On 11/16/10 1:44 AM, Derick Rethans wrote: > On Mon, 15 Nov 2010, Rasmus Lerdorf wrote: > >> Ok, I went through all the 5.3 code. This should fix the null poisoning >> problems in 5.3 without breaking binary compatibility: >> >> http://progphp.com/nullpatch.txt >> >> There are quite a few places where we can't solve it centrally, so >> perhaps we need to take the same approach in trunk. > > I've had a look at that patch, and it looks a little bit like a kludge. > I'm saying that because it's quite easy to miss a specific case where a > line like: > > + if (strlen(filename) != filename_len) { > + RETURN_FALSE; > + } > > should/could be added. I prefer a fix that solves this properly, and > that requires breaking BC as I understood it. Perhaps we could just take > care of this in trunk only? Or at last, add a macro for doing the check > from above?
Yes, I agree it is a bit of a kludge, but no matter how we do it, it will be easy to miss a case as there simply isn't a central place to do this check that will catch all cases. We can make the check prettier by adding this non-null params type, or a pretty macro, but that doesn't alleviate the need to go through and find all the places where we need to do the check. One thing that makes it a bit easier is that in many instances, but not all, the check is near an open_basedir check. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
