Newsgroups: php.internals
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Aimeos | Norbert Sendetzky, PHP internals
Subject: Re: PHP 8 is_file/is_dir input handling
Date: Tue, 1 Dec 2020 18:43:24 +0100
In-Reply-To: <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com>

On 01.12.2020 at 18:35, Aimeos | Norbert Sendetzky wrote:

> On 01.12.20 at 18:24, Christoph M. Becker wrote:
>>
>>> In PHP 7, this returns FALSE:
>>>
>>> php -r 'var_dump(is_file("ab\0c"));'
>>>
>>> In PHP 8, the same code throws a ValueException. Problem is now that
>>> it's not possible to check upfront if the passed argument is a valid
>>> path to avoid the exception being thrown.
>>
>> This is only about the NUL byte in the filename. You can easily check
>> for that yourself. :)
>
> There may be other checks that will throw a ValueException. I'm not sure
> how it's implemented in detail because the filestat.c file doesn't
> throw an exception at all:

The exception is thrown from inside the parameter parsing routines
(zend_parse_parameters() and friends). Internal functions differentiate
between string and path, whereas the latter is an arbitrary string which
does not contain NUL bytes. It would likely make sense to document that.
OTOH, it's probably a good idea to check (almost) all user input for NUL
bytes.

> https://github.com/php/php-src/blob/1e9db80d7264911fa4089cb7e4b3dc7f97b19c6e/ext/standard/filestat.c
>
> Can you tell me how you would check for NULL bytes?

See e.g. .

Regards,
Christoph
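
One way to do the up-front check discussed in this thread, as an added example that is not part of the original message or of php-src. The helper names is_nul_free() and safe_is_file() are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHP): true when $input contains no NUL
 * byte, i.e. it will not be rejected for that reason when passed to a
 * function whose parameter is parsed as a path.
 */
function is_nul_free(string $input): bool
{
    return strpos($input, "\0") === false;
}

/**
 * Hypothetical wrapper: is_file() that reports false for NUL-containing
 * input instead of depending on what the running PHP version does with it.
 */
function safe_is_file(string $userPath): bool
{
    if (!is_nul_free($userPath)) {
        return false;              // rejected before any filesystem call
    }
    try {
        return is_file($userPath);
    } catch (\ValueError $e) {     // the error class PHP 8 defines for invalid argument values
        return false;              // covers any other argument check that throws
    }
}

// Constructed sample inputs: two with an embedded NUL byte, one existing
// file (this script itself), one path that does not exist.
$samples = ["ab\0c", "upload.php\0.jpg", __FILE__, "no-such-file.txt"];

foreach ($samples as $sample) {
    printf(
        "%-30s nul_free=%-5s safe_is_file=%s\n",
        addcslashes($sample, "\0"),                 // print NUL as \000
        var_export(is_nul_free($sample), true),
        var_export(safe_is_file($sample), true)
    );
}
```

Running the same is_nul_free() check on request parameters at the input boundary covers the other path-accepting functions as well, not only is_file() and is_dir().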