you can reproduce those against current
Debian stable PHP version (5.6.17+).

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Feb 2016 07:37:43 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:45:19 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.