php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48601 xpath() returns FALSE for legitimate query
Submitted: 2009-06-19 10:57 UTC Modified: 2012-07-08 11:58 UTC
Votes:6
Avg. Score:2.7 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:2 (33.3%)
From: theultramage at gmail dot com Assigned: rrichards
Status: Closed Package: SimpleXML related
PHP Version: 5.4SVN OS: Windows Vista
Private report: No CVE-ID:
 [2009-06-19 10:57 UTC] theultramage at gmail dot com
Description:
------------
SimpleXML's xpath() implementation contains code that returns FALSE for some queries where it should be returning an empty container object.

In revision 1.79 of simplexml.c (http://cvs.php.net/viewvc.cgi/php-src/ext/simplexml/simplexml.c?r1=1.78&r2=1.79) the call to xmlXPathEval() was hotfixed to avoid crashing if the query errored. However, the author also added a check against "retval->nodesetval", treating NULL as an error situation. I believe this was an incorrect decision.

There is a scenario where 'nodesetval' will be NULL - when querying for the attribute of a non-matching element ('/foo/@attr' when there are no 'foo' nodes); in all other 'bad' queries that I tried, 'nodesetval' came initialized and containing zero nodes. So, we can see that for certain queries, simplexml will give an incorrect result. This was already pointed out on 18-dec-2005 by an user comment on the php simplexml::xpath documentation page.

I have sent an inquiry to the xml mailing list (http://mail.gnome.org/archives/xml/2009-June/msg00019.html) asking for clarification, however I believe that the current logic is incorrect. I checked php's DOM module src and libxml's xpath1.c code example, and they do not consider it a problem (DOM initializes empty DOMNodeList, example sets count to 0).

Alternatively, the code should not be messing with what is apparently internal structures, and instead use the API for processing, if one is available.

Reproduce code:
---------------
<?php
	$xml = '<?xml version="1.0" encoding="utf-8"?><dummy/>';
	$db = new SimpleXMLElement($xml);
	if( FALSE !== $db->xpath("/foo/@attr") )
		echo "OK";
	else
		echo "Error!";
?>

Expected result:
----------------
xpath() should return an empty array.

Actual result:
--------------
xpath() returns FALSE.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-06-24 16:13 UTC] theultramage at gmail dot com
From the mail of the main libxml developer (http://mail.gnome.org/archives/xml/2009-June/msg00040.html):

> A NULL object or an empty node set should be treated in the same way.
Also
>There is no iterator API.

So for one part, the current SimpleXML code has a bug because it does not handle the NULL value correctly (should return empty array, not FALSE). And second, there's currently no other solution.
 [2010-05-05 13:40 UTC] rrichards@php.net
Automatic comment from SVN on behalf of rrichards
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=299016
Log: fix bug #48601 (xpath() returns FALSE for legitimate query)
add test
 [2010-05-05 13:42 UTC] rrichards@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: rrichards
 [2010-05-05 13:42 UTC] rrichards@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-08-01 03:21 UTC] stas@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 6CVS-2009-06-19 (snap) +PHP Version: 5.4SVN
 [2011-08-01 03:21 UTC] stas@php.net
Looks like it still happens for me - the unit test fails and the function returns 
false.
 [2011-08-31 11:44 UTC] chregu@php.net
Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=315883
Log: simplexml-&gt;query returns empty array if no nodes were found
and false if libxml thinks the xpath-expression was invalid.
Behaves now the same like DomXPath and fixes Bug #48601
Adjusted a test to reflect that change
 [2011-09-01 13:42 UTC] chregu@php.net
Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=315990
Log: Merge from Trunk
simplexml-&gt;query returns empty array if no nodes were found
and false if libxml thinks the xpath-expression was invalid.
Behaves now the same like DomXPath and fixes Bug #48601
Adjusted a test to reflect that change
 [2011-12-22 08:56 UTC] me at ktamura dot com
I believe this has indeed been fixed.
 [2012-07-08 11:58 UTC] theultramage at gmail dot com
-Status: Re-Opened +Status: Closed
 [2012-07-08 11:58 UTC] theultramage at gmail dot com
Yes, at least with current versions (5.4.3 / 5.3.14) this issue no longer occurs.
 [2012-08-05 21:22 UTC] johnkary at gmail dot com
It's not clear exactly which 5.3 release this bug was actually fixed in. I believe 
I am still encountering this bug in 5.3.8 (on my production server) but do not 
encounter it with the same code in 5.3.14 (on my dev machine). This was made 
evident from actual PHP code I wrote using an XPath query. I have not run the core 
unit tests to confirm this.

Just adding notes here about affected versions for those that come across this bug 
report in the future.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC