
Upgrade 0.9.0 -> 1.1.0: escapeHtml() freaks out

Hi,

First off, thanks for all the good work!

I have a phalcon app that ran smoothly under 0.9.0 but crashes with "Premature end of script" since I upgraded to version 1.1.0.

I narrowed the issue down to this: In the controller (say, UserController / indexAction)

$this->view->setVar('e', new \Phalcon\Escaper);

And in the view views/user/index.phtml:

<?=$e->escapeHtml($someData)?>

It's when calling the escapeHtml() method that I get the error. I only changed the Phalcon version, nothing else...

I tried this as well in the controller but to no avail:

$e = new \Phalcon\Escaper;
$e->setEncoding('utf-8');
$this->view->setVar('e', $e);

Any ideas anyone?

Also, I couldn't find any document regarding compatibility breaks between versions, so if you can point me to one that'd be nice.

Thanks, Steven



14.7k

Hi again,

To reproduce, simply create a TestController.php file with the following content in a Phalcon 1.1.0 project:

<?php
class TestController extends ControllerBase
{
    public function indexAction()
    {
        $e = new \Phalcon\Escaper;
        exit('fraise tagada');
        exit($e->escapeHtml('fraise tagada'));
    }
}

On first run, you should see "fraise tagada". Then comment out the line "exit('fraise tagada')" and run again. You'll get an Internal Server error without any useful information in the error log except the following:

[Thu May 16 15:20:07 2013] [warn] [client 46.218.126.212] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Thu May 16 15:20:07 2013] [error] [client 46.218.126.212] Premature end of script headers: index.php

Thanks, Steven

P.S.: For the curious among you, fraise tagada is a famous French sweet: https://en.wikipedia.org/wiki/Fraise_Tagada



98.9k

Hey Steven, nice candies :)

Regarding the issue, I'm not sure if your problem is really caused by Phalcon\Escaper. We have the following test running on Travis-CI:

https://github.com/phalcon/cphalcon/blob/master/php-tests/tests/Phalcon/Escaper/UnitTest.php#L37

It seems to be passing fine in 5.3.3/5.3/5.4:

https://www.travis-ci.org/phalcon/cphalcon
https://www.travis-ci.org/phalcon/cphalcon/jobs/7209535#L1976
https://www.travis-ci.org/phalcon/cphalcon/jobs/7209537#L1991

Also, I've tested on Windows and it's working.

If you want I could access your system to check...



14.7k

Hi,

Thanks for pointing these tests out to me. And you're right, I don't have the issue on another box running Phalcon v 1.1.0 as well, using escapeHtml(). I'll update the list on this once I have found the issue.

Thanks, Steven



14.7k

Hi again,

I'm not getting there :/ The exact same "fraise tagada" code above works on one box with PHP 5.4.9:

/usr/sbin/php5-fpm -v
PHP 5.4.9-4ubuntu2 (fpm-fcgi) (built: Mar 11 2013 16:18:32)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.1, Copyright (c) 2002-2012, by Derick Rethans

And causes a segfault on another box with PHP 5.4.15:

/usr/bin/php5-cgi -v
PHP 5.4.15-1~dotdeb.1 (cgi-fcgi) (built: May 11 2013 19:55:28)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

I set the apache log level to info and got this:

[Fri May 17 21:11:09 2013] [error] mod_fcgid: process /usr/lib/cgi-bin/php5(1480) exit(communication error), get unexpected signal 11

Both boxes have the same modules enabled, among which apc which I first suspected. But disabling apc didn't help. Admittedly, the 2 boxes are quite different as to their PHP/Apache setup but the same app worked on both until either I upgraded Phalcon or PHP (can't recall if the app was used after the PHP upgrade, sorry) on the box that's having the issue.

I noticed you're using PHP 5.4.13 on TravisCI. Would you mind giving it a try with PHP 5.4.15? If it bugs for you too, could you give me the exact internal php calls the method escapeHtml() does so I can report this back on php internals? Because if it bugs on one PHP version and not another, it's up to the PHP core team to fix it I guess...

Many thanks, Steven



98.9k

I added a fix in the 1.2.0 branch, can you check with that version?



14.7k

Hi,

Thanks for the follow-up!

I couldn't test your fix in the same conditions as when I had the segfault, because there was a production application on that same server that started segfaulting too. Thing is, that production app doesn't use the Phalcon Escaper. It started segfaulting on a controller load. So I had to revert the PHP version to PHP 5.3.3-7+squeeze15 with Suhosin-Patch (the standard PHP version for Debian Squeeze 6.0.6).

So, I've set up a small Debian 6.0.7 VM with the following:

[email protected]:~# apache2ctl -V
Server version: Apache/2.2.16 (Debian)
Server built:   Mar  3 2013 12:12:28
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[email protected]:~# php5-cgi -v
PHP 5.4.15-1~dotdeb.1 (cgi-fcgi) (built: May 11 2013 19:55:28)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

I had some compiler warnings when building Phalcon 1.2.0, including the escaper code:

 /home/steven/cphalcon/build/64bits/phalcon.c  -fPIC -DPIC -o .libs/phalcon.o
/home/steven/cphalcon/build/64bits/phalcon.c: In function ‘phalcon_escape_html’:
/home/steven/cphalcon/build/64bits/phalcon.c:7939: warning: passing argument 3 of ‘php_escape_html_entities’ from incompatible pointer type
/usr/include/php5/ext/standard/html.h:57: note: expected ‘size_t *’ but argument is of type ‘unsigned int *’
/home/steven/cphalcon/build/64bits/phalcon.c: In function ‘phalcon_exp_call_method’:
/home/steven/cphalcon/build/64bits/phalcon.c:10887: warning: passing argument 1 of ‘phalcon_start_with_str_str’ discards qualifiers from pointer target type
/home/steven/cphalcon/build/64bits/phalcon.c:7229: note: expected ‘char *’ but argument is of type ‘const char *’

I've set up the following code using the .htaccess and index.php from the Phalcon tutorial https://github.com/phalcon/tutorial on a standard Phalcon app directory layout:

app/controllers/IndexController.php:

<?php

class IndexController extends \Phalcon\Mvc\Controller
{
        public function indexAction()
        {
                $e = new \Phalcon\Escaper;
                // exit('fraise tagada');
                exit($e->escapeHtml('fraise tagada'));
        }
}

This code does not segfault using Phalcon 1.2.0. The same code segfaults using Phalcon 1.1.0 on the very same setup.

I went a bit further and tested with the same PHP version (5.4.15) but as an Apache module:

It segfaults using Phalcon 1.1.0
It does not segfault using Phalcon 1.2.0

Although it seems you caught the bug, it doesn't really seem to be related to the escaper code, although using that code reliably provokes the segfault ;)

Hope this helps you further improving a great framework!

Best, Steven

P.S.: Stumbled upon the same compiler warnings for Phalcon 1.1.0 as well:

 /home/steven/cphalcon/build/64bits/phalcon.c  -fPIC -DPIC -o .libs/phalcon.o
/home/steven/cphalcon/build/64bits/phalcon.c: In function ‘phalcon_escape_html’:
/home/steven/cphalcon/build/64bits/phalcon.c:7939: warning: passing argument 3 of ‘php_escape_html_entities’ from incompatible pointer type
/usr/include/php5/ext/standard/html.h:57: note: expected ‘size_t *’ but argument is of type ‘unsigned int *’
/home/steven/cphalcon/build/64bits/phalcon.c: In function ‘phalcon_exp_call_method’:
/home/steven/cphalcon/build/64bits/phalcon.c:10887: warning: passing argument 1 of ‘phalcon_start_with_str_str’ discards qualifiers from pointer target type
/home/steven/cphalcon/build/64bits/phalcon.c:7229: note: expected ‘char *’ but argument is of type ‘const char *’
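
The `size_t *` versus `unsigned int *` warning quoted in the build output above, worked through as an added example; this is not code from the thread, from Phalcon or from PHP, and the thread does not establish that this warning caused the segfault. `report_len`, `struct frame` and the guard value are constructed stand-ins: on a 64-bit build the callee stores 8 bytes at an address that only has 4 reserved, so the neighbouring value is overwritten, and the corrected call receives into a real `size_t` before narrowing.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0xA5A5A5A5u

/* Constructed layout: a 32-bit length with a neighbouring value behind it. */
struct frame { unsigned int len; unsigned int guard; };

/* Hypothetical API that reports a length through size_t *, the parameter
 * type the compiler note gives for php_escape_html_entities. */
static void report_len(const char *s, size_t *out_len) { *out_len = strlen(s); }

/* Models the store a callee performs when handed the address of an
 * unsigned int: sizeof(size_t) bytes are written starting at that address.
 * memcpy over the whole struct keeps the demonstration well defined. */
static int mismatch_clobbers_guard(void) {
    struct frame f = { 0, GUARD };
    size_t n = 0;
    size_t width = sizeof n < sizeof f ? sizeof n : sizeof f;
    report_len("fraise tagada", &n);
    memcpy(&f, &n, width);
    return f.guard != GUARD;
}

/* Corrected call: receive into a real size_t, then narrow with a range check. */
static int safe_len(const char *s, unsigned int *out) {
    size_t n = 0;
    report_len(s, &n);
    if (n > UINT_MAX) return -1;
    *out = (unsigned int)n;
    return 0;
}

static int fixed_preserves_guard(void) {
    struct frame f = { 0, GUARD };
    return safe_len("fraise tagada", &f.len) == 0 && f.len == 13 && f.guard == GUARD;
}

int main(void) {
    printf("size_t=%zu bytes, unsigned int=%zu bytes\n", sizeof(size_t), sizeof(unsigned int));
    printf("mismatched store changed neighbour: %d\n", mismatch_clobbers_guard());
    printf("corrected call kept neighbour: %d\n", fixed_preserves_guard());
    return 0;
}
```

Building extension code with `-Werror=incompatible-pointer-types` (GCC 5 and later, Clang) turns this class of warning into a build failure instead of leaving it in the log.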