Hi all,
Is there a zend_string usage guideline?
I'm wondering whether zend_string is used where it is appropriate.
Once we release PHP7, adopting zend_string for PHPAPI functions becomes
difficult.
(We have to keep the legacy API, or it will be a headache for 3rd party
module authors if we change this in a minor version.)
Has the evaluation of all PHPAPI functions that have a "char *" parameter
finished?
If not, we had better do this now, at least for core functions.
From the LXR output, it seems there are a number of core functions that may
use zend_string.
http://lxr.php.net/search?q=PHPAPI&defs=&refs=&path=&hist=&project=PHP_TRUNK
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
I looked into the list quickly to see which functions may be better off
using zend_string.
I picked out functions that may have a problem with null bytes in char *.
This is NOT an exhaustive list, but a partial list. I didn't check all
function definitions or their usage.
http://lxr.php.net/xref/PHP_TRUNK/ext/standard/php_var.h#57
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#33
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#34
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#35
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#36
http://lxr.php.net/xref/PHP_TRUNK/main/php_main.h#51
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#233
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#236
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#252
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#308
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#29
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#30
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#31
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#33
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#34
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#35
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#47
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#51
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#53
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#565
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#566
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#567
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#568
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#569
http://lxr.php.net/xref/PHP_TRUNK/main/php.h#283
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#29
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#30
http://lxr.php.net/xref/PHP_TRUNK/ext/standard/basic_functions.h#148
http://lxr.php.net/xref/PHP_TRUNK/ext/standard/basic_functions.h#149
We have input parameter validation for null bytes with ZPP. However, the
source of a string may be a database, file, network, etc., i.e. strings may
be passed without the ZPP null byte check. There is a potential risk that
a null byte injection attack may work. With zend_string, the length/null
byte could be checked if necessary.
Function usage should be considered when deciding whether zend_string should
be used or not, but it seems many of these functions would be better off
using zend_string.
Apart from null byte injection, there are probably functions that would
become more convenient with zend_string.
Any comments?
--
Yasuo Ohgaki
yohgaki@ohgaki.net
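
The length/null byte check mentioned in the message above, as an added example that is not part of the original post and is not PHP's own code. The `lstr` struct and every function name are hypothetical stand-ins for a length-carrying string and do not reproduce the real zend_string layout; the sample value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-carrying string (NOT the real zend_string). */
typedef struct {
    size_t len;   /* number of bytes the caller actually supplied */
    char   val[]; /* len bytes followed by a terminating NUL */
} lstr;

static lstr *lstr_new(const char *bytes, size_t len)
{
    lstr *s = malloc(sizeof(*s) + len + 1);
    if (!s) return NULL;
    s->len = len;
    memcpy(s->val, bytes, len);
    s->val[len] = '\0';
    return s;
}

/* Returns 1 if a NUL byte appears before the recorded end of the string. */
static int lstr_has_embedded_nul(const lstr *s)
{
    return memchr(s->val, '\0', s->len) != NULL;
}

/* A "char *" API only ever sees the bytes before the first NUL. */
static size_t legacy_visible_len(const char *path)
{
    return strlen(path);
}

/* A length-aware API can refuse the value: 0 = accepted, -1 = rejected. */
static int checked_open_path(const lstr *path)
{
    if (path == NULL || path->len == 0 || lstr_has_embedded_nul(path)) return -1;
    return 0; /* a real implementation would open path->val here */
}

int main(void)
{
    /* Constructed sample: a value as it might arrive from a database or socket. */
    static const char raw[] = "report.txt\0.png";
    lstr *s = lstr_new(raw, sizeof(raw) - 1);
    if (!s) return 1;
    printf("recorded=%zu visible=%zu accepted=%d\n", s->len,
           legacy_visible_len(s->val), checked_open_path(s) == 0);
    free(s);
    return 0;
}
```

The mismatch between the recorded length and what `strlen` reports is the signal a "char *" parameter cannot carry, which is why the check has to live in a length-aware signature.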