Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:112346 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 95857 invoked from network); 1 Dec 2020 19:08:08 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 1 Dec 2020 19:08:08 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 3EF741804C4 for ; Tue, 1 Dec 2020 10:35:37 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 1 Dec 2020 10:35:36 -0800 (PST) Received: by mail-ot1-f44.google.com with SMTP id f12so2618145oto.10 for ; Tue, 01 Dec 2020 10:35:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NJCWOhgZ/4C6G7gQGlDcxo4KoWSbslymxfne9yt723M=; b=pcfE+PjYjhTH/BYo8gDEn3jMsp+0tHdbLmxo987yirGsrHcZM6r5McPSqaORXGvNN3 OyoJeGP8BTvclrDIRQ7jRhDYIE5apZLiM1s9nNuImEOOnA3+sSZVXd3JGzH8+d1JMfsN oFKLYcbEC6OlLXu2oK0BDr/RTSBnRX7iNIj06rj+NnHdXoPGnk/N+rp5g1ecOMj0Wthi JPzsUZP77Anx6aSoaxlxJf6PXd1XNrO/W0DlJlA8f1qBKho1cZAleGJpIpNqd8o5dSp1 TlIXvK2Sa2Sh0dEYT6isfk7ah/TER0SLTkD73BVpNNZpBP0pPsebPj4dKfN6fBePVu0u +dCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NJCWOhgZ/4C6G7gQGlDcxo4KoWSbslymxfne9yt723M=; b=qLNa42j98LXFMYRxaDK2q72/bOoHrBuRWGc9ZQaRPiRcPkm6G6L2fUxOqNbMGgSazD DCwKdR3wt3G9f4xz0BiMg7ijwizmzm967/cUUHnfppjVgimv8IeD34bwEbW4kysazMIv mCHIyd2FFOsO2dULM+mWxo4jPkJWNTLK/27yoUV0pM7SfFCFOwuNcZ5ZFaWGC45zv+gm JctN4TcaKIN+flBaMjIi8y9/L/HybATk9ueYO/XvkjfGuC5jvnWLVBJXlOpzf1Rsaeva EehcaBbVUCQuZHLK9eCmZcZUE6MrAyBS7K9bMBSI5VApVeQ7+sj1KLhCG+uurvZEMiaq o2Ag== X-Gm-Message-State: AOAM53247Ixl5zBBT3cfgmw2DNcKIG+FWmHI+p1ZZ2Zhd21Fsc6ePbxw ojsoYBYEEvIPu7oQQ9AsCimTmJGDf33SMLTaZw== X-Google-Smtp-Source: ABdhPJz/ymhgCtKldqZTEBbaj48JfrfV5ISq4HgfP3clalnfEM00/hppDcVtrWdU1sD7LmB8YK5lDVzGE8/jmGSgSPQ= X-Received: by 2002:a9d:7517:: with SMTP id r23mr2761689otk.146.1606847735317; Tue, 01 Dec 2020 10:35:35 -0800 (PST) MIME-Version: 1.0 References: <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com> In-Reply-To: Date: Tue, 1 Dec 2020 10:35:22 -0800 Message-ID: To: "G. P. B." Cc: "Christoph M. Becker" , "Aimeos | Norbert Sendetzky" , PHP internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling From: paul.crovella@gmail.com (Paul Crovella) On Tue, Dec 1, 2020 at 10:23 AM G. P. B. wrote: > > On Tue, 1 Dec 2020 at 18:07, Paul Crovella wrote: >> >> On Tue, Dec 1, 2020 at 9:43 AM Christoph M. Becker wrote: >> > >> > On 01.12.2020 at 18:35, Aimeos | Norbert Sendetzky wrote: >> > >> > > Am 01.12.20 um 18:24 schrieb Christoph M. Becker: >> > >> >> > >>> In PHP 7, this returns FALSE: >> > >>> >> > >>> php -r 'var_dump(is_file("ab\0c"));' >> > >>> >> > >>> In PHP 8, the same code throws a ValueException. Problem is now that >> > >>> it's not possible to check upfront if the passed argument is a valid >> > >>> path to avoid the exception being thrown. >> > >> >> > >> This is only about the NUL byte in the filename. You can easily check >> > >> for that yourself. :) >> > > >> > > There may be other checks that will throw a ValueException. I'm not sure >> > > how it's implemented in detail because the filestat.c file doesn't >> > > thrown an exception at all: >> > >> > The exception is thrown from inside the parameter parsing routines >> > (zend_parse_parameters() and friends). Internal function differenciate >> > between string and path, whereas the latter is an arbitrary string which >> > does not contain NUL bytes. >> > >> > It would likely make sense to document that. OTOH, it's probably a good >> > idea to check (almost) all user input for NUL bytes. >> >> Would it not make more sense for something like is_file to have >> obvious sane behavior and simply return false itself? I don't >> understand the resistance to making it more difficult for a developer >> to screw something up. >> >> -- >> PHP Internals - PHP Runtime Development Mailing List >> To unsubscribe, visit: https://www.php.net/unsub.php > > > So why having is_file()/is_dir() throw a warning for the past 8 years > (since PHP 5.4) a non-issue? Because by that logic it shouldn't > have been emitting warnings either. That's correct, it shouldn't have. > Would it have been fine if this would have been a TypeError as it was > originally intended? No, I imagine it would've been fixed sooner. > Is a warning fine because null bytes indicate a potential attack as in no sane > context should null bytes be passed around? Null bytes come from many places and do not necessarily indicate an "attack." There's plenty of UTF-16 in the world, for example, that's got oodles of them. > I don't personally *care* that it throws a ValueError, but why is this issue only > brought up *now* when it should have been shouting for 8 years Because it didn't break userland code for 8 years. A ValueError is a much louder thing - that's the whole point of it in fact. It shouldn't be a surprise that it comes up now.