Newsgroups: php.internals
Date: Mon, 5 Dec 2011 00:55:18 +0800
From: laruence@php.net (Laruence)
To: Etienne Kneuss
Cc: Ferenc Kovacs, Alan Knowles, PHP Internals List
References: <4EDA4989.2010702@akbkhome.com>
Subject: Re: [PHP-DEV] Fixing string offsets of strings.

On Mon, Dec 5, 2011 at 12:39 AM, Etienne Kneuss wrote:
> Hi,
>
> On Sun, Dec 4, 2011 at 15:25, Laruence wrote:
>>
>> +1.
>>
>> thanks.
>>
>> On Sun, Dec 4, 2011 at 10:05 PM, Ferenc Kovacs wrote:
>> > On Sat, Dec 3, 2011 at 5:08 PM, Alan Knowles wrote:
>> >
>> >> I've had a look at making string offsets of strings a bit saner.
>> >>
>> >> At present with the fix for array dereferencing : ?search=hello and a
>> >> test like isset($_GET['search']['name']) results in true, which has
>> >> potential security problems and is very confusing for any programmer
>> >> finding and working out why something like that may be failing.
>> >>
>> >> To solve this quite a few people agreed that not allowing non-numeric
>> >> string offsets on strings would be the smart way to go, the change is
>> >> going to break BC, so the idea is to at least not break it too badly...
>> >>
>> >> This patch is a start.
>> >> https://bugs.php.net/patch-**display.php?bug_id=60362&**
>> >>
>> >> patch=first_effort_to_fix_**this&revision=latest
>> >>
>> >> It's been quite a while since I hacked on the engine, so the patch only
>> >> works reasonably well.. (see the FIXME on the tests at the bottom of
>> >> the patch.)
>> >>
>> >> The patch changes the following:
>> >>  * $s = "string"; $s['offset'] -- produces a warning (and returns an
>> >>    empty string)
>> >>  * $s = "string"; $s['1'] -- works as before..
>> >>  * $s = "string"; $s[true] $s[false] $s[0.1] -- give a notice (cast it
>> >>    to an int if you want to get rid of the notice) - however work as
>> >>    before.
>> >>  * changes the warning on invalid indexes to say "Uninitialized or
>> >>    invalid" rather than just "Uninitialized"
>> >>  * fixes most of the related tests
>
>
> What about other edge cases like $string['   2   '], $string['2foo']?
>
> I like the idea of the patch, I just find it a bit inconsistent for
> $s['offset'] to return an empty string while other cases of implicit
> conversions work as before. It doesn't bring much to return an empty string
> instead of the first char. I believe every case should work as before,
> throwing a notice is enough IMO.

I agree after a deep think, a notice is enough.

thanks

>
> Also, you don't mention whether your patch modifies the behavior of isset(),
> is $str = "foo"; isset($str['bar']) true or false ?
>
> Best,
>
>> >>
>> >
>> > I think that those changes are pretty much in line with the discussion
>> > that we had.
>> > Thanks for fixing this!
>> >
>> >
>> > --
>> > Ferenc Kovács
>> > @Tyr43l - http://tyrael.hu
>>
>>
>>
>> --
>> Laruence  Xinchen Hui
>> http://www.laruence.com/
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>
>
> --
> Etienne Kneuss
> http://www.colder.ch

-- 
Laruence  Xinchen Hui
http://www.laruence.com/
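
The `isset($_GET['search']['name'])` case raised in this thread, shown from the application side as an added example that is not part of the original message or of the patch: input validation that checks the type at every level, so a key is never applied to a string as a character offset whatever the engine does. The helper name `nested_string` and the sample arrays are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the patch or from PHP itself): fetch a nested
 * string from request-style input, requiring every intermediate level to be
 * an array so a key is never interpreted as a string offset.
 */
function nested_string(array $input, array $path): ?string
{
    $node = $input;
    foreach ($path as $key) {
        // is_array() rejects the "?search=hello" case, where $node is a string
        // and $node[$key] would address a character instead of an array element.
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return null;
        }
        $node = $node[$key];
    }
    // The leaf must itself be a string; a request can also send an array here.
    return is_string($node) ? $node : null;
}

// Constructed inputs standing in for $_GET (sample data, not from the thread).
$scalar = ['search' => 'hello'];                // as sent by ?search=hello
$nested = ['search' => ['name' => 'example']];  // as sent by ?search[name]=example

// 'search' holds a string, so the lookup stops before 'name' is applied to it.
var_dump(nested_string($scalar, ['search', 'name']));

// Numeric keys are the case the message says keeps working ($s['1']), so this
// path is rejected by the is_array() check, not by the offset rules.
var_dump(nested_string($scalar, ['search', '1']));

// Every level is an array and the leaf is a string: the value is returned.
var_dump(nested_string($nested, ['search', 'name']));
```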