Hi!

As far as I can see, bug 39863 was fixed in 5.3, but the fix is still not
in trunk/5.4.
Should we merge the same patch into trunk/5.4, or is somebody
volunteering to fix it, e.g. as described here:
http://news.php.net/php.internals/50191?
See also the discussion about it:
http://www.serverphorums.com/read.php?7,230402
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

  • Pierre Joye at Jun 5, 2011 at 10:15 am
    hi,

    Apparently not, it was not fixed in trunk.

    There was a discussion about using zend_arg for paths and an additional
    function or macros to be used instead of duplicating the tests
    everywhere. But no consensus or agreement has been reached.

    Cheers,
    On Sun, Jun 5, 2011 at 10:25 AM, Stas Malyshev wrote:
    Hi!

    As far as I can see, bug 39863 was fixed in 5.3, but the fix is still not in
    trunk/5.4.
    Should we merge the same patch into trunk/5.4, or is somebody volunteering to
    fix it, e.g. as described here: http://news.php.net/php.internals/50191?
    See also the discussion about it:
    http://www.serverphorums.com/read.php?7,230402
    --
    Stanislav Malyshev, Software Architect
    SugarCRM: http://www.sugarcrm.com/
    (408)454-6900 ext. 227

    --
    PHP Internals - PHP Runtime Development Mailing List
    To unsubscribe, visit: http://www.php.net/unsub.php


    --
    Pierre

    @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
  • Felipe Pena at Jun 5, 2011 at 12:47 pm
    Hi,

    2011/6/5 Pierre Joye <pierre.php@gmail.com>
    hi,

    Apparently not, it was not fixed in trunk.

    There was a discussion about using zend_arg for paths and an additional
    function or macros to be used instead of duplicating the tests
    everywhere. But no consensus or agreement has been reached.
    Should http://felipe.ath.cx/diff/parse_arg_null_path.diff be enough (beyond
    changing other functions' parse args, fixing the tests, and the include+require
    part)?

    $ sapi/cli/php -r 'fopen("a\0b", "r");'

    Warning: fopen() expects parameter 1 to be valid path, string given in
    Command line code on line 1


    Thanks.

    --
    Regards,
    Felipe Pena
  • Stas Malyshev at Jun 5, 2011 at 7:09 pm
    Hi!
    Should http://felipe.ath.cx/diff/parse_arg_null_path.diff be enough
    (beyond changing other functions' parse args, fixing the tests, and the
    include+require part)?

    $ sapi/cli/php -r 'fopen("a\0b", "r");'

    Warning: fopen() expects parameter 1 to be valid path, string given in
    Command line code on line 1
    This should be applied not only to fopen but to any function that does
    anything with filenames (and include/require/etc. also, I guess).

    --
    Stanislav Malyshev, Software Architect
    SugarCRM: http://www.sugarcrm.com/
    (408)454-6900 ext. 227
  • Felipe Pena at Jun 5, 2011 at 7:14 pm
    2011/6/5 Stas Malyshev <smalyshev@sugarcrm.com>
    Hi!


    Should http://felipe.ath.cx/diff/parse_arg_null_path.diff be enough
    (beyond changing other functions' parse args, fixing the tests, and the
    include+require part)?

    $ sapi/cli/php -r 'fopen("a\0b", "r");'

    Warning: fopen() expects parameter 1 to be valid path, string given in
    Command line code on line 1
    This should be applied not only to fopen but to any function that does
    anything with filenames (and include/require/etc. also, I guess).
    Of course, I was just checking if it's what you guys are thinking first.

    --
    Regards,
    Felipe Pena
  • Pierre Joye at Jun 5, 2011 at 7:18 pm

    On Sun, Jun 5, 2011 at 9:13 PM, Felipe Pena wrote:
    2011/6/5 Stas Malyshev <smalyshev@sugarcrm.com>
    Hi!
    Should http://felipe.ath.cx/diff/parse_arg_null_path.diff be enough
    (beyond changing other functions' parse args, fixing the tests, and the
    include+require part)?

    $ sapi/cli/php -r 'fopen("a\0b", "r");'

    Warning: fopen() expects parameter 1 to be valid path, string given in
    Command line code on line 1
    This should be applied not only to fopen but to any function that does
    anything with filenames (and include/require/etc. also, I guess).
    Of course, I was just checking if it's what you guys are thinking first.
    Yes, that's the idea: to add an argument for zend_parse and a
    function/macro for other areas.

    Cheers,
  • Stas Malyshev at Jun 5, 2011 at 7:19 pm
    Hi!
    Of course, I was just checking if it's what you guys are thinking first.
    Well, there were basically two ideas:
    1. Add filename length to streams and check inside streams
    2. Check inside argument parser

    Both have downsides: (1) does not capture cases when we don't use
    streams (such as direct stat/touch/etc functions), (2) doesn't cover the
    case when stream is manipulated through a string not coming directly
    from a function argument (e.g. include, but may be other cases with
    extensions). So, ideally, it'd be nice to have both - or something third
    that I didn't think of - but any of them is better than nothing.
    (1) seems to be easier and less disruptive, provided that we cover
    include case separately and locate all functions that deal with filenames.
    --
    Stanislav Malyshev, Software Architect
    SugarCRM: http://www.sugarcrm.com/
    (408)454-6900 ext. 227
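    As an added illustration (not code from this thread or from PHP's own source), the C sketch below models the two check locations Stas describes. The helper names `path_has_embedded_nul`, `parse_path_arg` and `stream_open_checked` are hypothetical; the point is that a PHP string carries an explicit length, so a NUL byte before that length is detectable, whereas the C file APIs only ever see the bytes up to the first NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return 1 if the path contains a NUL byte before
 * its declared end, i.e. a C string API would silently truncate it. */
int path_has_embedded_nul(const char *path, size_t len)
{
    return memchr(path, '\0', len) != NULL;
}

/* Approach (2) from the thread: reject at argument parsing time.
 * Returns 0 on success, -1 if the argument is not a valid path. */
int parse_path_arg(const char *arg, size_t len, const char **out)
{
    if (path_has_embedded_nul(arg, len)) {
        fprintf(stderr, "expects parameter to be a valid path, string given\n");
        return -1;
    }
    *out = arg;
    return 0;
}

/* Approach (1) from the thread: carry the length into the stream layer
 * and check there, which also covers paths that do not come straight
 * from a function argument (e.g. include). Returns 0 or -1. */
int stream_open_checked(const char *path, size_t len)
{
    if (path_has_embedded_nul(path, len)) {
        return -1;
    }
    /* a real implementation would open the file here; after the check,
     * strlen(path) == len is guaranteed, so nothing is truncated */
    return 0;
}

/* What a length-unaware C layer sees: "a\0b" is just "a". */
size_t c_visible_length(const char *path)
{
    return strlen(path);
}

int main(void)
{
    const char bad[] = "a\0b";  /* constructed input: 3 bytes plus terminator */
    const char *out = NULL;
    printf("C sees %zu byte(s) of a 3-byte path\n", c_visible_length(bad));
    printf("argument parser: %d\n", parse_path_arg(bad, 3, &out));
    printf("stream layer:    %d\n", stream_open_checked(bad, 3));
    return 0;
}
```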
  • Felipe Pena at Jun 6, 2011 at 9:53 pm
    Hi,

    2011/6/5 Stas Malyshev <smalyshev@sugarcrm.com>
    Hi!


    Of course, I was just checking if it's what you guys are thinking first.
    Well, there were basically two ideas:
    1. Add filename length to streams and check inside streams
    2. Check inside argument parser

    Both have downsides: (1) does not capture cases when we don't use streams
    (such as direct stat/touch/etc functions), (2) doesn't cover the case when
    stream is manipulated through a string not coming directly from a function
    argument (e.g. include, but may be other cases with extensions). So,
    ideally, it'd be nice to have both - or something third that I didn't think
    of - but any of them is better than nothing.
    (1) seems to be easier and less disruptive, provided that we cover include
    case separately and locate all functions that deal with filenames.
    Ok, I've committed in 5.4 and trunk the argument parser part.

    Now I need to fix some tests and try to find other places needing
    related checks.


    Thanks.

    --
    Regards,
    Felipe Pena
  • Stas Malyshev at Jun 6, 2011 at 10:49 pm
    Hi!
    Ok, I've committed in 5.4 and trunk the argument parser part.

    Now I need to fix some tests and try to find other places needing
    related checks.
    Thanks for fixing it!

    --
    Stanislav Malyshev, Software Architect
    SugarCRM: http://www.sugarcrm.com/
    (408)454-6900 ext. 227

Discussion Overview
group: php-internals @ php.net
categories: php
posted: Jun 5, '11 at 8:25a
active: Jun 6, '11 at 10:49p
posts: 9
users: 3