ZF-3334: Zend_Rest_Server faults with empty page on strange keys in _structValue()

Issue Type: Bug Created: 2008-05-28T00:51:20.000+0000 Last Updated: 2008-11-08T00:44:13.000+0000 Status: Resolved Fix version(s): Reporter: Christian Kissner (chrispsm&w) Assignee: Davey Shafik (davey) Tags: - Zend_Rest_Server

Related issues: - ZF-3338



Trying to return associative structs / arrays with XML-invalid keys (e.g. Zend_Db_Profiler_Query) breaks _structValue.

<pre class="highlight">
    protected function _structValue($struct, DOMDocument $dom, DOMElement $parent)
        $struct = (array) $struct;

        foreach ($struct as $key => $value) {
          // at this point $struct can have strange keys (.e.g "*_query")
          //  $key=preg_replace('/[^a-zA-Z0-9_-]/','_',$key); // this could sanitize $key
            if ($value === false) {
                $value = 0;
            } elseif ($value === true) {
                $value = 1;

            if (ctype_digit((string) $key)) {
                $key = 'key_' . $key;

            if (is_array($value) || is_object($value)) {
                $element = $dom->createElement($key); // this is generates an exception because $key is invalid XML

Finally, the fault exception handler registered in the constructor fails to output anything because fault() is designed to return the DomDocument Instead. Suggest to register a separate handler.


Posted by Christian Kissner (chrispsm&w) on 2008-05-28T04:24:25.000+0000

Actually, the issue appears with private and protected object properties:

[… ] If an object is converted to an array, the result is an array whose elements are the object's properties. The keys are the member variable names, with a few notable exceptions: private variables have the class name prepended to the variable name; protected variables have a '*' prepended to the variable name. These prepended values have null bytes on either side. This can result in some unexpected behaviour:

I don't think private/protected properties should be returned. Suggested fix:

<pre class="highlight">
    protected function _structValue($struct, DOMDocument $dom, DOMElement $parent)
        if (is_object($struct)) $struct=get_object_vars($struct);
        $struct = (array) $struct;

Posted by Wil Sinclair (wil) on 2008-06-07T21:46:42.000+0000

Please evaluate and fix/categorize as necessary.

Posted by Benjamin Eberlei (beberlei) on 2008-11-08T00:44:13.000+0000

See ZF-3338 - This issue has been fixed already in one of the many duplicate entries of this bug.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.