
Bug #17515 Unsafe use of strlen
Submitted: 2010-06-23 09:16 UTC
Modified: 2010-06-24 10:26 UTC
From: pehape
Assigned: alan_k
Status: Closed
Package: Services_JSON (version 1.0.2)
PHP Version: 4.4.9
OS: Linux
Roadmaps: (Not assigned)


 [2010-06-23 09:16 UTC] pehape (Oliver Baltz)
Description:
------------
The comment in line 296 states that you are iterating over every character in the string. This is confusing, because in fact, you are iterating over every *byte*, not every char. Practically, I haven't noticed a wrong behaviour of the code in V1.0.2., but I think that, in theory, you are relying on the strlen() function without knowing the current state of the mbstring.func_overload php.ini setting (e.g., in line 293). The strlen function may return different values for the same string, depending on mbstring.func_overload. It is possible that strlen acts like mb_strlen( $var, "UTF-8" ), i.e. returns the number of characters, not the number of bytes. To get the number of bytes from a string, better check if mb_strlen exists and then use mb_strlen( $var, '8bit' ).

Comments

 [2010-06-23 09:21 UTC] pehape (Oliver Baltz)
-Type: Feature/Change Request
+Type: Bug
 [2010-06-23 09:53 UTC] pehape (Oliver Baltz)
The behaviour also depends on mbstring.internal_encoding. I've experienced missing chars in JSON output string, due to strlen() reporting wrong number of characters. This happens when the encoded string contains non-ASCII UTF-8 chars and these settings apply:
mbstring.func_overload=7
mbstring.internal_encoding=UTF-8
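
The byte-length check suggested in this report and the truncation it prevents, as an added example (not the patch attached to this bug and not Services_JSON code). The helper names `byte_strlen`, `byte_substr` and `walk_bytes` and the sample string are assumptions; because mbstring.func_overload was removed in PHP 8.0, the overloaded strlen() result is simulated here with mb_strlen($s, 'UTF-8').

```php
<?php
// Hypothetical helpers; names are not taken from Services_JSON.

/** Byte length of $s regardless of mbstring.func_overload. */
function byte_strlen($s)
{
    return function_exists('mb_strlen') ? mb_strlen($s, '8bit') : strlen($s);
}

/** Byte-wise substr regardless of mbstring.func_overload. */
function byte_substr($s, $start, $length)
{
    return function_exists('mb_substr')
        ? mb_substr($s, $start, $length, '8bit')
        : substr($s, $start, $length);
}

/**
 * Visit $s one byte at a time up to $limit and return the bytes visited.
 * Stands in for a byte-oriented encoder loop whose bound comes from a
 * length call made before the loop starts.
 */
function walk_bytes($s, $limit)
{
    $out = '';
    for ($i = 0; $i < $limit; $i++) {
        $out .= byte_substr($s, $i, 1);
    }
    return $out;
}

// Constructed sample: 5 characters, 7 bytes in UTF-8 (two 2-byte characters).
$sample = "g\xC3\xBCt\xC3\xA9!";

$byteLen = byte_strlen($sample);
// What an overloaded strlen() reports with internal_encoding=UTF-8 (simulated).
$charLen = function_exists('mb_strlen') ? mb_strlen($sample, 'UTF-8') : null;

printf("bytes=%d chars=%s\n", $byteLen, var_export($charLen, true));
printf("byte bound: %s\n", bin2hex(walk_bytes($sample, $byteLen)));
if ($charLen !== null) {
    // A character count used as a byte bound stops early and cuts the
    // string in the middle of a multi-byte sequence.
    printf("char bound: %s\n", bin2hex(walk_bytes($sample, $charLen)));
}
```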
 [2010-06-23 11:23 UTC] alan_k (Alan Knowles)
Can you suggest a patch? Thanks, Alan
 [2010-06-23 14:01 UTC] pehape (Oliver Baltz)
 [2010-06-23 14:03 UTC] pehape (Oliver Baltz)
You may try this patch. Please note that you may have to adjust the version numbers in the patch file, because I created this patch within the repository of a different project.
 [2010-06-24 10:26 UTC] alan_k (Alan Knowles)
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: alan_k
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
 [2010-06-24 10:37 UTC] pehape (Oliver Baltz)
Hi, I've seen the bug is closed - just wanted to know if my patch was helpful. Thanks, Olli