Hi all,

On Fri, Aug 7, 2015 at 4:25 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Is there a zend_string usage guideline?
> I'm wondering if zend_string is used where it is appropriate.
>
> Once we release PHP7, adopting zend_string for PHPAPI functions becomes
> difficult.
> (We have to keep the legacy API, or it will be a headache for 3rd-party
> module authors if we change this in a minor version.)
>
> Is the evaluation of all PHPAPI functions that have a "char *" parameter
> finished?
> If not, we had better do this now, at least for core functions.
> LXR output suggests there are a number of core functions that may use
> zend_string.
>
>
> http://lxr.php.net/search?q=PHPAPI&defs=&refs=&path=&hist=&project=PHP_TRUNK
>

I looked through the list quickly to see which functions may be better off
using zend_string.
I picked out functions that may have a problem with null bytes in char *.
This is NOT an exhaustive list, but a partial one. I didn't check all
function definitions or their usage.

http://lxr.php.net/xref/PHP_TRUNK/ext/standard/php_var.h#57
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#33
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#34
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#35
http://lxr.php.net/xref/PHP_TRUNK/main/php_ini.h#36
http://lxr.php.net/xref/PHP_TRUNK/main/php_main.h#51
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#233
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#236
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#252
http://lxr.php.net/xref/PHP_TRUNK/main/php_network.h#308
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#29
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#30
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#31
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#33
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#34
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#35
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#47
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#51
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#53
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#565
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#566
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#567
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#568
http://lxr.php.net/xref/PHP_TRUNK/main/php_streams.h#569
http://lxr.php.net/xref/PHP_TRUNK/main/php.h#283
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#29
http://lxr.php.net/xref/PHP_TRUNK/main/fopen_wrappers.h#30
http://lxr.php.net/xref/PHP_TRUNK/ext/standard/basic_functions.h#148
http://lxr.php.net/xref/PHP_TRUNK/ext/standard/basic_functions.h#149

We have input parameter validation for null bytes with ZPP. However, the
source of a string may be a database, file, network, etc., i.e. strings may
be passed without the ZPP null byte check. There is a potential risk that
a null byte injection attack may work. With zend_string, the length/null byte
could be checked if necessary.

Function usage should be considered when deciding whether zend_string should
be used or not, but it seems many of these functions would be better off
using zend_string.

Apart from null byte injection, there are probably functions that would
become more convenient with zend_string.

Any comments?

--
Yasuo Ohgaki
yohg...@ohgaki.net
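
Added example, not part of the original message and not PHP source code: a sketch of the length/null byte check the message says a length-carrying string makes possible. The `lstr` struct, the function names and the sample values are hypothetical stand-ins constructed for illustration; they are not the Zend API.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical length-carrying string; a stand-in for the idea, not the Zend API. */
typedef struct { size_t len; const char *val; } lstr;

/* Constructed sample values (e.g. as read from a database or the network). */
static const char TAINTED_BYTES[] = "report.php\0.txt";
static const lstr TAINTED = { sizeof(TAINTED_BYTES) - 1, TAINTED_BYTES };
static const lstr CLEAN = { 10, "report.txt" };

/* Suffix test over the full recorded length, with no NUL check. */
static int suffix_matches(const lstr *s, const char *suffix)
{
    size_t n = strlen(suffix);
    return s->len >= n && memcmp(s->val + s->len - n, suffix, n) == 0;
}

/* Length a char*-only callee works with: everything after the first NUL is lost. */
static size_t c_string_len(const lstr *s)
{
    return strlen(s->val);
}

/* The check a length makes possible: is there a NUL inside the recorded length? */
static int has_embedded_nul(const lstr *s)
{
    return memchr(s->val, '\0', s->len) != NULL;
}

/* Validate before handing val to a char* API: 0 = accept, -1 = reject. */
static int check_name(const lstr *s, const char *suffix)
{
    if (has_embedded_nul(s))
        return -1;
    return suffix_matches(s, suffix) ? 0 : -1;
}

int main(void)
{
    printf("suffix check alone: %d, bytes seen by char* callee: %zu\n",
           suffix_matches(&TAINTED, ".txt"), c_string_len(&TAINTED));
    printf("check_name tainted: %d, clean: %d\n",
           check_name(&TAINTED, ".txt"), check_name(&CLEAN, ".txt"));
    return 0;
}
```

With only a `char *`, the callee cannot tell that the 15-byte value was cut to 10 bytes; with the length available, the mismatch is detectable at the API boundary regardless of where the string came from.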
