Implement script only include #1111
Conversation
| @@ -130,6 +130,8 @@ struct _zend_compiler_globals { | |||
|
|
|||
| HashTable interned_strings; | |||
|
|
|||
| char *script_extensions[32]; | |||
There was a problem hiding this comment.
this (32) should be a constant
There was a problem hiding this comment.
I agree. Do you have suggested name? If so, I just use yours.
|
Don't see the move_uploaded_file() part. |
…r max filename extensions
| @@ -5682,13 +5683,40 @@ PHP_FUNCTION(is_uploaded_file) | |||
| } | |||
| /* }}} */ | |||
|
|
|||
|
|
|||
| static int php_check_filename_extensions(zend_string *filename) { /* {{{ */ | |||
There was a problem hiding this comment.
This may be implemented as ZEND_API in Zend.
|
I found what's wrong in ZTS build. It seems I have to relocate script_extensions array to somewhere accessible. CG is not accessible under ZTS build according to gdb. Where would be the best place to locate script_extensions char array? |
| if (new_value && new_value->len) { | ||
| tmp = str = estrndup(new_value->val, new_value->len); | ||
| for(str = new_value->val, i = 0; ; str = NULL) { | ||
| token = strtok_r(str, " ", &save_ptr); |
There was a problem hiding this comment.
ah, also seems save_ptr isn't initialized here.
|
I was bored and read through the RFC and I feel like this feature addresses a problem that doesn't exist if the PHP "developer" did their job right. This RFC is merely adding another already implemented feature. Maybe I'm mistaken or missing something, there doesn't seem to be any added value to PHP by implementing this. |
| break; | ||
| } | ||
| p = Z_STRVAL_P(filename) + Z_STRLEN_P(filename) - len; | ||
| if (!memcmp(p, CG(script_extensions)[i], len)) { |
There was a problem hiding this comment.
you're using case sensitive match here. Are you sure it won't break on case-insensitive filesystems?
|
Umm.. not sure if this is the right place but won't it be better to change the behavior to the way other programming languages do it as pointed out in the RFC? As in Just my 2 cents.. :) |
|
RFC vote seems to be declined, can we close this? |
|
@yohgaki 'Just note that it is programmer's problem, if he doesn't write security invulnerable code, not a problem of the language. So 👎 |
https://wiki.php.net/rfc/script_only_include
I used memcmp() to compare file extension. It's better to use strcasecmp for windows, probably. Use #if ?
I also used E_COMPILE_ERROR for now. If it's OK to use E_ERROR/E_RECVERABLE_ERROR in zend_language_scanner.[cl], I'll change.
I'll treat failing tests later.