Re: [PHP-DEV] LDAP functions implemented poorly

Wed, 28 Feb 2007 12:47:49 -0800 

Hello.
Thanks for sending the patch here.

On 02/28/2007 11:33 PM, Doug Goldstein wrote:

Referencing Bug #38819 & Bug #40671
http://bugs.php.net/bug.php?id=38819
http://bugs.php.net/bug.php?id=40671

Essentially I looked through the above mentioned bug, the bugs opened
with OpenLDAP developers, and then reviewed ext/ldap/ldap.c and it
appears the API calls made by PHP are not necessarily the safest ways to
write the PHP wrapper functions. Based on [EMAIL PROTECTED]'s comment
that the LDAP module is unmaintained I went ahead and made some
changes.



The functions char **ldap_get_values(ld, entry, attr) and struct berval
**ldap_get_values_len(ld, entry, attr) are essentially inter-changeable.
The big difference being that the berval struct provides you with a char
* and the size_t of the data. Rather then just a char * that you then
have to strlen() which will result in problems if the returned data is
not NULL terminated data. PHP's internal functions make the mistake of
assuming all data will be string data (NULL terminated char *) data,
which is the cause of the crash in bug #38819.


Wait, I thought the DEPRECATED thing fixed it (I can't test it myself as I 
don't use LDAP).
If not, then what was it all about?


The patch attached removes all of those assumptions and uses
ldap_get_values_len() and uses the length provided back by the structure
to feed add_index_stringl() instead of using add_index_string() which
will call it's own strlen() on the provided data.

This patch also removes ldap_get_values() as a PHP function and makes it
an alias of ldap_get_values_len() since there's no difference and the
same data can be returned, it's just a safer version.


Some comments regarding the patch:
First of all, why do you add a new function and comment the old one instead of changing/fixing the old function? We definitely don't need dead/commented out code in the sources =)
Then, it's a bit too late to change 5.1.6, when 5.2.2 is on it's way, so surely we would like to see the patches for 5.2.2 instead. 
You can get its sources from CVS using PHP_5_2 branch:
cvs -d :pserver:[EMAIL PROTECTED]/repository co -r PHP_5_2 php-src

--
Wbr, Antony Dovgal 

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to