Newsgroups: php.internals
Date: Sun, 4 Dec 2011 15:05:02 +0100
To: Alan Knowles
Cc: PHP Internals List
Subject: Re: [PHP-DEV] Fixing string offsets of strings.
From: tyra3l@gmail.com (Ferenc Kovacs)

On Sat, Dec 3, 2011 at 5:08 PM, Alan Knowles wrote:

> I've had a look at making string offsets of strings a bit saner.
>
> At present with the fix for array dereferencing : ?search=hello and a
> test like isset($_GET['search']['name']) results in true, which has
> potential security problems and is very confusing for any programmer
> finding and working out why something like that may be failing.
>
> To solve this quite a few people agreed that not allowing non-numeric
> string offsets on strings would be the smart way to go, the change is going
> to break BC, so the idea is to at least not break it too badly...
>
> This patch is a start.
> https://bugs.php.net/patch-display.php?bug_id=60362&patch=first_effort_to_fix_this&revision=latest
>
> It's been quite a while since I hacked on the engine, so the patch only
> works reasonably well.. (see the FIXME on the tests at the bottom of the
> patch.)
>
> The patch changes the following:
> * $s = "string"; $s['offset'] -- produces a warning (and returns an
>   empty string)
> * $s = "string"; $s['1'] -- works as before..
> * $s = "string"; $s[true] $s[false] $s[0.1] -- give a notice (cast it to
>   an int if you want to get rid of the notice) - however work as before.
> * changes the warning on invalid indexes to say "Uninitialized or
>   invalid" rather than just "Uninitialized"
> * fixes most of the related tests
>

I think that those changes are pretty much in line with the discussion that
we had.
Thanks for fixing this!

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
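
Added example, not part of the original message or of the patch: a way for application code to test a nested request parameter without relying on how the engine treats string offsets. The helper name nested_param() and the sample arrays are assumptions made for illustration; the arrays stand in for $_GET when the client sends ?search=hello instead of ?search[name]=hello.

```php
<?php
// Constructed inputs standing in for $_GET (not taken from the thread):
//   ?search=hello        gives a plain string under 'search'
//   ?search[name]=hello  gives a nested array under 'search'
$scalar = ['search' => 'hello'];
$nested = ['search' => ['name' => 'hello']];

/**
 * Hypothetical helper: walk $path through $input and return the value only
 * when every intermediate level is a real array that contains the key.
 * A string met on the way is never indexed, so neither a non-numeric
 * offset ('name') nor a numeric one ('1') can resolve to a character.
 */
function nested_param(array $input, array $path)
{
    $cur = $input;
    foreach ($path as $key) {
        if (!is_array($cur) || !array_key_exists($key, $cur)) {
            return null; // missing key, or a scalar where an array was expected
        }
        $cur = $cur[$key];
    }
    return $cur;
}

// 'search' is a string here, so the lookup is rejected instead of being
// treated as a string offset.
var_dump(nested_param($scalar, ['search', 'name']));

// Genuine nested array: the value is returned.
var_dump(nested_param($nested, ['search', 'name']));

// The list in the quoted message keeps $s['1'] working as before, so a bare
// isset() on a numeric-looking key still succeeds against a string.
var_dump(isset($scalar['search']['1']));

// The helper rejects that case as well, because 'search' is not an array.
var_dump(nested_param($scalar, ['search', '1']));
```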