Debian Bug report logs - #729476
php5-cli: Unexpected behaviour of empty() function


Package: php5-cli; Maintainer for php5-cli is (unknown);

Reported by: Tim Booth <tbooth@ceh.ac.uk>

Date: Wed, 13 Nov 2013 11:51:02 UTC

Severity: important

Found in version php5/5.4.4-14+deb7u5

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.php.net/bug.php?id=67572



Report forwarded to debian-bugs-dist@lists.debian.org, tbooth@ceh.ac.uk, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#729476; Package php5-cli. (Wed, 13 Nov 2013 11:51:06 GMT)


Acknowledgement sent to Tim Booth <tbooth@ceh.ac.uk>:
New Bug report received and forwarded. Copy sent to tbooth@ceh.ac.uk, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 13 Nov 2013 11:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tim Booth <tbooth@ceh.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-cli: Unexpected behaviour of empty() function
Date: Wed, 13 Nov 2013 11:47:03 +0000
Package: php5-cli
Version: 5.4.4-14+deb7u5
Severity: important

The documented behaviour of the empty() function is to be a shorthand
for "!isset($var) || $var == false".  The below example shows a case
where this fails, and was triggering a subtle bug in my code after
upgrade of production server to Wheezy.  I think this may well affect
others and even be a security issue if "empty" variables are assumed to
be safe.

I noticed the issue running PHP under Apache but for simplicity the below
example can just be run on the command line.  I've not tested on any
later PHP version, sorry.

    tbooth@anaguma$ cat foo.php
    <?php
    $foo = 'bar';
    print "regular string ... ";
    var_dump(empty($foo)); #Should be false

    $xml = simplexml_load_string("<xml><something>somevalue</something></xml>");
    $xml2 = simplexml_load_string("<xml>\n<something>somevalue</something>\n</xml>");

    foreach($xml as $key => $value) {
        print "$key = $value ... ";
        var_dump(empty($value)); # Should be false
        var_dump($value == false); # Should be false
    }

    foreach($xml2 as $key => $value) {
        print "$key = $value ... ";
        var_dump(empty($value)); # Should be false, but isn't
        var_dump($value == false); # Should be false
    }
    ?>

    tbooth@anaguma$ php foo.php
    regular string ... bool(false)
    something = somevalue ... bool(false)
    bool(false)
    something = somevalue ... bool(true)
    bool(false)

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-cli depends on:
ii  libbz2-1.0        1.0.6-4
ii  libc6             2.13-38
ii  libcomerr2        1.42.5-1.1
ii  libdb5.1          5.1.29-5
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u1
ii  libk5crypto3      1.10.1+dfsg-5+deb7u1
ii  libkrb5-3         1.10.1+dfsg-5+deb7u1
ii  libmagic1         5.11-2
ii  libonig2          5.9.1-1
ii  libpcre3          1:8.30-5
ii  libqdbm14         1.8.78-2
ii  libssl1.0.0       1.0.1e-2
ii  libxml2           2.8.0+dfsg1-7+nmu2
ii  mime-support      3.52-1
ii  php5-common       5.4.4-14+deb7u5
ii  tzdata            2013d-0wheezy1
ii  ucf               3.0025+nmu3
ii  zlib1g            1:1.2.7.dfsg-13

php5-cli recommends no packages.

Versions of packages php5-cli suggests:
pn  php-pear  <none>

-- no debconf information



Set Bug forwarded-to-address to 'https://bugs.php.net/bug.php?id=67572'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 04 Jul 2014 13:15:07 GMT)


Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Wed, 27 Jan 2016 11:27:05 GMT)


Notification sent to Tim Booth <tbooth@ceh.ac.uk>:
Bug acknowledged by developer. (Wed, 27 Jan 2016 11:27:05 GMT)


Message #12 received at 729476-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 729476-done@bugs.debian.org
Subject: Fixed in 5.6.0
Date: Wed, 27 Jan 2016 12:24:48 +0100
Version: php5/5.4.28+dfsg-0+deb8u1
Control: fixed -1 5.6.0+dfsg-1

This was fixed in 5.4.28 and 5.6.0.

-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
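
Added example, not part of the bug report or of PHP itself: a check that decides whether a SimpleXMLElement is blank from its string value and child count instead of empty(), plus a self-test over the report's two documents that flags an interpreter where empty() disagrees. The function names xml_node_is_blank() and empty_mismatches() are hypothetical.

```php
<?php
// Added example, not part of the bug report; function names are hypothetical.

// Decide blankness from the node's own content rather than empty(), so the
// answer cannot change with whitespace between elements in the document.
function xml_node_is_blank(SimpleXMLElement $node)
{
    // The report's output shows the string value is correct ("somevalue")
    // for both documents, so the check is built on the string cast.
    return trim((string) $node) === '' && $node->count() === 0;
}

// Return the child element names where empty() disagrees with the check above.
function empty_mismatches($xmlString)
{
    $doc = simplexml_load_string($xmlString);
    if ($doc === false) {
        throw new InvalidArgumentException('XML did not parse');
    }
    $mismatches = array();
    foreach ($doc as $name => $child) {
        if (empty($child) !== xml_node_is_blank($child)) {
            $mismatches[] = $name;
        }
    }
    return $mismatches;
}

// The two documents from the report: identical content, different whitespace.
$samples = array(
    'compact'  => "<xml><something>somevalue</something></xml>",
    'newlines' => "<xml>\n<something>somevalue</something>\n</xml>",
);

foreach ($samples as $label => $xml) {
    $bad = empty_mismatches($xml);
    echo $label, ': ',
        $bad ? 'empty() disagrees for ' . implode(', ', $bad) : 'consistent',
        "\n";
}
```

On an interpreter showing the behaviour in the report, the 'newlines' sample is the one flagged; code that validates or filters XML input should call the explicit check rather than empty().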



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Feb 2016 07:34:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:47:09 2023; Machine Name: buxtehude
