As stated in the manual for str_pad() "If the value of pad_length is
negative or less than the length of the input string, no padding takes
place.".
By using a very low negative value it is possible to bypass the check.
Please see attachment.
Cheers, Mattias Bengtsson
Index: ext/standard/string.c
===================================================================
RCS file: /repository/php-src/ext/standard/string.c,v
retrieving revision 1.445.2.14.2.63
diff -u -a -r1.445.2.14.2.63 string.c
--- ext/standard/string.c 6 Jun 2007 21:53:54 -0000 1.445.2.14.2.63
+++ ext/standard/string.c 21 Jul 2007 19:47:03 -0000
@@ -4741,7 +4741,7 @@
/* If resulting string turns out to be shorter than input string,
we simply copy the input and return. */
- if (num_pad_chars < 0) {
+ if (Z_LVAL_PP(pad_length) < 0 || num_pad_chars < 0) {
RETURN_ZVAL(*input, 1, 0);
}
Index: ext/standard/tests/strings/str_pad.phpt
===================================================================
RCS file: /repository/php-src/ext/standard/tests/strings/str_pad.phpt,v
retrieving revision 1.1.2.4
diff -u -a -r1.1.2.4 str_pad.phpt
--- ext/standard/tests/strings/str_pad.phpt 7 May 2007 22:30:16 -0000
1.1.2.4
+++ ext/standard/tests/strings/str_pad.phpt 21 Jul 2007 19:47:03 -0000
@@ -30,6 +30,7 @@
);
/* different pad_lengths */
$pad_lengths = array(
+ -2147483648, // very low negative value
-1, // negative value
0, // pad_length < sizeof(input_string)
9, // pad_length <= sizeof(input_string)
@@ -101,6 +102,11 @@
string(9) "variation"
string(9) "variation"
string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
+string(9) "variation"
string(10) "variation "
string(10) "variation="
string(10) "=variation"
@@ -121,6 +127,11 @@
string(5) "�����"
string(5) "�����"
string(5) "�����"
+string(5) "�����"
+string(5) "�����"
+string(5) "�����"
+string(5) "�����"
+string(5) "�����"
string(9) "����� "
string(9) "�����===="
string(9) "====�����"
@@ -146,6 +157,11 @@
string(0) ""
string(0) ""
string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
string(9) " "
string(9) "========="
string(9) "========="
@@ -171,6 +187,11 @@
string(0) ""
string(0) ""
string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
string(9) " "
string(9) "========="
string(9) "========="
@@ -196,6 +217,11 @@
string(1) "1"
string(1) "1"
string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
+string(1) "1"
string(9) "1 "
string(9) "1========"
string(9) "========1"
@@ -221,6 +247,11 @@
string(2) "15"
string(2) "15"
string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
+string(2) "15"
string(9) "15 "
string(9) "15======="
string(9) "=======15"
@@ -246,6 +277,11 @@
string(5) "15.55"
string(5) "15.55"
string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
+string(5) "15.55"
string(9) "15.55 "
string(9) "15.55===="
string(9) "====15.55"
@@ -271,6 +307,11 @@
string(4) "2990"
string(4) "2990"
string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
+string(4) "2990"
string(9) "2990 "
string(9) "2990====="
string(9) "=====2990"
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
