Debian Bug report logs - #518971
libapache2-mod-php5: wddx_unserialize / wddx_deserialize strips HTML entities


Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);

Reported by: mnc@sp03.firmseek.com

Date: Mon, 9 Mar 2009 17:51:02 UTC

Severity: normal

Found in version php5/5.2.6.dfsg.1-1+lenny2

Fixed in version 5.2.6.dfsg.1-1+lenny4

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#518971; Package libapache2-mod-php5. (Mon, 09 Mar 2009 17:51:04 GMT)


Acknowledgement sent to mnc@sp03.firmseek.com:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 09 Mar 2009 17:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: mnc@sp03.firmseek.com
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: wddx_unserialize / wddx_deserialize strips HTML entities
Date: Mon, 09 Mar 2009 13:47:17 -0400
Package: libapache2-mod-php5
Version: 5.2.6.dfsg.1-1+lenny2
Severity: normal

This problem seems to be unique to the build of PHP that came with this
update. It doesn't occur on my own 5.2.6 builds or on the 5.2.0-8+etch13 I
have running elsewhere.

Simple test case:

<?php
  $str = '<p>Hello, "Sammy."</p>';
  $packet = wddx_packet_start();
  wddx_add_vars($packet, 'str');
  $serialized = wddx_packet_end($packet);
  $unserialized = wddx_deserialize($serialized);
  var_dump($unserialized);
?>

If the output has the angle brackets and quotes stripped out, then you
are experiencing the bug. wddx_packet_end() is substituting HTML entities in
place of those characters - which is correct, or at least is what's happened
all along - but then wddx_deserialize is failing to de-entify them, and
instead is discarding them outright.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'oldstable'), (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefor 2.2.11-2              Apache HTTP Server - traditional n
ii  apache2.2-common   2.2.11-2              Apache HTTP Server common files
ii  libbz2-1.0         1.0.5-1               high-quality block-sorting file co
ii  libc6              2.9-4                 GNU C Library: Shared libraries
ii  libcomerr2         1.41.3-1              common error description library
ii  libdb4.6           4.6.21-13             Berkeley v4.6 Database Libraries [
ii  libkrb53           1.6.dfsg.4~beta1-9    Transitional library package/krb4 
ii  libmagic1          4.26-2                File type determination library us
ii  libpcre3           7.8-2                 Perl 5 Compatible Regular Expressi
ii  libssl0.9.8        0.9.8g-15             SSL shared libraries
ii  libxml2            2.7.3.dfsg-1          GNOME XML library
ii  mime-support       3.44-1                MIME files 'mime.types' & 'mailcap
ii  php5-common        5.2.6.dfsg.1-1+lenny2 Common files for packages built fr
ii  tzdata             2009b-1               time zone and daylight-saving time
ii  ucf                3.0016                Update Configuration File: preserv
ii  zlib1g             1:1.2.3.3.dfsg-13     compression library - runtime

libapache2-mod-php5 recommends no packages.

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear           5.2.6.dfsg.1-1+lenny2 PEAR - PHP Extension and Applicati

-- no debconf information
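
Added example (not part of the original report, and not the maintainers' test): a round-trip check to run after a PHP package update. It confirms that wddx_deserialize() restores the characters that the packet carries as entities. It goes beyond the single string in the report by covering several inputs; every sample string other than the first is constructed for illustration. It assumes the wddx extension is loaded (it shipped with PHP 5.x and was removed in PHP 7.4).

```php
<?php
// Added example, not from the bug report: WDDX round-trip regression check.
if (!function_exists('wddx_deserialize')) {
    fwrite(STDERR, "wddx extension not loaded\n");
    exit(2);
}

// Round-trip one string and count which special characters went missing.
function wddx_roundtrip_check($value)
{
    $packet   = wddx_serialize_value($value);
    $restored = wddx_deserialize($packet);
    $lost     = array();
    foreach (array('<', '>', '&', '"', "'") as $ch) {
        $missing = substr_count($value, $ch) - substr_count((string) $restored, $ch);
        if ($missing > 0) {
            $lost[$ch] = $missing;
        }
    }
    return array(
        // true when the packet carries entity references in place of the characters
        'escaped' => (bool) preg_match('/&(lt|gt|amp|quot|#\d+);/', $packet),
        'intact'  => $restored === $value,
        'lost'    => $lost,
    );
}

// First sample is the report's string; the rest are constructed for this example.
$samples = array(
    '<p>Hello, "Sammy."</p>',
    'a & b',
    'if (x < y && y > z)',
    'plain text, nothing to escape',
);

$failed = 0;
foreach ($samples as $s) {
    $r = wddx_roundtrip_check($s);
    if ($r['intact']) {
        echo "OK    $s\n";
        continue;
    }
    $failed++;
    echo "FAIL  $s (packet escaped: " . ($r['escaped'] ? 'yes' : 'no') . ")\n";
    foreach ($r['lost'] as $ch => $n) {
        echo "      lost $n x '$ch'\n";
    }
}
exit($failed > 0 ? 1 : 0);
```

The script exits non-zero when any string comes back altered, so it can gate a package upgrade or run as a post-install check.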




Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Fri, 08 Jan 2010 16:45:15 GMT)


Notification sent to mnc@sp03.firmseek.com:
Bug acknowledged by developer. (Fri, 08 Jan 2010 16:45:15 GMT)


Message #10 received at 518971-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 518971-done@bugs.debian.org
Subject: #518971: libapache2-mod-php5: wddx_unserialize / wddx_deserialize strips HTML entities
Date: Fri, 8 Jan 2010 17:43:24 +0100
Version: 5.2.6.dfsg.1-1+lenny4

root@howl:/tmp# php5 test.php
array(1) {
  ["str"]=>
  string(22) "<p>Hello, "Sammy."</p>"
}

-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Feb 2010 07:33:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:05:45 2023; Machine Name: buxtehude
