Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread sean finney
hi,

On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
> 14. A few other directives have been questioned but I don't have enough
> experience with these particular settings so please weigh in on them.
>
> extension_dir = ./
> enable_dl = On

i'd be incredibly wary of this setting, even in a development environment.

- if you have enable_dl on, a user can load an arbitrary .so into php's (and 
  thus most often apache's) memory space.
- if you have extension_dir = ./, then even open_basedir and similar
  built-in restrictions about the path of dl()'d .so extensions are no 
  longer in effect, and the floodgates are opened for various types of 
  external attacks.

the biggest reason that this is problematic is that in the case of
apache, you have raw access to all of apache's memory, including ssl keys,
stored passwords, etc, which typically a php script will not have.


sean




Re: [PHP-DEV] int/long conflict in spl?

2009-02-17 Thread Marcus Boerger
Hello Greg,

Wednesday, February 11, 2009, 6:07:27 AM, you wrote:

> Hi,
>
> While tracking down a problem in one of phar's tests, I found what might
> be a problem in RecursiveDirectoryIterator's handling of flags.  Here is
> a crude patch demonstrating the issue, and wondering if this is
> something to be concerned about.  Basically, we're mixing long and int,
> which could lead to truncation in unpredictable ways.
>
> Greg

 Index: spl_directory.c
 ===
 RCS file: /repository/php-src/ext/spl/spl_directory.c,v
 retrieving revision 1.45.2.27.2.23.2.40
 diff -u -r1.45.2.27.2.23.2.40 spl_directory.c
 --- spl_directory.c31 Dec 2008 11:15:43 -1.45.2.27.2.23.2.40
 +++ spl_directory.c15 Feb 2009 21:45:00 -
 @@ -215,7 +215,7 @@
  /* open a directory resource */
  static void spl_filesystem_dir_open(spl_filesystem_object* intern, char 
 *path TSRMLS_DC)
  {
 -int skip_dots = intern-flags  SPL_FILE_DIR_SKIPDOTS;
 +int skip_dots = (intern-flags  SPL_FILE_DIR_SKIPDOTS) ? 1 : 0;

While I wouldn't mind this part, I don't see a reason for it (and it
generates slower code, though any file access of course is a million times
slower anyway). Either way, we only do non zero checks, so that it doesn't
matter whether the result is one of 0 and 1 or 0 and something non zero.

If there is a compiler warning, then that can only come from flags being
long and we would need to switch from 'int skip_dots' to 'long skip_dots'.
  
  intern-type = SPL_FS_DIR;
  intern-_path_len = strlen(path);
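
Review bot: skip_dots in spl_filesystem_dir_open() is still declared int, and the type of the flags field it is derived from is not visible in this hunk. If flags is a long, the ? 1 : 0 form is the safe one, since it cannot lose a set bit when the result is narrowed to int; please say so in a comment or the commit message, because the new line otherwise reads as a no-op.
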
 @@ -314,7 +314,7 @@
  case SPL_FS_DIR:
  spl_filesystem_dir_open(intern, source-_path TSRMLS_CC);
  /* read until we hit the position in which we were before */
 -skip_dots = source-flags  SPL_FILE_DIR_SKIPDOTS;
 +skip_dots = (source-flags  SPL_FILE_DIR_SKIPDOTS) ? 1 : 0;
  for(index = 0; index  source-u.dir.index; ++index) {
  do {
  spl_filesystem_dir_read(intern TSRMLS_CC);
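
Review bot: the assignment to skip_dots here has no declaration in the visible context, so its type cannot be checked against the source object's flags from this hunk alone. Confirm the declaration matches the other two sites, and consider a small helper macro for the masked test, since the same expression is now repeated in three hunks of this patch.
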
 @@ -600,7 +600,7 @@
  #define DIT_CTOR_FLAGS  0x0001
  #define DIT_CTOR_GLOB   0x0002
  
 -void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, int 
 ctor_flags) /* {{{ */
 +void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, long 
 ctor_flags) /* {{{ */

Sounds fine.

  {
  spl_filesystem_object *intern;
  char *path;
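
Review bot: widening ctor_flags to long in spl_filesystem_object_construct() changes the function's signature, but no prototype or caller is updated in this patch. The two values defined just above, DIT_CTOR_FLAGS 0x0001 and DIT_CTOR_GLOB 0x0002, both fit in an int, so the change needs a note on which wider value is expected to be passed in, plus the matching declaration update if one exists elsewhere.
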
 @@ -698,7 +698,7 @@
  SPL_METHOD(DirectoryIterator, next)
  {
  spl_filesystem_object *intern = 
 (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
 -int skip_dots = intern-flags  SPL_FILE_DIR_SKIPDOTS;
 +int skip_dots = (intern-flags  SPL_FILE_DIR_SKIPDOTS) ? 1 : 0;
  
  intern-u.dir.index++;
  do {





Best regards,
 Marcus


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Hannes Magnusson
On Tue, Feb 17, 2009 at 10:12, sean finney sean...@seanius.net wrote:
> hi,
>
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
>> 14. A few other directives have been questioned but I don't have enough
>> experience with these particular settings so please weigh in on them.
>>
>> extension_dir = ./
>> enable_dl = On
>
> i'd be incredibly wary of this setting, even in a development environment.
>
> - if you have enable_dl on, a user can load an arbitrary .so into php's (and
>   thus most often apache's) memory space.

dl() should indeed be disabled by default (and the NEWS entry says it is).
dl() support has furthermore been removed from most SAPIs, and
according to the NEWS entry it is only available for cli, cgi and
embed.
Actually, the docs and NEWS are a bit inconsistent on that, the docs
say the function just raises E_DEPRECATED while the NEWS entry makes
it sound like dl() simply won't work as apache module.

-Hannes




Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Johannes Schlüter
On Tue, 2009-02-17 at 10:12 +0100, sean finney wrote:
> hi,
>
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
>> 14. A few other directives have been questioned but I don't have enough
>> experience with these particular settings so please weigh in on them.
>>
>> extension_dir = ./
[...]
> - if you have extension_dir = ./, then even open_basedir and similar
>   built-in restrictions about the path of dl()'d .so extensions are no
>   longer in effect, and the floodgates are opened for various types of
>   external attacks.

extension_dir should be the compiled-in value by default, at least on *nix. On
Windows maybe the installer can set it. So the value should be commented
out.

On *nix the reason is that the compiled-in default (for example
$prefix/lib/php/extensions/no-debug-non-zts-20090115) is used when
compiling extensions using the phpize-way or pear installer so only with
that value will it work out of the box.

johannes






Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Ilia Alshanetsky

> 14. A few other directives have been questioned but I don't have enough
> experience with these particular settings so please weigh in on them.
>
> extension_dir = ./
> enable_dl = On

I think enable_dl should be off by default in both production and test
environments. Aside from being somewhat of a security risk, I think our
overall policy has been to discourage the use of dl() to dynamically
load extensions into PHP.


Ilia Alshanetsky
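
The two directives discussed in the messages above can be checked mechanically. The following is an added example, not code from the thread or from php-src: a small Python audit that parses php.ini text and reports enable_dl switched on and a relative extension_dir. The sample ini text, the function names and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample: the two values quoted in the thread, plus noise lines.
SAMPLE_DEV_INI = """\
[PHP]
; enable_dl = Off   (commented out, must be ignored)
extension_dir = "./"
enable_dl = On
precision = 14
"""

# Constructed sample: extension_dir left commented out, dl() disabled.
SAMPLE_HARDENED_INI = """\
[PHP]
;extension_dir = "./"
enable_dl = Off
"""

TRUE_WORDS = {"1", "on", "yes", "true"}


def parse_ini(text):
    """Return {directive: value}. Later assignments win; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value[:1] in ('"', "'"):
            end = value.find(value[0], 1)  # closing quote, if any
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()  # drop trailing comment
        settings[key.strip()] = value
    return settings


def is_truthy(value):
    """Interpret an ini boolean: On/Yes/True or any non-zero integer."""
    v = value.strip().lower()
    return v in TRUE_WORDS or (re.fullmatch(r"-?\d+", v) is not None and int(v) != 0)


def is_relative(path):
    """True unless the path is absolute in POSIX, drive-letter or UNC form."""
    return not (path.startswith(("/", "\\\\")) or re.match(r"[A-Za-z]:[\\/]", path))


def audit(text):
    """Return (directive, value, reason) tuples for the risky settings."""
    settings = parse_ini(text)
    findings = []
    dl = settings.get("enable_dl")
    if dl is not None and is_truthy(dl):
        findings.append(("enable_dl", dl, "dl() can load shared objects at run time"))
    ext_dir = settings.get("extension_dir")
    if ext_dir and is_relative(ext_dir):
        findings.append(("extension_dir", ext_dir, "relative to the working directory"))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_DEV_INI):
        print(f"{name} = {value}: {reason}")
```

A directive that is absent or commented out produces no finding, which matches the suggestion above to leave extension_dir commented so that the compiled-in default applies.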








[PHP-DEV] Re: [PHP-CVS] cvs: php-src /ext/standard array.c

2009-02-17 Thread Andrei Zmievski

Moriyoshi Koizumi wrote:
> Ilia Alshanetsky wrote:
>> I've discussed this issue with Andrei at least a month ago (if not
>> longer) when the patch was originally added, and I believe that the
>> introduced behavior is the correct one.
>
> IMO correct or not depends on the context where the function is used.
>
> At least, as array_unique() was not capable of dealing with objects
> before Andrei's patch, every existing code should use it with
> strings, not objects.
>
> If SORT_REGULAR could handle objects as well as strings in the same
> manner as SORT_STRING I wouldn't see any problem, although it cannot.


SORT_STRING can only reliably deal with strings - its behavior on non-string type is 
basically broken. Unless we agree that PHP is Tcl (strings are the only type), then 
SORT_REGULAR makes much more sense to me, and evidently others.


If you really have a huge problem with BC, perhaps we could leave the default behavior as 
SORT_STRING for 5.2.x, but it definitely needs to be SORT_REGULAR for 5.3/6.


-Andrei




Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Christopher Jones


Eric,

Should uncommented parameters that seem to have the default value be
commented out?  For example asp_tags and precision.  If the
parameters don't always have the same default value everywhere, should
they be documented in Quick Reference section as having a different
value to the default?

Eric Stewart wrote:
> 4. I mistakenly had the development and production values of
> allow_call_time_pass_reference reversed. This error has been
> corrected.

I really think this should be Off in both cases to discourage use.
The doc http://www.php.net/ini.core says "This method is deprecated
and is likely to be unsupported in future versions of PHP/Zend."

> 10. The production value of error_reporting has been changed to E_ALL |
> ~E_DEPRECATED.

This should use '&', as Dave already pointed out on the list.

> 12. The oci8.events and oci8.old_oci_close_semantics example values now use
> the boolean constants.

Thanks.

> 13. Many people have asked why the links to the online documentation for
> each directive are specifically to the English version.

Regardless of the language issue, can the URLs consistently use www
instead of us2?  At the moment both occur.

Can the generic case in this come first?

  ; 6. Windows directory (C:\windows or C:\winnt), or --with-config-file-path
  ; compile time option.

i.e. change it to

  ; 6. The directory from the --with-config-file-path compile time
  ; option, or the Windows directory (C:\windows or C:\winnt)

The general documentation could mention the use of variables as seen
in ext/standard/tests/general_functions/parse_ini_basic.{phpt,data}:

  basicval = bar
  var1 = ${basicval}

The general documentation could mention that absolute paths to
extensions are (now) supported:

  extension=/path/to/extension.so

This should use its not it's:

  ; PHP attempts to find and load this configuration from a number of locations.
  ; The following is a summary of it's search order:

The first it's below should be its:

  ; php.ini-development is very similar to it's production variant, except it's
  ; much more verbose when it comes to errors.

This should be its in:

  ; php.ini-production contains settings which hold security, performance and
  ; best practices at it's core.

Ditto in:

  ; Turning on this setting and managing it's maximum buffer size can yield some

Ditto in:

  ;   Integer = Enables the buffer and sets it's maximum size in bytes.

Ditto in:

  ; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting

There's an (existing) typo in this description, I guess ignore
libjpeg warnings was the intention:

  ; Tell the jpeg decode to libjpeg warnings and try to create
  ; a gd image.

Chris

--
Email: christopher.jo...@oracle.com  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd  Free PHP Book: http://tinyurl.com/UGPOM




[PHP-DEV] Don't compress empty output with zlib

2009-02-17 Thread Edward Z. Yang
Hello all, I've cooked up a short patch for Bug 42362, and would
appreciate comments. The patch turns off zlib compression if there is no
output, to make zlib_compression play more nicely with 304s.

Cheers,
Edward

Index: ext/zlib/zlib.c
===
RCS file: /repository/php-src/ext/zlib/zlib.c,v
retrieving revision 1.183.2.6.2.8
diff -u -r1.183.2.6.2.8 zlib.c
--- ext/zlib/zlib.c 31 Dec 2008 11:17:47 -  1.183.2.6.2.8
+++ ext/zlib/zlib.c 17 Feb 2009 20:43:28 -
@@ -979,7 +979,7 @@
 {
zend_bool do_start, do_end;

-   if (!ZLIBG(output_compression)) {
+   if (!ZLIBG(output_compression) || !output_len) {
*handled_output = NULL;
} else {
do_start = (mode  PHP_OUTPUT_HANDLER_START ? 1 : 0);
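
Review bot: the new !output_len test is evaluated before mode is looked at, so every zero-length call takes the pass-through branch, not only a response that is empty as a whole. do_start is only derived from mode in the else branch, so a zero-length call that arrives after compression has started is not distinguished from an empty response; consider limiting the shortcut to the call that carries the start flag, and add a comment naming the 304 case it is meant for.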





[PHP-DEV] ZEND_USER_OPCODE_CONTINUE

2009-02-17 Thread Johannes Schlüter
Hi,

while implementing a small toy extension (see [1]) I found out that
ZEND_USER_OPCODE_CONTINUE seems to misbehave as it doesn't go to the
next opcode so I ended up in an endless loop executing the same opcode
again and again.

I'm not sure whether we should change the behavior, using a trivial
patch like the attached one or whether we should add a
ZEND_USER_OPCODE_NEXT_OPCODE constant. The first approach looks nicer to
me but might break extensions working around that problem in a hard to
track way (skipping an opcode)

Ideas, comments?

johannes

[1] http://news.php.net/php.pecl.dev/6117 
Index: Zend/zend_vm_def.h
===
RCS file: /repository/ZendEngine2/zend_vm_def.h,v
retrieving revision 1.59.2.29.2.48.2.84
diff -u -p -r1.59.2.29.2.48.2.84 zend_vm_def.h
--- Zend/zend_vm_def.h	26 Jan 2009 22:54:20 -	1.59.2.29.2.48.2.84
+++ Zend/zend_vm_def.h	17 Feb 2009 20:55:32 -
@@ -4338,7 +4338,7 @@ ZEND_VM_HANDLER(150, ZEND_USER_OPCODE, A
 
 	switch (ret) {
 		case ZEND_USER_OPCODE_CONTINUE:
-			ZEND_VM_CONTINUE();
+			ZEND_VM_NEXT_OPCODE();
 		case ZEND_USER_OPCODE_RETURN:
 			ZEND_VM_DISPATCH_TO_HELPER(zend_leave_helper);
 		case ZEND_USER_OPCODE_DISPATCH:
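
Review bot: switching the ZEND_USER_OPCODE_CONTINUE case from ZEND_VM_CONTINUE() to ZEND_VM_NEXT_OPCODE() changes what an existing return value means for every registered user opcode handler, with no new constant or version guard. A handler that already advances the opline itself before returning CONTINUE would now skip one opcode; a separate return code for "advance and continue" that leaves this case as it is avoids that, and either way the constant's documentation should describe the behaviour chosen.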


Re: [PHP-DEV] ZEND_USER_OPCODE_CONTINUE

2009-02-17 Thread Stefan Esser

Hi Johannes,

> while implementing a small toy extension (see [1]) I found out that
> ZEND_USER_OPCODE_CONTINUE seems to misbehave as it doesn't go to the
> next opcode so I ended up in an endless loop executing the same opcode
> again and again.

I guess that is exactly the required behaviour. How else do you want to
implement a user opcode that transfers control to another opline, like
a special kind of jump opcode?

Stefan




Re: [PHP-DEV] ZEND_USER_OPCODE_CONTINUE

2009-02-17 Thread Christian Seiler
Hi Johannes,

> while implementing a small toy extension (see [1]) I found out that
> ZEND_USER_OPCODE_CONTINUE seems to misbehave as it doesn't go to the
> next opcode so I ended up in an endless loop executing the same opcode
> again and again.

Isn't that expected behaviour? If a normal opcode handler does not
increase the opline, simply returning will also cause re-execution of
the same handler again and again. Why should it be different for user
opcode handlers?

Regards,
Christian




Re: [PHP-DEV] ZEND_USER_OPCODE_CONTINUE

2009-02-17 Thread Johannes Schlüter
Stefan, 

On Tue, 2009-02-17 at 22:05 +0100, Stefan Esser wrote:
>> while implementing a small toy extension (see [1]) I found out that
>> ZEND_USER_OPCODE_CONTINUE seems to misbehave as it doesn't go to the
>> next opcode so I ended up in an endless loop executing the same opcode
>> again and again.
>
> I guess that is exactly the required behaviour. How else do you want to
> implement a user opcode that transfers control to another opline, like
> a special kind of jump opcode?

ZEND_USER_OPCODE_DISPATCH_TO sounds like the way to do that. But we have
no clean API to set the next opcode and CONTINUE is documented as 

#define ZEND_USER_OPCODE_CONTINUE   0 /* execute next opcode */

talking about the next one - so /some/ cleanup is needed.

johannes






Re: [PHP-DEV] Don't compress empty output with zlib

2009-02-17 Thread Edward Z. Yang
Edward Z. Yang wrote:
> Hello all, I've cooked up a short patch for Bug 42362, and would
> appreciate comments. The patch turns off zlib compression if there is no
> output, to make zlib_compression play more nicely with 304s.

The previous patch is wrong (it doesn't handle the flush();flush(); case
well). Here's a better one, although it's 304 specific:

Index: ext/zlib/zlib.c
===
RCS file: /repository/php-src/ext/zlib/zlib.c,v
retrieving revision 1.183.2.6.2.8
diff -u -r1.183.2.6.2.8 zlib.c
--- ext/zlib/zlib.c 31 Dec 2008 11:17:47 -  1.183.2.6.2.8
+++ ext/zlib/zlib.c 17 Feb 2009 22:13:40 -
@@ -979,7 +979,7 @@
 {
zend_bool do_start, do_end;

-   if (!ZLIBG(output_compression)) {
+   if (!ZLIBG(output_compression) || SG(sapi_headers).http_response_code
== 304) {
*handled_output = NULL;
} else {
do_start = (mode  PHP_OUTPUT_HANDLER_START ? 1 : 0);
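
Review bot: the literal 304 in the condition is unexplained and is tested on every call of the handler rather than once at start, so a script that sets the status after output has begun would switch from compressed to pass-through in mid-response. Add a comment referencing the bug, and consider making the decision only when the start flag is set.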





[PHP-DEV] Re: [PHP-CVS] cvs: php-src /ext/standard array.c

2009-02-17 Thread Moriyoshi Koizumi
In addition, we should look at similar comparison-involved array
functions such as array_intersect, array_diff and so on, otherwise
it's gonna be a mess.

Moriyoshi

On Wed, Feb 18, 2009 at 11:43 AM, Moriyoshi Koizumi m...@mozo.jp wrote:
> On Wed, Feb 18, 2009 at 3:11 AM, Andrei Zmievski and...@gravitonic.com wrote:
>>
>> SORT_STRING can only reliably deal with strings - its behavior on non-string
>> type is basically broken. Unless we agree that PHP is Tcl (strings are the
>> only type), then SORT_REGULAR makes much more sense to me, and evidently
>> others.
>>
>> If you really have a huge problem with BC, perhaps we could leave the
>> default behavior as SORT_STRING for 5.2.x, but it definitely needs to be
>> SORT_REGULAR for 5.3/6.
>
> As I said earlier, the function is never supposed to be used with
> objects. Therefore, we cannot declare it to be broken, and any change
> to the behavior anyway leads to a huge BC break. I got a report that
> claims the reporter's real-world application behaves strangely with
> the latest release candidate.
>
> That said, I'm not really against making SORT_REGULAR default for
> later versions than 5.2.x as long as *appropriate notices* are
> provided, while I strongly disagree for 5.2.x.
>
> Moriyoshi
>
>> -Andrei






[PHP-DEV] zend_call_method() - support for up to 4 parameters

2009-02-17 Thread Nathan Nobbe
hi,

recently, working on an extension, i wanted to call a method w/ 3 params,
and as you know, zend_call_method only supports 2 parameters at most.  i
came across this thread in the archives,

http://marc.info/?l=php-internals&m=120179690310419&w=2

so i tossed together a quick patch w/ no emalloc or va_list against the
latest 5.3 snapshot.

what do you think?

-nathan

--- zend_interfaces.c2009-02-17 20:50:35.0 -0700
+++ zend_interfaces.ORIG.c2009-02-17 20:24:47.0 -0700
@@ -31,7 +31,7 @@

 /* {{{ zend_call_method
  Only returns the returned zval if retval_ptr != NULL */
-ZEND_API zval* zend_call_method(zval **object_pp, zend_class_entry *obj_ce,
zend_function **fn_proxy, char *function_name, int function_name_len, zval
**retval_ptr_ptr, int param_count, zval* arg1, zval* arg2, zval* arg3, zval*
arg4 TSRMLS_DC)
+ZEND_API zval* zend_call_method(zval **object_pp, zend_class_entry *obj_ce,
zend_function **fn_proxy, char *function_name, int function_name_len, zval
**retval_ptr_ptr, int param_count, zval* arg1, zval* arg2 TSRMLS_DC)
 {
 int result;
 zend_fcall_info fci;
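
Review bot: the file headers have the modified file on the --- side and zend_interfaces.ORIG.c on the +++ side, so the diff is reversed and the - lines are the proposed code; please regenerate it as original-to-new. On the change itself, zend_call_method() is ZEND_API, so with the four-argument signature any extension that calls the function directly instead of through the zend_call_method_with_N_params macros stops compiling; that wants a note for extension authors.
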
@@ -39,12 +39,10 @@
 zval *retval;
 HashTable *function_table;

-zval **params[4];
+zval **params[2];

 params[0] = arg1;
 params[1] = arg2;
-params[2] = arg3;
-params[3] = arg4;

 fci.size = sizeof(fci);
 /*fci.function_table = NULL; will be read form zend_class_entry of
object if needed */
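
Review bot: params is a fixed array of four and all four slots are filled unconditionally, but nothing in the visible lines checks param_count against that size. A caller passing a param_count above 4 would have the call read past params; an explicit bound check (or an assertion) next to the assignments would make the limit enforceable, and a comment should say that unused arguments are passed as NULL.
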
--- zend_interfaces.h2009-02-17 20:51:22.0 -0700
+++ zend_interfaces.ORIG.h2009-02-17 20:24:36.0 -0700
@@ -38,22 +38,16 @@
 zval *value;
 } zend_user_iterator;

-ZEND_API zval* zend_call_method(zval **object_pp, zend_class_entry *obj_ce,
zend_function **fn_proxy, char *function_name, int function_name_len, zval
**retval_ptr_ptr, int param_count, zval* arg1, zval* arg2, zval* arg3, zval*
arg4 TSRMLS_DC);
+ZEND_API zval* zend_call_method(zval **object_pp, zend_class_entry *obj_ce,
zend_function **fn_proxy, char *function_name, int function_name_len, zval
**retval_ptr_ptr, int param_count, zval* arg1, zval* arg2 TSRMLS_DC);

 #define zend_call_method_with_0_params(obj, obj_ce, fn_proxy,
function_name, retval) \
-zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 0, NULL, NULL, NULL, NULL TSRMLS_CC)
+zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 0, NULL, NULL TSRMLS_CC)

 #define zend_call_method_with_1_params(obj, obj_ce, fn_proxy,
function_name, retval, arg1) \
-zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 1, arg1, NULL, NULL, NULL TSRMLS_CC)
+zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 1, arg1, NULL TSRMLS_CC)

 #define zend_call_method_with_2_params(obj, obj_ce, fn_proxy,
function_name, retval, arg1, arg2) \
-zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 2, arg1, arg2, NULL, NULL TSRMLS_CC)
-
-#define zend_call_method_with_3_params(obj, obj_ce, fn_proxy,
function_name, retval, arg1, arg2, arg3) \
-zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 3, arg1, arg2, arg3, NULL TSRMLS_CC)
-
-#define zend_call_method_with_4_params(obj, obj_ce, fn_proxy,
function_name, retval, arg1, arg2, arg3, arg4) \
-zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 4, arg1, arg2, arg3, arg4 TSRMLS_CC)
+zend_call_method(obj, obj_ce, fn_proxy, function_name,
sizeof(function_name)-1, retval, 2, arg1, arg2 TSRMLS_CC)

 ZEND_API void zend_user_it_rewind(zend_object_iterator *_iter TSRMLS_DC);
 ZEND_API int zend_user_it_valid(zend_object_iterator *_iter TSRMLS_DC);
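
Review bot: zend_call_method_with_3_params and zend_call_method_with_4_params are added without any comment, and each of the five macros now pads the call with NULLs by hand. A one-line comment above the macro group stating the supported range (0 to 4) and that function_name must be a string literal, since the length is taken with sizeof(function_name)-1, would keep the next arity change from silently diverging.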