Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

function escapeUrl accept only string #20

Closed
ikac5 opened this issue Jun 25, 2021 · 17 comments
Closed

function escapeUrl accept only string #20

ikac5 opened this issue Jun 25, 2021 · 17 comments
Assignees
@Ocramius
Labels
BC Break Bug Something isn't working Invalid This doesn't seem right

Comments

@ikac5
Copy link

ikac5 commented Jun 25, 2021

Bug Report

Can't view any product in magento in admin panel

Summary

Current behavior

TypeError: rawurlencode() expects parameter 1 to be string, int given in /var/www/vhosts/wag.ls/html/vendor/laminas/laminas-escaper/src/Escaper.php:246

How to reproduce

Expected behavior
@ikac5 ikac5 added the Bug Something isn't working label Jun 25, 2021
@maglnet
Copy link

maglnet commented Jun 25, 2021
edited
Loading

It seems like a similar problem happens for escapeHtmlAttr, escapeJs and escapeCss after declare(strict_types=1); was introduced in 2.7.1 yesterday.

@Ocramius
Copy link
Member

Ocramius commented Jun 25, 2021 via email

@oburk
Copy link

oburk commented Jun 25, 2021

I can confirm this bug. I got the following PHP warnings after update from laminas/laminas-escaper version 2.7.0 to 2.7.1

[25-Jun-2021 11:49:32 Europe/Berlin] TypeError: preg_match() expects parameter 2 to be string, int given in /backend/vendor/laminas/laminas-escaper/src/Escaper.php:403
#0 /backend/vendor/laminas/laminas-escaper/src/Escaper.php(403): preg_match('/^./su', 1045)
#1 /backend/vendor/laminas/laminas-escaper/src/Escaper.php(371): Laminas\Escaper\Escaper->isUtf8(1045)
#2 /backend/vendor/laminas/laminas-escaper/src/Escaper.php(204): Laminas\Escaper\Escaper->toUtf8(1045)
#3 /backend/lib/Base/Helper/String.php(2202): Laminas\Escaper\Escaper->escapeHtmlAttr(1045)

@Ocramius
Copy link
Member

Ocramius commented Jun 25, 2021 via email

@oburk
Copy link

oburk commented Jun 25, 2021

I agree it is not a technical bug, but it is not common to change function behavior inside a patch release.

@maglnet
Copy link

maglnet commented Jun 25, 2021
edited
Loading

Well, yes.
Nevertheless looking into the code, there was additional handling for digits as well (the ctype_digit check).

laminas-escaper/src/Escaper.php

Lines 205 to 207 in 77c248d

if ($string === '' || ctype_digit($string)) {
return $string;
}

@Ocramius
Would there be chances to allow getting integers to work again by providing a MR, or wouldn't you accept this?

@Ocramius
Copy link
Member

Ocramius commented Jun 25, 2021 via email

@maglnet
Copy link

maglnet commented Jun 25, 2021

Ok, I'm fine with it 👍 but not happy :-D

@gntlby
Copy link

gntlby commented Jun 25, 2021

I can't see the products on both the frontend and the admin panel.

TypeError: rawurlencode() expects parameter 1 to be string, bool given in /vendor/laminas/laminas-escaper/src/Escaper.php:246

@Ocramius
Copy link
Member

Ocramius commented Jun 25, 2021
edited
Loading

Closing here: please refer to your stack trace, and find the first occurrence of a call to the Escaper that comes from a component that is not passing it a string.

The API signature states that only strings should be passed in.

This string signature exists in laminas/laminas-escaper since 2.0.0-beta5 (its initial introduction): https://github.com/zendframework/zendframework/blob/18c8e223f070deb07c17543ed938b54542aa0ed8/library/Zend/Escaper/Escaper.php#L196-L199

That is from 2012-07-04, which is 9 years ago.

no release allowed for int to be explicitly passed in.

@Ocramius Ocramius self-assigned this Jun 25, 2021
@Ocramius Ocramius added BC Break Invalid This doesn't seem right labels Jun 25, 2021
@Blaimi
Copy link

Blaimi commented Jun 25, 2021

issued in magento as magento/magento2#33346 with a fix in PR magento/magento2#33353.

@Ocramius Ocramius mentioned this issue Jun 25, 2021
Closed
@hostep
Copy link

hostep commented Jun 25, 2021

@Ocramius: thanks for linking to this issue, I didn't see it before because it was already closed.

Should we at least keep it open and have a further discussion about this?

Would be great if we can remove the declare(strict_types=1); additions of version 2.7.1 and release a new 2.7. 2 version.
You can add declare(strict_types=1); later again in version 3.0.0

This package is part of a framework, you should try to do your best to not cause backwards compatible breaking changes if possible.
And yes having declare(strict_types=1); is nice, but not at the cost of the users of your framework to cause them headaches in minor or patch version upgrades. Even if those users of your framework are calling the methods with incorrectly typed parameters.

/cc @weierophinney, @ghostwriter

@weierophinney
Copy link
Member

@hostep see #21 (comment)

@Ocramius
Copy link
Member

This package is part of a framework, you should try to do your best to not cause backwards compatible breaking changes if possible.

This package was never compatible with non-string input: that is an accident, not a BC compliance surface.

BC compliance is all fine (I literally made a whole talk about it, and wrote tooling to check it), but it is limited to what is considered acceptable usage.

@pcGarethJames
Copy link

This package was never compatible with non-string input: that is an accident, not a BC compliance surface.

Accident or not it was still compatible with non-string values, and was also not enforcing types either so surely any change to rectify that accident would be a BC breaking change, regardless of any amount documentation/history to that function?

I agree these things need to be enforced, and that Magento needs to sort its side out, but I agree with @hostep that this should be a major change, not a patch.

@ProxiBlue ProxiBlue mentioned this issue Jun 26, 2021
Closed
1 task
This was referenced Jun 26, 2021
Closed
Closed
This was referenced Jun 26, 2021
Closed
Merged
@griesi007 griesi007 mentioned this issue Jul 1, 2021
Closed
This was referenced Jul 5, 2021
Closed
Closed
@WillyBaldy
Copy link

Accident or not it was still compatible with non-string values, and was also not enforcing types either so surely any change to rectify that accident would be a BC breaking change, regardless of any amount documentation/history to that function?

Totally agree, I really think that adding declare(strict_types=1); in source code for a minor release is highly risky, there's so much side effects possible especially in a framework. The argument that the signatures were documented in such a way since the beginning of time is great in theory, but tell that to my test units :-D

@Ocramius
Copy link
Member

tell that to my test units :-D

You evidently have some properly invalid scenarios in there.

I'm closing + locking here - the chapter is closed, and specified types are not an opinion.

@laminas laminas locked as resolved and limited conversation to collaborators Jul 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Ocramius Ocramius

Labels
BC Break Bug Something isn't working Invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@weierophinney @hostep @Ocramius @Blaimi @WillyBaldy @maglnet @oburk @gntlby @pcGarethJames @ikac5