Methods have different return types than their PHPDoc suggest #1471
Comments
The DocBlock comments do indeed need to be improved. Unfortunately, that's not really my highest priority. Right now I'm working on the documentation for v3.0. If someone wants to do a PR for the return types they're very welcome to do so. As I noted in your PR your proposed fix is problematic because throwing exceptions in the 2.0 branch would be a PR break. So here's what I'll do. In the 1.0 / 2.0 branches I'll add a line to return false if In the 3.0 / master branches I'll look for more
Looking at the code (1.0) it is not clear to me how

```php
$payload = $this->_string_shift($raw, $packet_length - $padding_length - 1);
```

Here's the definition of

```php
/**
 * String Shift
 *
 * Inspired by array_shift
 *
 * @param string $string
 * @param int $index
 * @return string
 * @access private
 */
function _string_shift(&$string, $index = 1)
{
    $substr = substr($string, 0, $index);
    $string = substr($string, $index);
    return $substr;
}
```

So apparently Tracing through the code I don't see

```php
if (strlen($raw) < 5) {
    return false;
}
```

The next operation on

```php
if (strlen($buffer)) {
    $raw.= $this->decrypt !== false ? $this->decrypt->decrypt($buffer) : $buffer;
}
```

If

```php
$buffer = '';
while ($remaining_length > 0) {
    $temp = fread($this->fsock, $remaining_length);
    if ($temp === false || feof($this->fsock)) {
        $this->bitmap = 0;
        user_error('Error reading from socket');
        return false;
    }
    $buffer.= $temp;
    $remaining_length-= strlen($temp);
}
```

The next operation on

```php
$payload = $this->_string_shift($raw, $packet_length - $padding_length - 1);
```

So we already know it's of the appropriate length. But even if it wasn't, I still don't see how I'm all for "defensive programming" (indeed, that's why I do some of the length checks that I do) but there is such a thing as paranoid redundancy, as well. eg.

```php
$a = (int) $_GET['a'];
if (!is_numeric($a)) {
    throw new \Exception('$a must be an integer');
}
```

In that example that I'll look into adding more exceptions for the 3.0 / master branch but at this point I'm thinking I won't make What version of PHP are you running, out of curiosity? The latest 2.0 version of phpseclib?
I am running the latest 2.0 version of phpseclib with PHP 7.4. I will try to get to this asap, but it could take some time. Sorry.

#1473 addresses this.

This line causes a notice (`Trying to access array offset on value of type bool`) and is not developed defensively enough:

phpseclib/phpseclib/Net/SSH2.php
Line 3471 in 34620af

The switch case above that line provides multiple cases where there is no 'return' to abort method execution.

In those switch cases, there are calls to `\phpseclib\Net\SSH2::_get_binary_packet()`, which internally also calls `\phpseclib\Net\SSH2::_filter()`. Both of these methods falsely advertise that their return type is a `string` when they have multiple instances of boolean returns in their method body.

The real problem therefore is buried in the wrong return types of the two methods mentioned above.

I see that `\phpseclib\Net\SSH2::_filter()` is only called from `\phpseclib\Net\SSH2::_get_binary_packet()`, so changing `_filter()` should be an easy fix. `\phpseclib\Net\SSH2::_get_binary_packet()`, on the other hand, relies on returning false.

I'll try to address that in a PR, but since I am not very familiar with SFTP, I am not sure I will get this right without your help.
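The failure mode reported in this issue, as an added example that is not phpseclib's code: a packet reader whose failure value is `false`, an unguarded caller that indexes the result, and a guarded caller that checks it strictly first. `PacketReader`, `readPacket()`, both `messageType*` functions and the sample packets are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: PacketReader and both callers are hypothetical, not phpseclib's API.
class PacketReader
{
    private $queue; // constructed raw packets standing in for socket reads
    public function __construct(array $queue)
    {
        $this->queue = $queue;
    }
    /** @return string|false payload, or false on a short or inconsistent packet */
    public function readPacket()
    {
        $raw = array_shift($this->queue);
        if ($raw === null || strlen($raw) < 5) {
            return false; // not even a length field and a padding-length byte
        }
        $h = unpack('Npacket_length/Cpadding_length', $raw);
        $payloadLength = $h['packet_length'] - $h['padding_length'] - 1;
        if ($payloadLength < 1 || strlen($raw) < 4 + $h['packet_length']) {
            return false; // header promises more bytes than were received
        }
        return substr($raw, 5, $payloadLength);
    }
}

// Unguarded: trusts a "@return string" annotation and indexes the result directly.
// When readPacket() returns false, PHP 7.4 raises the notice quoted in this issue.
function messageTypeUnguarded(PacketReader $reader)
{
    $payload = $reader->readPacket();
    return ord($payload[0]);
}

// Guarded: strict comparison, so false is never treated as packet data.
function messageTypeGuarded(PacketReader $reader)
{
    $payload = $reader->readPacket();
    if ($payload === false) {
        return false;
    }
    return ord($payload[0]);
}

$reader = new PacketReader([
    "\x00\x00\x00\x0c\x0a\x5e" . str_repeat("\x00", 10), // constructed, well-formed
    "\x00\x00",                                          // constructed, truncated
]);
var_dump(messageTypeGuarded($reader), messageTypeGuarded($reader));
```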