Skip to content

ini_parse_quantity() accepts invalid arguments as valid #11876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fisharebest opened this issue Aug 4, 2023 · 1 comment
Closed

ini_parse_quantity() accepts invalid arguments as valid #11876

fisharebest opened this issue Aug 4, 2023 · 1 comment
Labels
Bug Category: Engine Status: Verified

Comments

@fisharebest
Copy link
Contributor

Description

While writing a polyfill for ini_parse_quantity() I found some invalid inputs that are wrongly accepted as valid.

See https://3v4l.org/ON6U1#v8.2.9 for a live demo

The following code:

<?php

var_dump(ini_parse_quantity('0x0x12'));

var_dump(ini_parse_quantity('0b+10'));
var_dump(ini_parse_quantity('0o+10'));
var_dump(ini_parse_quantity('0x+10'));

var_dump(ini_parse_quantity('0b 10'));
var_dump(ini_parse_quantity('0o 10'));
var_dump(ini_parse_quantity('0x 10'));

Resulted in this output:

int(18)
int(2)
int(8)
int(16)
int(2)
int(8)
int(16)

But I expected this output instead:

E_WARNING that the data is invalid - similar to other invalid arguments.

PHP Version

8.2.9

Operating System

No response
@fisharebest fisharebest mentioned this issue Aug 4, 2023
Merged
@Girgias
Copy link
Member

Girgias commented Aug 8, 2023
edited
Loading

The "issue" is the call to ```ZEND_STRTOUL()``, this is part of the issue when introducing support for binary and octal prefixes in #9560

The whitespace and prefix is stripped away before passing it to the Cstrtoul() (or whatever platform-dependent function) which will also strip +, -, whitespace and a hex prefix (as this is the only one supported).

The warnings for:

var_dump(zend_test_zend_ini_parse_quantity('0b0b10'));
var_dump(zend_test_zend_ini_parse_quantity('0o0o10'));

are also a tad weird.

I don't really see a good way to fix this, but will try. @arnaud-lb what is your opinion on this? (well after you enjoyed your holiday)

Girgias added a commit to Girgias/php-src that referenced this issue Aug 8, 2023
@Girgias
Fix phpGH-11876: ini_parse_quantity() accepts invalid quantities
2d4a42f
@Girgias Girgias linked a pull request Aug 8, 2023 that will close this issue
Fix GH-11876: ini_parse_quantity() accepts invalid quantities #11910
Closed
Girgias added a commit that referenced this issue Aug 30, 2023
@Girgias
Merge branch 'PHP-8.2' into PHP-8.3
9b28e52 
* PHP-8.2:
  Fix GH-11876: ini_parse_quantity() accepts invalid quantities
Girgias added a commit that referenced this issue Aug 30, 2023
@Girgias
Merge branch 'PHP-8.3'
a3725f1 
* PHP-8.3:
  Fix GH-11876: ini_parse_quantity() accepts invalid quantities
@nicolas-grekas nicolas-grekas mentioned this issue Sep 19, 2023
Closed
@plstand plstand mentioned this issue Nov 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Category: Engine Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-11876: ini_parse_quantity() accepts invalid quantities Girgias/php-src
2 participants
@fisharebest @Girgias