Newsgroups: php.internals
Date: Mon, 15 Nov 2010 15:00:21 +0100
To: Rasmus Lerdorf
Cc: Andi Gutmans, internals
Subject: Re: [PHP-DEV] Adding path_len to all stream functions in trunk
From: pierre.php@gmail.com (Pierre Joye)

hi Rasmus,

Thanks for the patch! It is great for 5.3 (this problem has been an issue for too long already).

However I would like to change the APIs in trunk accordingly, to avoid having checks in every single place where paths are used, and indeed to avoid having bugs in new code. In short, it should be done inside the respective functions.

NB: by APIs, I mean stream, Zend, TSRM and ext/standard (for the APIs usable by PHP's extensions).

Cheers,

On Mon, Nov 15, 2010 at 11:42 AM, Rasmus Lerdorf wrote:
> Ok, I went through all the 5.3 code. This should fix the null poisoning
> problems in 5.3 without breaking binary compatibility:
>
> http://progphp.com/nullpatch.txt
>
> There are quite a few places where we can't solve it centrally, so
> perhaps we need to take the same approach in trunk.
>
> This should take care of every issue mentioned here:
>
> http://www.madirish.net/?article=436
>
> along with a number of bug reports.
>
> I think the only outstanding issue with the patch is whether to show an
> error message when we hit a null in a filesystem path string. With the
> Zend part of the patch, right now the error is slightly misleading for
> code like this:
>
> $file = "foo.php\0";
> include $file . ".png";
>
> This will output:
>
> PHP Warning: include(): Failed opening 'foo.php' for inclusion
> (include_path='.:') in foo on line 3
>
> Without this patch, this code will of course simply include the foo.php
> file and ignore the .png extension.
>
> -Rasmus
>
> On 11/14/10 9:35 PM, Andi Gutmans wrote:
>> Hi Rasmus,
>>
>> Hope I understood the problem correctly. If not, this answer won't make sense :)
>> I do not see a major problem in passing path_len but wonder how much it'd actually solve as we end up calling OS APIs that do not accept path_len, no? I assume we don't want to start searching all these strings for invalid chars before we pass them to the OS.
>>
>> Andi
>>
>>> -----Original Message-----
>>> From: Rasmus Lerdorf [mailto:rasmus@lerdorf.com]
>>> Sent: Sunday, November 14, 2010 11:54 AM
>>> To: internals
>>> Subject: [PHP-DEV] Adding path_len to all stream functions in trunk
>>>
>>> I think we need to pass along the string length to all the stream functions to
>>> maintain binary string safety through this code. This would fix annoying
>>> problems like http://bugs.php.net/39863 and a bunch of similar issues.
>>> Obviously not something we can do in 5.3 without breaking binary compatibility
>>> though. Although we might be able to do something if we assume only chars
>>> valid in the current charset are valid in file paths.
>>>
>>> Anybody have any other thoughts on this one?
>>>
>>> -Rasmus

-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
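
The mismatch this thread is about, as an added example that is not part of the original messages and is not taken from nullpatch.txt or PHP's source: a length-carrying string with an embedded NUL is truncated when it reaches a NUL-terminated OS API, and a check placed inside the path-consuming function rejects it. The names `os_visible_len`, `path_is_c_safe` and `checked_fopen` are hypothetical, and the sample strings are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 12 bytes a script would pass for
 * "foo.php\0" . ".png". The length travels separately from the buffer. */
static const char POISONED[] = "foo.php\0.png";
static const char CLEAN[]    = "foo.php.png";

/* Length of the path as a NUL-terminated OS API (open, fopen, stat) sees it. */
static size_t os_visible_len(const char *path, size_t path_len)
{
    const char *nul = memchr(path, '\0', path_len);
    return nul ? (size_t)(nul - path) : path_len;
}

/* 1 when the counted string and its C-string view are the same bytes. */
static int path_is_c_safe(const char *path, size_t path_len)
{
    return os_visible_len(path, path_len) == path_len;
}

/* Hypothetical central wrapper: the check lives in the one function that
 * hands the path to the OS, so individual callers cannot forget it.
 * Assumes path[path_len] is a NUL terminator, as fopen() requires. */
static FILE *checked_fopen(const char *path, size_t path_len, const char *mode)
{
    if (path_len == 0 || !path_is_c_safe(path, path_len)) {
        errno = EINVAL;   /* refuse instead of silently truncating */
        return NULL;
    }
    return fopen(path, mode);
}

int main(void)
{
    size_t n = sizeof(POISONED) - 1;
    printf("script passed %zu bytes, OS would see %zu\n",
           n, os_visible_len(POISONED, n));
    if (!checked_fopen(POISONED, n, "r"))
        printf("rejected: %s\n", strerror(errno));
    printf("clean path accepted by check: %d\n",
           path_is_c_safe(CLEAN, sizeof(CLEAN) - 1));
    return 0;
}
```

The scan is a single `memchr` over bytes already in memory, done once at the boundary where the counted string becomes a C string.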