{"id":1384,"date":"2013-03-06T22:36:02","date_gmt":"2013-03-06T21:36:02","guid":{"rendered":"http:\/\/blog.benny-baumann.de\/?p=1384"},"modified":"2013-03-08T01:51:04","modified_gmt":"2013-03-08T00:51:04","slug":"zero-is-too-large","status":"publish","type":"post","link":"https:\/\/blog.benny-baumann.de\/?p=1384","title":{"rendered":"Zero is too large!"},"content":{"rendered":"

Welcome to our new series of strange bugs. Today we’ve got a brand new candidate called emptyness which is a really great star on the floor of PHP bugs. I was being stumbled upon this one by Thomas Puls who mailed me about the fact, that if you highlight a single 0 with GeSHi, it magically disappears.<\/p>\n

At first thought there are two major issues that might come into play here. The first possibility might be an misguided internal parsing rule which I excluded from being the cause by the fact that there was more to the report, namely the instructions on howto reproduce.<\/p>\n

If you have visited the GeSHi website<\/a> you might know the small demo page<\/a> where you can test out GeSHi to your hearts content. Unfortunately noone anticipated that some easy source like<\/p>\n

0<\/pre>\n
was simply to big to fail – well, somehow it did so anyway:<\/p>\n
There was an error. For large sources this might be caused due to a security limit of this server. For stuff larger than 1MB use file upload.<\/p><\/blockquote>\n
Yeah, you’re right: That’s exactly ONE character there – ASCII 48 to be precise – that’s causing an „Input too large“ error message. So seeing an error message the natural thought is: Something is wrong!<\/p>\n
Let’s get things sorted out. If you follow the flow of information on the demo page you’ll notice that the demo.php submits data to the php_highlighter.php which does all the interfacing work. As a bug in the connection between browser and the script seems a bit awkward the starting place is the part of the script where the parameters are retrieved from the client. This is done quite straight forward with source like this:<\/p>\n
\r\n\/\/ Are there errors to output?\r\nif ( !empty($_POST['url']) )\r\n{\r\n        if (substr($_POST['url'], 0, 7) != 'http:\/\/') {\r\n                exit;\r\n        }\r\n        $code = file_get_contents($_POST['url']);\r\n}\r\nif ( empty($_POST['source']) && ($_FILES['file']['error'] == UPLOAD_ERR_NO_FILE) && ($code == '') && ( !$_POST['source_id'] ) )\r\n{\r\n        $geshi_error = true;\r\n}\r\n\r\nif ( $geshi_error )\r\n{\r\n        die('There was an error. For large sources this might be caused due to a security limit of this server. For stuff larger than 1MB use file upload.');\r\n}\r\n\r\nif ( !empty( $_POST['source'] ) )\r\n{\r\n        $source = $_POST['source'];\r\n}\r\nelseif ( $_FILES['file']['size'] != 0 )\r\n{\r\n        $source = file_get_contents($_FILES['file']['tmp_name']);\r\n}\r\nelseif ( $_POST['source_id'] )\r\n{\r\n        $id = abs(intval($_POST['source_id']));\r\n        $sql = \"SELECT source FROM geshi_highlight_data\r\n                WHERE id = $id\";\r\n        if ( !$result = $db->query($sql) )\r\n        {\r\n                $db->DbDie(mysql_error(), $sql, __LINE__, __FILE__);\r\n        }\r\n        $row = $db->fetchrow($result);\r\n        $source = $row['source'];\r\n}\r\nelse\r\n{\r\n        \/\/ URL upload\r\n        $source = $code;\r\n}\r\n<\/pre>\n
Having a closer look you hopefully spotted the following lines:<\/p>\n
\r\n\/\/ Are there errors to output?\r\nif ( !empty($_POST['url']) )\r\n{\r\n        if (substr($_POST['url'], 0, 7) != 'http:\/\/') {\r\n                exit;\r\n        }\r\n        $code = file_get_contents($_POST['url']);\r\n}\r\nif ( empty($_POST['source']) && ($_FILES['file']['error'] == UPLOAD_ERR_NO_FILE) && ($code == '') && ( !$_POST['source_id'] ) )\r\n{\r\n        $geshi_error = true;\r\n}\r\n\r\nif ( $geshi_error )\r\n{\r\n        die('There was an error. For large sources this might be caused due to a security limit of this server. For stuff larger than 1MB use file upload.');\r\n}\r\n\r\nif ( !empty( $_POST['source'] ) )\r\n{\r\n        $source = $_POST['source'];\r\n}\r\nelseif ( $_FILES['file']['size'] != 0 )\r\n{\r\n        $source = file_get_contents($_FILES['file']['tmp_name']);\r\n}\r\nelseif ( $_POST['source_id'] )\r\n{\r\n        $id = abs(intval($_POST['source_id']));\r\n        $sql = \"SELECT source FROM geshi_highlight_data\r\n                WHERE id = $id\";\r\n        if ( !$result = $db->query($sql) )\r\n        {\r\n                $db->DbDie(mysql_error(), $sql, __LINE__, __FILE__);\r\n        }\r\n        $row = $db->fetchrow($result);\r\n        $source = $row['source'];\r\n}\r\nelse\r\n{\r\n        \/\/ URL upload\r\n        $source = $code;\r\n}\r\n<\/pre>\n
How many of you have spotted the issue by now? If you didn’t you should restart your PHP beginner’s manual – or read the fine documentation<\/a>. \ud83d\ude09<\/p>\n
To correct the problem the best way is to check against the empty string explicitly here which changes the code to look like the following snippet:<\/p>\n
\r\n\/\/ Are there errors to output?\r\nif ( !empty($_POST['url']) )\r\n{\r\n        if (substr($_POST['url'], 0, 7) != 'http:\/\/') {\r\n                exit;\r\n        }\r\n        $code = file_get_contents($_POST['url']);\r\n}\r\nif ( ('' == $_POST['source']) && ($_FILES['file']['error'] == UPLOAD_ERR_NO_FILE) && ($code == '') && ( !$_POST['source_id'] ) )\r\n{\r\n        $geshi_error = true;\r\n}\r\n\r\nif ( $geshi_error )\r\n{\r\n        die('There was an error. For large sources this might be caused due to a security limit of this server. For stuff larger than 1MB use file upload.');\r\n}\r\n\r\nif ( '' != $_POST['source'] )\r\n{\r\n        $source = $_POST['source'];\r\n}\r\nelseif ( $_FILES['file']['size'] != 0 )\r\n{\r\n        $source = file_get_contents($_FILES['file']['tmp_name']);\r\n}\r\nelseif ( $_POST['source_id'] )\r\n{\r\n        $id = abs(intval($_POST['source_id']));\r\n        $sql = \"SELECT source FROM geshi_highlight_data\r\n                WHERE id = $id\";\r\n        if ( !$result = $db->query($sql) )\r\n        {\r\n                $db->DbDie(mysql_error(), $sql, __LINE__, __FILE__);\r\n        }\r\n        $row = $db->fetchrow($result);\r\n        $source = $row['source'];\r\n}\r\nelse\r\n{\r\n        \/\/ URL upload\r\n        $source = $code;\r\n}\r\n<\/pre>\n
Having the interface working right and now even accepting the single zero as an input let’s move on to the next level – since as to be expected this didn’t fix the problem \ud83d\ude09<\/p>\n
The next piece of code that is called by php_highlighter.php is the constructor of the GeSHi object doing all the actual highlighting work passing to it the – now valid – value of $source. The code there looks like this:<\/p>\n
\r\n    \/**\r\n     * Creates a new GeSHi object, with source and language\r\n     *\r\n     * @param string The source code to highlight\r\n     * @param string The language to highlight the source with\r\n     * @param string The path to the language file directory. <b>This\r\n     *               is deprecated!<\/b> I've backported the auto path\r\n     *               detection from the 1.1.X dev branch, so now it\r\n     *               should be automatically set correctly. If you have\r\n     *               renamed the language directory however, you will\r\n     *               still need to set the path using this parameter or\r\n     *               {@link GeSHi->set_language_path()}\r\n     * @since 1.0.0\r\n     *\/\r\n    function GeSHi($source = '', $language = '', $path = '') {\r\n        if (!empty($source)) {\r\n            $this->set_source($source);\r\n        }\r\n        if (!empty($language)) {\r\n            $this->set_language($language);\r\n        }\r\n        $this->set_language_path($path);\r\n    }\r\n<\/pre>\n
With a small change in the constructor even the demo page now works properly:<\/p>\n
\r\n    \/**\r\n     * Creates a new GeSHi object, with source and language\r\n     *\r\n     * @param string The source code to highlight\r\n     * @param string The language to highlight the source with\r\n     * @param string The path to the language file directory. <b>This\r\n     *               is deprecated!<\/b> I've backported the auto path\r\n     *               detection from the 1.1.X dev branch, so now it\r\n     *               should be automatically set correctly. If you have\r\n     *               renamed the language directory however, you will\r\n     *               still need to set the path using this parameter or\r\n     *               {@link GeSHi->set_language_path()}\r\n     * @since 1.0.0\r\n     *\/\r\n    function GeSHi($source = '', $language = '', $path = '') {\r\n        if ('' != $source) {\r\n            $this->set_source($source);\r\n        }\r\n        if ('' != $language) {\r\n            $this->set_language($language);\r\n        }\r\n        $this->set_language_path($path);\r\n    }\r\n<\/pre>\n
Remember: ‚0‘ can be quite large source and leave your page feel kinda empty. \ud83d\ude09<\/p>\n
\"Flattr<\/a><\/p>","protected":false},"excerpt":{"rendered":"
Welcome to our new series of strange bugs. Today we’ve got a brand new candidate called emptyness which is a really great star on the floor of PHP bugs. I was being stumbled upon this one by Thomas Puls who mailed me about the fact, that if you highlight a single 0 with GeSHi, it […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[3],"tags":[14,98,347,345,13,21],"class_list":["post-1384","post","type-post","status-publish","format-standard","hentry","category-geshi","tag-bugs","tag-developement","tag-fun","tag-geshi","tag-patch","tag-php"],"_links":{"self":[{"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/posts\/1384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1384"}],"version-history":[{"count":7,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/posts\/1384\/revisions"}],"predecessor-version":[{"id":1391,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=\/wp\/v2\/posts\/1384\/revisions\/1391"}],"wp:attachment":[{"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.benny-baumann.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}