View Issue Details

IDProjectCategoryView StatusLast Update
0001194Xdebugpublic2016-08-01 20:30
Reporterrubinlinux Assigned Toderick  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Platformx86_64OSLinuxOS VersionDebian 7 and 8
Product Version2.2.5 
Fixed in Version2.4.0rc2 
Summary0001194: When catching assert() from php, error message is html-encoded twice, resulting in unreadable text
Description

When xdebug intercepts assert() warnings from PHP, they can contain an optional message field. This message field is passed into the message part of the top of the stack trace when xdebug prints it (html version).

However, if any special characters such as quotes, ampersands etc appear in the message, they are encoded twice instead of once. This results in the browser showing the encoding, instead of the character intended

Steps To Reproduce

I have a simple apache/modphp install with xdebug enable, error reporting enabled etc.

Viewing a web page whose code is:

assert(0, "TEST&TEST");

xdebug incorrectly prints:

...Warning: assert(): TEST&TEST failed in...

It should print:
...Warning: assert(): TEST&TEST failed in....

This is also true for other html special chars such as quote (") and less-than (<).

Additional Information

When xdebug_disable() is called before the assert(), PHP prints the standard non-stack based html error message with the message correctly encoded only once.

When xdebug_print_function_stack("TEST&TEST") is called, the message is correctly encoded only once.

I suspect PHP is passing the message pre-encoded to xdebug, where it is being encoded again by line 276 of xdebug_stack.c

TagsNo tags attached.
Operating SystemDebian 7 and 8
PHP Version5.6.10-5.6.14

Activities

rubinlinux

2015-11-05 22:05

reporter   ~0003204

Note, mantis is apparently also decoding html encodings, making my post a bit different than intended.

derick

2015-11-23 16:04

administrator   ~0003257

Fixed for 2.4.0. Thanks for your report!

rubinlinux

2015-11-24 19:25

reporter   ~0003265

Hi Derick,

Thanks so much for working on this.

I fear the patch (https://github.com/xdebug/xdebug/commit/7d9f78c800f8714bbb40b0df003dbdd41acb96fc) may be incomplete.

I suspect strongly that lots of other cases besidse assert() itself are also pre-enecoded. For example I note that a pg_query() call can error if there is an error in the SQL, and the SQL will be double-encoded as well.

I know this makes it a lot more complicated :( I'm not sure how to tell in a more generic sense which error cases would have encoded their content or not.

derick

2015-12-01 21:14

administrator   ~0003275

The problem is, I have no way to tell either :-/

derick

2015-12-15 21:38

administrator   ~0003351

I'm going to change this to resolved. If something in the future pops up (i.e., somebody complains) I can have another look.

Issue History

Date Modified Username Field Change
2015-11-05 22:02 rubinlinux New Issue
2015-11-05 22:05 rubinlinux Note Added: 0003204
2015-11-20 17:52 derick Target Version => 2.4.1
2015-11-20 17:52 derick Steps to Reproduce Updated
2015-11-23 16:04 derick Note Added: 0003257
2015-11-23 16:04 derick Status new => closed
2015-11-23 16:04 derick Assigned To => derick
2015-11-23 16:04 derick Resolution open => fixed
2015-11-23 16:04 derick Fixed in Version => 2.4.0
2015-11-24 19:25 rubinlinux Note Added: 0003265
2015-11-24 19:25 rubinlinux Status closed => feedback
2015-11-24 19:25 rubinlinux Resolution fixed => reopened
2015-12-01 21:14 derick Note Added: 0003275
2015-12-07 11:32 derick Fixed in Version 2.4.0 => 2.4.0rc2
2015-12-15 21:38 derick Note Added: 0003351
2015-12-15 21:38 derick Status feedback => resolved
2015-12-15 21:38 derick Resolution reopened => fixed
2016-07-31 12:35 derick Category Debug client (console) => debugclient (debugging tool)
2016-07-31 12:35 derick Category debugclient (debugging tool) => (No Category)
2016-08-01 20:29 derick Target Version 2.4.1 => 2.4.2
2016-08-01 20:30 derick Target Version 2.4.2 =>