Bug #47701 print_r sends output when $return set to true if memory limit is reached
Submitted: 2009-03-18 02:37 UTC Modified: 2009-03-21 23:37 UTC
From: paul at paulmcgarry dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 5.2.9 OS: Linux
Private report: No CVE-ID: None
 [2009-03-18 02:37 UTC] paul at paulmcgarry dot com
Description:
------------
This relates to Bug #47020 which I believe has been incorrectly set to 
bogus.

I have been using print_r() while processing $errcontext in an error 
handling function, i.e. one registered with set_error_handler().

It seems that when print_r() hits the memory limit it exposes my 
entire error context to the user.

print_r having a failure mode where it exposes potentially private 
data to the user is a security issue.

If it can't be fixed easily then it should be documented.
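
One way to record the error context without calling print_r(), added here as an example; it is not code from the report or from PHP itself. It assumes the behaviour documented in the PHP manual, that print_r() with $return set collected its text through internal output buffering before PHP 7.1.0; bounded_dump(), log_error_context() and the limits are hypothetical names and values.

```php
<?php
// Added example (not from the bug thread). Names and limits are illustrative.

// Build a size-bounded text dump by string concatenation only. Nothing here
// writes to an output buffer, so a fatal error part-way through leaves the
// partial dump in a discarded variable rather than in pending output.
function bounded_dump($value, $maxDepth = 3, $maxItems = 20, $maxString = 200)
{
    if (is_array($value)) {
        if ($maxDepth <= 0) {
            return 'array(' . count($value) . ' items)';
        }
        $parts = array();
        foreach ($value as $key => $item) {
            if (count($parts) >= $maxItems) {
                $parts[] = '...';
                break;
            }
            $parts[] = $key . ' => '
                . bounded_dump($item, $maxDepth - 1, $maxItems, $maxString);
        }
        return 'array(' . implode(', ', $parts) . ')';
    }
    if (is_object($value)) {
        return 'object(' . get_class($value) . ')'; // class name only
    }
    if (is_string($value)) {
        $cut = strlen($value) > $maxString ? '...' : '';
        return '"' . substr($value, 0, $maxString) . $cut . '"';
    }
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }
    if (is_null($value)) {
        return 'NULL';
    }
    return is_scalar($value) ? (string) $value : gettype($value);
}

// $errcontext is only passed by PHP versions before 8.0, hence the default.
function log_error_context($errno, $errstr, $errfile, $errline, $errcontext = array())
{
    error_log("[$errno] $errstr at $errfile:$errline context=" . bounded_dump($errcontext));
    return true; // skip PHP's built-in handler
}

set_error_handler('log_error_context');
```

The depth and item limits also keep the dump small when $errcontext holds self-referencing arrays such as $GLOBALS, which makes reaching the memory limit inside the handler less likely in the first place.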








 [2009-03-18 11:06 UTC] mmcnicklebugs at googlemail dot com
This has been fixed in CVS.

-- Martin McNickle
 [2009-03-18 12:08 UTC] scottmac@php.net
Martin, where exactly is this fix?

I looked through the NEWS file and saw no entries.
 [2009-03-18 23:25 UTC] felipe@php.net
Please, see bug #47020.

Thanks.
 [2009-03-18 23:37 UTC] paul at paulmcgarry dot com
I mentioned 47020 in the first sentence of my initial report so 
referring me to it is hardly enlightening or productive and pretty 
much indicates you didn't bother to read the report at all (we are 
all no doubt time poor, so I understand the temptation!).

If this is bogus then please explain why.

Personally I cannot see how a failure mode that potentially exposes 
private data to the user can not be a genuine issue.
 [2009-03-19 01:20 UTC] felipe@php.net
My mistake, Paul. Sorry.
 [2009-03-21 23:11 UTC] jani@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.


 [2009-03-21 23:12 UTC] jani@php.net
FYI: print_f / var_dump are for debugging ONLY..
 [2009-03-21 23:14 UTC] jani@php.net
Uh..disregard my previous comment. 

This is still bogus. Add your comments to bug #47020 instead of 
reporting same thing twice..
 [2009-03-21 23:37 UTC] paul at paulmcgarry dot com
I didn't submit the other bug and don't have a CVS account. As far as I can see that means I can't "Add your comments to bug #47020" so telling me to do so is pointless.

The original reporter of that bug _did_ add further detail and yet that bug still sits as bogus.

If this is bogus then please explain why. Don't just point to another bug that was marked as bogus with no reason given.

I'm sure you are busy, but this is all very disheartening from a bug reporter's perspective.
 