Re: [PHP-CVS] com php-src: Add optional depth parameter to json_encode #62369: ext/json/json.c ext/json/php_json.h ext/json/tests/bug62369.phpt

2012-07-26 Thread Stas Malyshev
Hi!

> Commit:    45d596ea1e32792c7b7b7f28be220dea861b6708
> Author:    Florian Anderiasch f...@php.net Tue, 24 Jul 2012 13:15:16 +0200
> Parents:   dd9d64b21e4bbc8a106a6156dc6ffefbcc33ec02
> Branches:  master
>
> Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=45d596ea1e32792c7b7b7f28be220dea861b6708
>
> Log:
> Add optional depth parameter to json_encode #62369
>
> Bugs:
> https://bugs.php.net/62369

Was it ever discussed? Is there any reason why there's no NEWS entry and
no UPGRADING entry?


-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-CVS] com php-src: Add optional depth parameter to json_encode #62369: ext/json/json.c ext/json/php_json.h ext/json/tests/bug62369.phpt

2012-07-26 Thread Pierre Joye
hi!

On Thu, Jul 26, 2012 at 9:16 AM, Stas Malyshev smalys...@sugarcrm.com wrote:
> Hi!
>
>> Commit:    45d596ea1e32792c7b7b7f28be220dea861b6708
>> Author:    Florian Anderiasch f...@php.net Tue, 24 Jul 2012 13:15:16 +0200
>> Parents:   dd9d64b21e4bbc8a106a6156dc6ffefbcc33ec02
>> Branches:  master
>>
>> Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=45d596ea1e32792c7b7b7f28be220dea861b6708
>>
>> Log:
>> Add optional depth parameter to json_encode #62369
>>
>> Bugs:
>> https://bugs.php.net/62369
>
> Was it ever discussed?

afair we did not want to add that, back then when we discussed the
security issue related to huge input data.


Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org




Re: [PHP-CVS] com php-src: Add optional depth parameter to json_encode #62369: ext/json/json.c ext/json/php_json.h ext/json/tests/bug62369.phpt

2012-07-26 Thread Florian Anderiasch

On 26.07.2012 14:14, Pierre Joye wrote:

>> Was it ever discussed?
>
> afair we did not want to add that, back then when we discussed the
> security issue related to huge input data.


Hi,
I hadn't seen any discussion apart from Laruence's change to FR so I 
went ahead and implemented it.


The default behavior is unchanged, I'm not really seeing how this is 
security relevant when in the bug it's going up to segfault and now you 
can limit it and get a real error.


It has no NEWS entry because when I asked dsp if that's something for 
5.4 I didn't get a yes or no - so I didn't update as I didn't know where.


Greetings,
Florian




[PHP-CVS] com php-src: Add optional depth parameter to json_encode #62369: ext/json/json.c ext/json/php_json.h ext/json/tests/bug62369.phpt

2012-07-24 Thread Florian Anderiasch
Commit:    45d596ea1e32792c7b7b7f28be220dea861b6708
Author:    Florian Anderiasch f...@php.net Tue, 24 Jul 2012 13:15:16 +0200
Parents:   dd9d64b21e4bbc8a106a6156dc6ffefbcc33ec02
Branches:  master

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=45d596ea1e32792c7b7b7f28be220dea861b6708

Log:
Add optional depth parameter to json_encode #62369

Bugs:
https://bugs.php.net/62369

Changed paths:
  M  ext/json/json.c
  M  ext/json/php_json.h
  A  ext/json/tests/bug62369.phpt


Diff:
diff --git a/ext/json/json.c b/ext/json/json.c
index 9669047..dab4230 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
@@ -47,6 +47,7 @@ ZEND_DECLARE_MODULE_GLOBALS(json)
 ZEND_BEGIN_ARG_INFO_EX(arginfo_json_encode, 0, 0, 1)
ZEND_ARG_INFO(0, value)
ZEND_ARG_INFO(0, options)
+   ZEND_ARG_INFO(0, depth)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_json_decode, 0, 0, 1)
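Review bot: The new depth entry in arginfo_json_encode is a user-visible signature change, yet the changed paths are only json.c, php_json.h and the new test, so nothing documents it. Add NEWS and UPGRADING entries that name the third parameter, its default (JSON_PARSER_DEFAULT_DEPTH, per the json_encode hunk) and the JSON_ERROR_DEPTH result when the limit is exceeded.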
@@ -126,6 +127,7 @@ static PHP_GINIT_FUNCTION(json)
 {
json_globals-encoder_depth = 0;
json_globals-error_code = 0;
+   json_globals-encode_max_depth = 0;
 }
 /* }}} */
 
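Review bot: encode_max_depth is initialised to 0 here, while PHP_FUNCTION(json_encode) defaults its depth to JSON_PARSER_DEFAULT_DEPTH, so the two defaults disagree. Any path that reaches json_encode_array without first passing through the assignment JSON_G(encode_max_depth) = depth would compare encoder_depth against 0. Initialise the global to JSON_PARSER_DEFAULT_DEPTH so the limit is the same whichever entry point is used.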
@@ -341,6 +343,9 @@ static void json_encode_array(smart_str *buf, zval **val, 
int options TSRMLS_DC)
}
}
 
+   if (JSON_G(encoder_depth)  JSON_G(encode_max_depth)) {
+   JSON_G(error_code) = PHP_JSON_ERROR_DEPTH;
+   }
--JSON_G(encoder_depth);
json_pretty_print_char(buf, options, '\n' TSRMLS_CC);
json_pretty_print_indent(buf, options TSRMLS_CC);
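Review bot: The depth comparison sits directly before --JSON_G(encoder_depth), after the array body has been emitted, and it only sets error_code without returning. By the time the limit is noticed the encoder has already recursed to the full depth of the input, so the check reports the condition but does not bound stack use, which is what the segfault in the FR title is about. Move the comparison to where encoder_depth is incremented (not shown in this hunk) and stop descending once it fails.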
@@ -702,13 +707,16 @@ static PHP_FUNCTION(json_encode)
zval *parameter;
smart_str buf = {0};
long options = 0;
+long depth = JSON_PARSER_DEFAULT_DEPTH;
 
-   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, z|l, parameter, 
options) == FAILURE) {
+   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, z|ll, 
parameter, options, depth) == FAILURE) {
return;
}
 
JSON_G(error_code) = PHP_JSON_ERROR_NONE;
 
+   JSON_G(encode_max_depth) = depth;
+
php_json_encode(buf, parameter, options TSRMLS_CC);
 
if (JSON_G(error_code) != PHP_JSON_ERROR_NONE  !(options  
PHP_JSON_PARTIAL_OUTPUT_ON_ERROR)) {
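Review bot: depth is taken from the caller and assigned to JSON_G(encode_max_depth) with no range check, so zero and negative values are accepted as limits. Reject depth <= 0 with a warning and return before php_json_encode is called, so that a caller mistake surfaces as an argument error and not as a JSON_ERROR_DEPTH on ordinary input.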
diff --git a/ext/json/php_json.h b/ext/json/php_json.h
index afeff3f..2b3cf58 100644
--- a/ext/json/php_json.h
+++ b/ext/json/php_json.h
@@ -40,6 +40,7 @@ extern zend_module_entry json_module_entry;
 ZEND_BEGIN_MODULE_GLOBALS(json)
int encoder_depth;
int error_code;
+   int encode_max_depth;
 ZEND_END_MODULE_GLOBALS(json)
 
 #ifdef ZTS
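Review bot: encode_max_depth is declared int, but json_encode parses the argument into a long and assigns it unchanged, so on platforms where long is wider than int a large depth is silently truncated. Either declare the global as long or clamp the value in PHP_FUNCTION(json_encode) before the assignment.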
diff --git a/ext/json/tests/bug62369.phpt b/ext/json/tests/bug62369.phpt
new file mode 100644
index 000..a5efd80
--- /dev/null
+++ b/ext/json/tests/bug62369.phpt
@@ -0,0 +1,34 @@
+--TEST--
+FR #62369 (Segfault on json_encode(deeply_nested_array)
+--SKIPIF--
+?php if (!extension_loaded(json)) print skip; ?
+--FILE--
+?php
+
+$array = array();
+for ($i=0; $i550; $i++) {
+$array = array($array);
+}
+
+json_encode($array, 0, 551);
+switch (json_last_error()) {
+case JSON_ERROR_NONE:
+echo 'OK'.PHP_EOL;
+break;
+case JSON_ERROR_DEPTH:
+echo 'ERROR'.PHP_EOL;
+break;
+}
+
+json_encode($array, 0, 540);
+switch (json_last_error()) {
+case JSON_ERROR_NONE:
+echo 'OK'.PHP_EOL;
+break;
+case JSON_ERROR_DEPTH:
+echo 'ERROR'.PHP_EOL;
+break;
+}
+--EXPECTF--
+OK
+ERROR
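Review bot: The two calls use depths 551 and 540 against an array built by 550 wrapping iterations, so the exact boundary is never exercised and an off-by-one in the comparison would still pass. Add calls at the adjacent depths around the limit (largest failing, smallest passing) and one with the two-argument form to pin the default behaviour. The switch statements have no default case, so any other json_last_error() value prints nothing and only shows up as an output mismatch; --EXPECTF-- can also be --EXPECT-- since the expected output has no format placeholders.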

