Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112343
Return-Path: <paul.crovella@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89074 invoked from network); 1 Dec 2020 18:40:19 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 1 Dec 2020 18:40:19 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 3322D180511
	for <internals@lists.php.net>; Tue,  1 Dec 2020 10:07:47 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <paul.crovella@gmail.com>
Received: from mail-ot1-f51.google.com (mail-ot1-f51.google.com [209.85.210.51])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  1 Dec 2020 10:07:46 -0800 (PST)
Received: by mail-ot1-f51.google.com with SMTP id f12so2530355oto.10
        for <internals@lists.php.net>; Tue, 01 Dec 2020 10:07:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=uifiMIpq3TVc2QIdy2bQDryesnEfUmbPgKzCsQ/9p2Q=;
        b=W3LZZZGxKFbte0oklm6sWguSHWxL4ZU6ncTdhMxxtXShIAf2V3waKE9dioCZbP181g
         tJ46vCK93PTPgH0fq6H0z0gq+IYgNgEubJ/lcknY4yB6yYJABD1ZZgC3igQh5GICkWve
         Zc41188dl35m29pE07XTDhL47BkyganckAxrlk/TtI5VW8He+na5yEqshz5o0/bK1gXj
         31S/SNsIQ60rlAdjVf7KnVH3rXtRiPBeEIL3+RCbvUKbCrfvmV6RemjLYAAc7Ox0cbOi
         OyG7DPnLwVLVrtMaXIe8I3SgPn7JUGLqXeONktaVpnD7Xkk8bdRTjL6GePtipnT/wEs3
         GjvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=uifiMIpq3TVc2QIdy2bQDryesnEfUmbPgKzCsQ/9p2Q=;
        b=o1jOEjRSvmX7OyI6efXt6r9u/l+nbBlMUAHk9COK1zjWvCVTNTAzTAZRwpYtp4cT5t
         LD4KOQoQPIfwNUrbanN6ZzLxDTOx/LsBF/BAg43HJi7VIpxItXOIq8qbj61X8tQNeNHY
         et/cPltmjNn9MzVRXuU+IKkuJOXHbz8gRSqiC9EjRNFy/HUjczze0rxFz3VvTvsjB1s4
         4ESeSzrrDDuIuWlDhYrm1O0ml3EiKLuTsANr05de3jquNtzIcH1clBnGoparnpVS2OCV
         02IUcehQAp3WZcqX7zMRJRpQGcDXxg3QUIHDdZPF31Oqtpt/R/0wQ3Zg7U6+mkLJt0Y7
         4SoQ==
X-Gm-Message-State: AOAM533K9epmgjJBLgTBPSJM9EyzllyJhzALSS8oacQBdxvjzjDCCXok
	4xD0/bWW2CGmnmeun9M0OVTPe7YRkyl2ijoAeA==
X-Google-Smtp-Source: ABdhPJyQ1tBL4tT30ihMWdh5uFRyVSLvRNPzR8rZbFLdvphGpo9u7DbRuWCVdkUwnWABd4jTwhFnzGuyxtsvwT2tAIs=
X-Received: by 2002:a05:6830:22eb:: with SMTP id t11mr2810927otc.114.1606846063653;
 Tue, 01 Dec 2020 10:07:43 -0800 (PST)
MIME-Version: 1.0
References: <b845d5bf-63da-d564-1f0f-cc934188d693@aimeos.com>
 <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de> <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com>
 <fad4cc49-0f40-53f1-400c-90ff01ffdccb@gmx.de>
In-Reply-To: <fad4cc49-0f40-53f1-400c-90ff01ffdccb@gmx.de>
Date: Tue, 1 Dec 2020 10:07:31 -0800
Message-ID: <CAN2symiHHJVGvaLYMD=Qes0Wy06dZRtzPeonNBUWOBRbiTdo5g@mail.gmail.com>
To: "Christoph M. Becker" <cmbecker69@gmx.de>
Cc: "Aimeos | Norbert Sendetzky" <norbert@aimeos.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
From: paul.crovella@gmail.com (Paul Crovella)

On Tue, Dec 1, 2020 at 9:43 AM Christoph M. Becker <cmbecker69@gmx.de> wrote:
>
> On 01.12.2020 at 18:35, Aimeos | Norbert Sendetzky wrote:
>
> > Am 01.12.20 um 18:24 schrieb Christoph M. Becker:
> >>
> >>> In PHP 7, this returns FALSE:
> >>>
> >>> php -r 'var_dump(is_file("ab\0c"));'
> >>>
> >>> In PHP 8, the same code throws a ValueException. Problem is now that
> >>> it's not possible to check upfront if the passed argument is a valid
> >>> path to avoid the exception being thrown.
> >>
> >> This is only about the NUL byte in the filename.  You can easily check
> >> for that yourself. :)
> >
> > There may be other checks that will throw a ValueException. I'm not sure
> > how it's implemented in detail because the filestat.c file doesn't
> > thrown an exception at all:
>
> The exception is thrown from inside the parameter parsing routines
> (zend_parse_parameters() and friends).  Internal function differenciate
> between string and path, whereas the latter is an arbitrary string which
> does not contain NUL bytes.
>
> It would likely make sense to document that.  OTOH, it's probably a good
> idea to check (almost) all user input for NUL bytes.

Would it not make more sense for something like is_file to have
obvious sane behavior and simply return false itself? I don't
understand the resistance to making it more difficult for a developer
to screw something up.