Doctrine 1

Reimporting exported data-fixtures fails if they contain <? or <?php

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Critical Critical
  • Resolution: Won't Fix
  • Affects Version/s: 1.0.14, 1.1.4, 1.2.1
  • Fix Version/s: None
  • Component/s: Data Fixtures, File Parser
  • Labels:
    None

Description

In Doctrine_Parser::doLoad() the fixtures are included which will try to execute the file with the php-interpreter resulting in all unescapted code which starts with <? (if shorttags are on) or <?php being executed (as long as it is in one line and ends with ?>).
As long as the php-code is multi-lined the break after <? or <?php gets converted to \r\n which will create a parse-error and make it impossible to import the fixture:

build-all-reload - Are you sure you wish to drop your databases? (y/n)
y
build-all-reload - Successfully dropped database for connection named 'development'
build-all-reload - Generated models successfully from YAML schema
build-all-reload - Successfully created database for connection named 'development'
build-all-reload - Created tables successfully


Warning: Unexpected character in input:  '\' (ASCII=92) state=1 in /..../doctrine/data/fixtures/data.yml on line 9724

Call Stack:
    0.0003      72344   1. {main}() /.../scripts/doctrine-cli:0
    0.7356   14656192   2. Doctrine_Cli->run() /.../scripts/doctrine-cli:25
    0.7356   14656256   3. Doctrine_Cli->_run() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:452
    0.7367   14666244   4. Doctrine_Cli->executeTask() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:498
    0.7367   14666388   5. Doctrine_Task_BuildAllReload->execute() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:516
    4.2097   22318416   6. Doctrine_Task_LoadData->execute() /.../library/doctrine/1.2.1/lib/Doctrine/Task/BuildAllReload.php:56
    4.2176   22318488   7. Doctrine_Core::loadData() /.../library/doctrine/1.2.1/lib/Doctrine/Task/LoadData.php:43
    4.2185   22357660   8. Doctrine_Data->importData() /.../library/doctrine/1.2.1/lib/Doctrine/Core.php:996
    4.2202   22472372   9. Doctrine_Data_Import->doImport() /.../library/doctrine/1.2.1/lib/Doctrine/Data.php:222
    4.2202   22472440  10. Doctrine_Data_Import->doParsing() /.../library/doctrine/1.2.1/lib/Doctrine/Data/Import.php:112
    4.2204   22488760  11. Doctrine_Parser::load() /.../library/doctrine/1.2.1/lib/Doctrine/Data/Import.php:95
    4.2204   22489152  12. Doctrine_Parser_Yml->loadData() /.../library/doctrine/1.2.1/lib/Doctrine/Parser.php:89
    4.2204   22489216  13. Doctrine_Parser->doLoad() /.../library/doctrine/1.2.1/lib/Doctrine/Parser/Yml.php:78

Parse error: syntax error, unexpected T_STRING in /.../data/fixtures/data.yml on line 9724

Call Stack:
    0.0003      72344   1. {main}() /.../scripts/doctrine-cli:0
    0.7356   14656192   2. Doctrine_Cli->run() /.../scripts/doctrine-cli:25
    0.7356   14656256   3. Doctrine_Cli->_run() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:452
    0.7367   14666244   4. Doctrine_Cli->executeTask() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:498
    0.7367   14666388   5. Doctrine_Task_BuildAllReload->execute() /.../library/doctrine/1.2.1/lib/Doctrine/Cli.php:516
    4.2097   22318416   6. Doctrine_Task_LoadData->execute() /.../library/doctrine/1.2.1/lib/Doctrine/Task/BuildAllReload.php:56
    4.2176   22318488   7. Doctrine_Core::loadData() /.../library/doctrine/1.2.1/lib/Doctrine/Task/LoadData.php:43
    4.2185   22357660   8. Doctrine_Data->importData() /.../library/doctrine/1.2.1/lib/Doctrine/Core.php:996
    4.2202   22472372   9. Doctrine_Data_Import->doImport() /.../library/doctrine/1.2.1/lib/Doctrine/Data.php:222
    4.2202   22472440  10. Doctrine_Data_Import->doParsing() /.../library/doctrine/1.2.1/lib/Doctrine/Data/Import.php:112
    4.2204   22488760  11. Doctrine_Parser::load() /.../library/doctrine/1.2.1/lib/Doctrine/Data/Import.php:95
    4.2204   22489152  12. Doctrine_Parser_Yml->loadData() /.../library/doctrine/1.2.1/lib/Doctrine/Parser.php:89
    4.2204   22489216  13. Doctrine_Parser->doLoad() /.../library/doctrine/1.2.1/lib/Doctrine/Parser/Yml.php:78

That can happen with unescapted <?xml too if short-tags are active and result in parse-error.

A way to load fixtures without running it through the php-interpreter would be nice or the <? needs to be escaped on export and unescaped on import.

Checked with version 1.2.1, 1.1.4 and 1.0.14, all versions share this code.

This "bug" can probably get a bit ugly in the raw case that a persons is using that dump-feature with something like 

<?php system('rm -rf /'); ?>

anywhere in the database.
As long as the code is in one line there aren't any \r\n added and it will get executed without.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jonathan H. Wage added a comment -

I think this is somewhat expected. As I have stressed in the past. Dumping data fixtures from the database can never work 100%. The idea is that you dump to get started, then modify the dumped fixtures so that they will re-import properly. If you have a suggested fix/patch please feel free to share and re-open.

Show
Jonathan H. Wage added a comment - I think this is somewhat expected. As I have stressed in the past. Dumping data fixtures from the database can never work 100%. The idea is that you dump to get started, then modify the dumped fixtures so that they will re-import properly. If you have a suggested fix/patch please feel free to share and re-open.
Hide
Permalink
Jannis Mosshammer added a comment -

I modified the doLoad() function to not use include but file_get_contents and the import of some critical fields (which contained xml data as well as raw php data) worked fine.

But honestly, I've got the feeling that I haven't really understood why the yaml load is done via including the file and saving the output buffer - so maybe I'm missing the big picture.
My altered version of the doLoad function looks like this:

Unable to find source-code formatter for language: php. Available languages are: actionscript, html, java, javascript, none, sql, xhtml, xml
abstract class Doctrine_Parser
{
    ...
    /**
     * doLoad
     *
     * Get contents whether it is the path to a file file or a string of txt.
     * Either should allow php code in it.
     *
     * @param string $path 
     * @return void
     */
    public function doLoad($path)
    {
        //ob_start();
        if ( ! file_exists($path)) {
            $contents = $path;
            $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dparser_' . microtime();

            file_put_contents($path, $contents);
        }

	    $contents = file_get_contents($path);
        /*include($path);
        // Fix #1569. Need to check if it's still all valid
        $contents = ob_get_clean(); //iconv("UTF-8", "UTF-8", ob_get_clean());
		*/
        return $contents;
    }
    ...
}
Show
Jannis Mosshammer added a comment - I modified the doLoad() function to not use include but file_get_contents and the import of some critical fields (which contained xml data as well as raw php data) worked fine. But honestly, I've got the feeling that I haven't really understood why the yaml load is done via including the file and saving the output buffer - so maybe I'm missing the big picture. My altered version of the doLoad function looks like this: Unable to find source-code formatter for language: php. Available languages are: actionscript, html, java, javascript, none, sql, xhtml, xml abstract class Doctrine_Parser { ... /** * doLoad * * Get contents whether it is the path to a file file or a string of txt. * Either should allow php code in it. * * @param string $path * @ return void */ public function doLoad($path) { //ob_start(); if ( ! file_exists($path)) { $contents = $path; $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dparser_' . microtime(); file_put_contents($path, $contents); } $contents = file_get_contents($path); /*include($path); // Fix #1569. Need to check if it's still all valid $contents = ob_get_clean(); //iconv( "UTF-8" , "UTF-8" , ob_get_clean()); */ return $contents; } ... }

People

  • Assignee:
    Jonathan H. Wage
    Reporter:
    Benjamin Steininger
Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: