r78046 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r78045‎ \| r78046 \| r78047 >
Date:	05:57, 8 December 2010
Author:	tstarling
Status:	ok (Comments)
Tags:
Comment:	Fix for r69139: create_function() is not allowed.
Modified paths:	/trunk/phase3/includes/DjVuImage.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/DjVuImage.php
—	—	@@ -266,10 +266,7 @@
267	267	\| # Or page can be empty ; in this case, djvutxt dumps ()
268	268	$\s*()$/sx
269	269	EOR;
270		~~- $txt = preg_replace_callback( $reg,~~
271		~~- create_function('$matches', 'return \'<PAGE value="\'.htmlspecialchars($matches[1]).\'" />\';'),~~
272		~~- $txt );~~
273		-
	270	+ $txt = preg_replace_callback( $reg, array( $this, 'pageTextCallback' ), $txt );
274	271	$txt = "<DjVuTxt>\n<HEAD></HEAD>\n<BODY>\n" . $txt . "</BODY>\n</DjVuTxt>\n";
275	272	$xml = preg_replace( "/<DjVuXML>/", "<mw-djvu><DjVuXML>", $xml );
276	273	$xml = $xml . $txt. '</mw-djvu>' ;
—	—	@@ -278,6 +275,10 @@
279	276	return $xml;
280	277	}
281	278
	279	+ function pageTextCallback( $matches ) {
	280	+ return '<PAGE value="' . htmlspecialchars( $matches[1] ) . '" />';
	281	+ }
	282	+
282	283	/**
283	284	* Hack to temporarily work around djvutoxml bug
284	285	*/

Follow-up revisions

Revision	Commit summary	Author	Date
r78047	MFT r69139, r78046: replace djvutxt output parsing regex with a slightly less...	tstarling	06:01, 8 December 2010
r78096	1.17: Merge recent fixes tagged on CodeReview, except for problematic revisio...	catrope	21:17, 8 December 2010

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r69139	fix text layer extraction (bug 21526); patch by Simon Lipp	thomasv	11:05, 7 July 2010

Comments

#Comment by Platonides (talk | contribs) 21:04, 20 December 2010

Any special reason?

Note that create_function() is also used in maintenance/fuzz-tester.php and maintenance/upgrade1_5.php

#Comment by Brion VIBBER (talk | contribs) 21:23, 20 December 2010

In general, things like eval(), create_function(), and the /e option on preg_replace() should be avoided:

it's easier to end up shoving an arbitrary string in, causing a code injection vulnerability
it's harder to read and maintain code that's mixed into strings
static analysis tools won't catch warnings and errors in the code
APC can't cache it
create_function() sometimes has garbage-collection issues

Sometimes you really do need them (obviously eval.php needs to run eval() ;) but in most cases like this, we'd rather see the function broken out and referred as a callback.

For future code that runs only under PHP 5.3 and later, note that inline lambda functions will make it easier to make your callback inline while retaining the benefits of code that's written in native syntax instead of strings.

#Comment by Tim Starling (talk | contribs) 02:35, 21 December 2010

I explained it for the patch submitter at https://bugzilla.wikimedia.org/show_bug.cgi?id=21526#c14

#Comment by Platonides (talk | contribs) 22:34, 21 December 2010

Great explanation from both of you!

Status & tagging log

21:19, 8 December 2010 Catrope (talk | contribs) changed the tags for r78046 [removed: 1.17]
15:32, 8 December 2010 Catrope (talk | contribs) changed the status of r78046 [removed: new added: ok]
05:59, 8 December 2010 Tim Starling (talk | contribs) changed the tags for r78046 [added: 1.17]