Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:31152 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76437 invoked by uid 1010); 21 Jul 2007 19:57:35 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 76421 invoked from network); 21 Jul 2007 19:57:35 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Jul 2007 19:57:35 -0000 Authentication-Results: pb1.pair.com smtp.mail=mattias@secweb.se; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=mattias@secweb.se; sender-id=unknown Received-SPF: error (pb1.pair.com: domain secweb.se from 209.59.210.219 cause and error) X-PHP-List-Original-Sender: mattias@secweb.se X-Host-Fingerprint: 209.59.210.219 swx.se Linux 2.6 Received: from [209.59.210.219] ([209.59.210.219:50922] helo=swx.se) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 36/60-05382-D2562A64 for ; Sat, 21 Jul 2007 15:57:35 -0400 Received: by swx.se (Postfix, from userid 1000) id 59CE23D15F3; Sat, 21 Jul 2007 21:57:31 +0200 (CEST) Date: Sat, 21 Jul 2007 21:57:31 +0200 To: internals@lists.php.net Message-ID: <20070721195731.GA29719@swx.se> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="ZGiS0Q5IWpPtfppv" Content-Disposition: inline User-Agent: Mutt/1.5.13 (2006-08-11) Subject: [PATCH] str_pad allows pad_length to be negative 
From: mattias@secweb.se (Mattias Bengtsson) --ZGiS0Q5IWpPtfppv Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline As stated in the manual for str_pad() "If the value of pad_length is negative or less than the length of the input string, no padding takes place.". By using a very low negative value it is possible to bypass the check. Please see attachment. Cheers, Mattias Bengtsson --ZGiS0Q5IWpPtfppv Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="str_pad.patch.txt" Content-Transfer-Encoding: quoted-printable Index: ext/standard/string.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /repository/php-src/ext/standard/string.c,v retrieving revision 1.445.2.14.2.63 diff -u -a -r1.445.2.14.2.63 string.c --- ext/standard/string.c 6 Jun 2007 21:53:54 -0000 1.445.2.14.2.63 +++ ext/standard/string.c 21 Jul 2007 19:47:03 -0000 @@ -4741,7 +4741,7 @@ =20 /* If resulting string turns out to be shorter than input string, we simply copy the input and return. */ - if (num_pad_chars < 0) { + if (Z_LVAL_PP(pad_length) < 0 || num_pad_chars < 0) { RETURN_ZVAL(*input, 1, 0); } =20 Index: ext/standard/tests/strings/str_pad.phpt =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /repository/php-src/ext/standard/tests/strings/str_pad.phpt,v retrieving revision 1.1.2.4 diff -u -a -r1.1.2.4 str_pad.phpt --- ext/standard/tests/strings/str_pad.phpt 7 May 2007 22:30:16 -0000 1.1.2= =2E4 +++ ext/standard/tests/strings/str_pad.phpt 21 Jul 2007 19:47:03 -0000 
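Review bot: The added `Z_LVAL_PP(pad_length) < 0` test runs only after `num_pad_chars` has already been computed, so the wrapping subtraction still executes for a very low `pad_length` before the guard rejects it. That computation is outside this hunk, and presumably it is `pad_length` minus the input length; if so, the overflow is undefined behaviour in C and should be prevented rather than detected afterwards. Comparing the operands before subtracting does that and keeps the documented behaviour: `if (Z_LVAL_PP(pad_length) < Z_STRLEN_PP(input)) { RETURN_ZVAL(*input, 1, 0); }`, placed ahead of the subtraction. The large positive end deserves the same look, since any later size arithmetic that adds `num_pad_chars` to the input length (not visible here) could wrap for a huge `pad_length`. The function body starts and ends outside the hunk.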
@@ -30,6 +30,7 @@
 );
 /* different pad_lengths */
 $pad_lengths =3D array(
+ -2147483648, // very low negative value
 -1, // negative value
 0, // pad_length < sizeof(input_string)
 9, // pad_length <=3D sizeof(input_string)
@@ -101,6 +102,11 @@
 string(9) "variation"
 string(9) "variation"
 string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
 string(10) "variation "
 string(10) "variation=3D"
 string(10) "=3Dvariation"
@@ -121,6 +127,11 @@
 string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
 string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
 string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
+string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
+string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
+string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
+string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
+string(5) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
 string(9) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD "
 string(9) "=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=00=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD"
@@ -146,6 +157,11 @@
 string(0) ""
 string(0) ""
 string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
 string(9) " "
 string(9) "=3D=3D=3D=3D=3D=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=3D=3D=3D=3D=3D"
@@ -171,6 +187,11 @@
 string(0) ""
 string(0) ""
 string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
 string(9) " "
 string(9) "=3D=3D=3D=3D=3D=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=3D=3D=3D=3D=3D"
@@ -196,6 +217,11 @@
 string(1) "1"
 string(1) "1"
 string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
 string(9) "1 "
 string(9) "1=3D=3D=3D=3D=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=3D=3D=3D=3D1"
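Review bot: The new `-2147483648` entry in `$pad_lengths` is the lowest integer only on builds where the C `long` is 32 bits. On 64-bit builds subtracting the input length from it does not wrap, so the case would pass there even without the string.c fix and does not guard against a regression. Deriving the value from the platform exercises the boundary everywhere: `-PHP_INT_MAX - 1, // lowest integer on this platform`. The expected output stays the same, because the input string is returned unchanged for every negative length.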
@@ -221,6 +247,11 @@
 string(2) "15"
 string(2) "15"
 string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
 string(9) "15 "
 string(9) "15=3D=3D=3D=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=3D=3D=3D15"
@@ -246,6 +277,11 @@
 string(5) "15.55"
 string(5) "15.55"
 string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
 string(9) "15.55 "
 string(9) "15.55=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D15.55"
@@ -271,6 +307,11 @@
 string(4) "2990"
 string(4) "2990"
 string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
 string(9) "2990 "
 string(9) "2990=3D=3D=3D=3D=3D"
 string(9) "=3D=3D=3D=3D=3D2990"
--ZGiS0Q5IWpPtfppv--