Seems like a good change +1.
On Sun, Dec 4, 2011 at 7:55 AM, Alan Knowles wrote:
This is ready for review now.

https://bugs.php.net/patch-display.php?bug=60362&patch=fix_disabling_bad_string_offsets&revision=1323002696

This resolves the worst behavior changes introduced by the dereferencing of
strings fix.
https://bugs.php.net/bug.php?id=60362

All tests (in Zend/tests) pass (after they have been modified to suit the
change)

Please review / comment...

Regards
Alan


On Sunday, December 04, 2011 12:08 AM, Alan Knowles wrote:

I've had a look at making string offsets of strings a bit saner.

At present with the fix for array dereferencing: ?search=hello and a
test like isset($_GET['search']['name']) results in true, which has
potential security problems and is very confusing for any programmer finding
and working out why something like that may be failing.

To solve this quite a few people agreed that not allowing non-numeric
string offsets on strings would be the smart way to go, the change is going
to break BC, so the idea is to at least not break it too badly...

This patch is a start.

https://bugs.php.net/patch-display.php?bug_id=60362&patch=first_effort_to_fix_this&revision=latest

It's been quite a while since I hacked on the engine, so the patch only
works reasonably well.. (see the FIXME on the tests at the bottom of the
patch.)

The patch changes the following:
* $s = "string";  $s['offset'] -- produces a warning (and returns an
empty string)
* $s = "string";  $s['1'] -- works as before..
* $s = "string";  $s[true] $s[false] $s[0.1] -- give a notice (cast it to
an int if you want to get rid of the notice) - however work as before.
* changes the warning on invalid indexes to say "Uninitialized or
invalid" rather than just "Uninitialized"
* fixes most of the related tests

I would appreciate if someone with better engine knowledge would have a
look and work out what the "BAD" usage should return.

In theory.. the fetch_dim behavior should be to return an empty string if an
invalid offset is used, or an uninitialized zval if ISSET is calling it.

Regards
Alan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
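
An added illustration, not part of the thread or of the patch it discusses: application code can avoid depending on the engine's string-offset rules by refusing to index into request data that is not an array. The function name `nested_param` and the sample arrays are hypothetical and constructed for this example.

```php
<?php
// Added example (not from the thread): walk a nested path through request
// data and refuse to index into anything that is not an array.
// nested_param() is a hypothetical helper name.
function nested_param(array $input, array $path)
{
    $node = $input;
    foreach ($path as $key) {
        // A scalar such as "hello" must never be treated as a container.
        // Without this check, $node['name'] on a string becomes a
        // string-offset access, whose result is what the thread is about.
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return null;
        }
        $node = $node[$key];
    }
    return $node;
}

// Constructed inputs standing in for $_GET.
$scalar = array('search' => 'hello');                   // ?search=hello
$nested = array('search' => array('name' => 'widget')); // ?search[name]=widget

// The bare check from the thread: its result on $scalar depends on how the
// running engine treats a non-numeric offset on a string.
var_dump(isset($scalar['search']['name']));

// The explicit check does not depend on that: the scalar case is rejected
// because 'hello' is not an array, and the nested case yields the value.
var_dump(nested_param($scalar, array('search', 'name')));
var_dump(nested_param($nested, array('search', 'name')));
```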
