Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix null password config #436

Closed
wants to merge 1 commit into from
Closed

fix null password config #436

wants to merge 1 commit into from

Conversation

star1989
Copy link

@star1989 star1989 commented May 3, 2017

fix null password config

@tillkruss tillkruss added this to the v2.0.0 milestone Aug 10, 2020
@nrk
Copy link
Contributor

nrk commented Aug 22, 2020
edited

The problem with this change is that empty() just apparently fixes the issue (passing "password" => "" would still trigger AUTH)
and potentially introduces a new one where empty("0") === TRUE in silly PHP. Admittedly using 0 as a password would be kind of dumb, but it's just to prove that this PR wouldn't be enough for a proper fix and that's why I'm closing it.

Considering that an empty connection parameter (I mean where value is NULL or a 0-length string) is pretty much useless anyway in our case, I think we can safely filter all of them out in Predis\Connection\Parameters::filter() simpy using array_filter():

$parameters = array_filter($parameters ?: array()), function ($value) {
    return $value !== null && $value !== '';
});

This fix could also be pushed to a patch release of Predis v1.1 I guess, it doesn't change anything in terms of API after all and I don't see why anyone could have a reason or use case to rely on the current behaviour. I'll open a PR against the main branch for now and we'll discuss if backporting this to v1.1 is feasible.

@nrk nrk closed this Aug 22, 2020
nrk added a commit that referenced this pull request Aug 25, 2020
@nrk
Filter NULL and zero-length string values for parameters.
b014d5d 
Having NULL values or zero-length strings for connection parameters does
not make much sense and actually it proved to be an issue with certain
parameters like "password" where an empty string would trigger an AUTH
command with an empty password (and obviously Redis was not happy with
that). The main offenders were a few libraries and frameworks that kept
passing empty values for parameters such as "database" and "password"
even when users left them unconfigured. This fix should make things more
robust and avoid such occurrences in the future.

Related to PR #436 (rejected).
@nrk nrk mentioned this pull request Aug 25, 2020
Merged
nrk added a commit that referenced this pull request Aug 29, 2020
@nrk
Do not push AUTH and SELECT on empty "password" and "database".
31baa9b 
NULL or zero-length string values passed to "password" and "database" in
the connection parameters list do not trigger spurious AUTH and SELECT
commands anymore when connecting to Redis.

Fixes #436.
@nrk
Copy link
Contributor

nrk commented Aug 29, 2020

Fixed for v1.1 in 31baa9b.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
v2.x
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@star1989 @nrk @tillkruss