Fix: sapi_getenv: value should be initialized and not used so #8786

Merged
merged 3 commits into from
Jun 20, 2022

hwde
Contributor

@hwde hwde commented Jun 15, 2022

No description provided.

@Girgias
Member

Girgias commented Jun 15, 2022

It probably makes more sense to switch all the logic to use guards returning NULL instead of the weird nesting we currently have which would then make it clear that value is not uninitialized.

@Girgias
Member

Girgias commented Jun 15, 2022

The changes made are the opposite of what I was asking; I'm asking for only early returns via if conditions, which are easier to read than nesting if conditions.

@hwde
Contributor Author

hwde commented Jun 15, 2022

I don't think that this would be easier to read (btw.: isn't the call to strlen() in WIN32 superfluous ... possibly it has been inserted for performance reasons):

SAPI_API char *sapi_getenv(const char *name, size_t name_len)
{
	char *value = NULL, *tmp;
	
	if (!strncasecmp(name, "HTTP_PROXY", name_len)) {
		/* Ugly fix for HTTP_PROXY issue, see bug #72573 */
		return NULL;
	}
	if (!sapi_module.getenv) {
		return NULL;
	}
	tmp = sapi_module.getenv(name, name_len);
	if (!tmp) {
		return NULL;
	}
	value = estrdup(tmp);
#ifdef PHP_WIN32
	if (strlen(sapi_module.name) == sizeof("cgi-fcgi") - 1 && !strcmp(sapi_module.name, "cgi-fcgi")) {
		/* XXX more modules to go, if needed. */
		free(tmp);
	}
#endif
	if (value && sapi_module.input_filter) {
		sapi_module.input_filter(PARSE_STRING, name, &value, strlen(value), NULL);
	}
	return value;
}

@cmb69
Member

cmb69 commented Jun 15, 2022

> isn't the call to strlen() in WIN32 superfluous ... possibly it has been inserted for performance reasons

Yeah, that looks like a dubious performance optimization.

@Girgias
Member

Girgias commented Jun 20, 2022

> I don't think that this would be easier to read (btw.: isn't the call to strlen() in WIN32 superfluous ... possibly it has been inserted for performance reasons):
>
> SAPI_API char *sapi_getenv(const char *name, size_t name_len)
> {
> 	char *value = NULL, *tmp;
>
> 	if (!strncasecmp(name, "HTTP_PROXY", name_len)) {
> 		/* Ugly fix for HTTP_PROXY issue, see bug #72573 */
> 		return NULL;
> 	}
> 	if (!sapi_module.getenv) {
> 		return NULL;
> 	}
> 	tmp = sapi_module.getenv(name, name_len);
> 	if (!tmp) {
> 		return NULL;
> 	}
> 	value = estrdup(tmp);
> #ifdef PHP_WIN32
> 	if (strlen(sapi_module.name) == sizeof("cgi-fcgi") - 1 && !strcmp(sapi_module.name, "cgi-fcgi")) {
> 		/* XXX more modules to go, if needed. */
> 		free(tmp);
> 	}
> #endif
> 	if (value && sapi_module.input_filter) {
> 		sapi_module.input_filter(PARSE_STRING, name, &value, strlen(value), NULL);
> 	}
> 	return value;
> }

You don't need to check that value is set, as if a function relying on emalloc cannot allocate memory the engine bails out and we do not check for those. You can add an assertion that value is not NULL.

IMHO nested ifs make understanding the control flow a PITA.
And rearranging the ifs makes it pretty obvious that the first if should be

if (!sapi_module.getenv) {
	return NULL;
}

Instead of the string comparison.

@hwde hwde force-pushed the sapi_getenv-value-initialize branch from 137e963 to 2a802b1 Compare June 20, 2022 12:27
@Girgias Girgias merged commit 84e4d2a into php:master Jun 20, 2022