Skip to content

fix: disallow string callables #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 23, 2022
Merged

fix: disallow string callables #53

merged 2 commits into from
May 23, 2022

Conversation

ramsey
Copy link
Contributor

@ramsey ramsey commented May 23, 2022

Description

We've encountered some cases where the string values "max," "floor," and "tan" were passed as values to replace placeholders in formatted messages. However, since we were doing an is_callable() check on the strings, and PHP has functions with these names, FormatPHP was attempting to call the functions instead of treating them as strings that should replace the placeholders.

Since we should never call a function that is potentially provided from user input, we will disallow the use of string callables. Only array callables and Closures are allowed.

Product requirements and context

How has this been tested?

PR Checklist

  • I have added tests to cover my changes.

@ramsey ramsey marked this pull request as ready for review May 23, 2022 18:39
@ramsey ramsey requested review from jrode, chrisl-13 and tcarrio May 23, 2022 18:41
@qlty-cloud-legacy
Copy link

Code Climate has analyzed commit a282d76 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (80% is the threshold).

This pull request will bring the total coverage in the repository to 97.6% (0.0% change).

View more on Code Climate.

@ramsey ramsey merged commit 4ded2e2 into main May 23, 2022
@ramsey ramsey deleted the string-callable-bug branch May 23, 2022 19:16
jrode
jrode reviewed May 23, 2022
View reviewed changes
tests/Intl/MessageFormatTest.php
public function testStringsMustNotEvaluateAsCallables(): void
{
$message = 'Hello, {firstName} {lastName}!';
$expected = 'Hello, Ceil Floor!';
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👋 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tcarrio tcarrio Awaiting requested review from tcarrio

2 more reviewers

@jrode jrode jrode left review comments

@chrisl-13 chrisl-13 chrisl-13 approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ramsey @jrode @chrisl-13