Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112348
Return-Path: <george.banyard@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 98660 invoked from network); 1 Dec 2020 19:11:40 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 1 Dec 2020 19:11:40 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 23CAB1804C0
	for <internals@lists.php.net>; Tue,  1 Dec 2020 10:39:10 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <george.banyard@gmail.com>
Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com [209.85.208.47])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  1 Dec 2020 10:39:09 -0800 (PST)
Received: by mail-ed1-f47.google.com with SMTP id k4so4834161edl.0
        for <internals@lists.php.net>; Tue, 01 Dec 2020 10:39:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=hGIF4uGBVjdIRoGBmcEvdPjJiw7HxxMx3txhflTJ0XQ=;
        b=UGIbWqeSh1un6GSbbUpp+Kbe2D9j3ixZl3tMcQNvMNRZQCpaQEoQvA/+j55w5yaG8n
         w29WzRJpLJW6XCbk+uvYUWtDfRZhihEo6X3ivas5scmKOUPVeCMAEhzrfpxLFRoJFmAI
         cuMgj3bxXYFcBOohiEiv5jNpmzd/q9FcF3FATzvtHDbTULtEMEDoJJN5Y7qtgZ+ff+RT
         dZuP48zEA3wxz8nX/RhxiP2ceT9mFDq1KA1v40F8ljslMVK/tXxgFjw73ovQ41oEq+q1
         aOeYFG+vj53S5LRga1cPMFEgdm1qEw/GsnpSNNAb/rWd4WzOPjSunXtTDRSpRG6M6YS2
         idqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=hGIF4uGBVjdIRoGBmcEvdPjJiw7HxxMx3txhflTJ0XQ=;
        b=N33O51c7D2TcShvJyKM3n+suqr+rHjTvYzG7V+zHwF7imX1PgKjk2/ouJY+l/w0Z7q
         uKa+mHo50XF63cDJtsIrz0dk8pJYW5cVAOWqIxs7m3HBk1P5a1ar6pWEiV7TYS1xYpGq
         rNmS2zPC70ZvUNQaMn/9GBjOIvPMTbamPjM2fTKG9HBCcg/10kiH1GaSvjcVDjDglMi7
         pssuXMYQTi4rl+UBEsQm5j/1ga/PIhoEB4KaNSrqsFN1m7RVYZbPLuBnqyDHAv9Y7H7N
         IBfe4tiiu3E+r11YPBDo6keAbhTcVWzyb4LbiZ7LP68lCiP8vQfYR9yb9JpWRgaTj2mc
         0trQ==
X-Gm-Message-State: AOAM5310q0m0zlRIth/AKDYttzhLDbh74NNxciRQqkpUgtO6Ya74PW+w
	QmxdfHkSr4/w2+A7Cs6Vv/BpmQf1eXhNczwkgfoLKH0HDnNSRdqv6IQ=
X-Google-Smtp-Source: ABdhPJwh2et+UMPlIdkNMri+MnOcVXuf03+/Ohq8ER27/mcXPvxsAcnSi3PPMQXq2BX4CPWMAZUBctcVsKZWoBM6vuQ=
X-Received: by 2002:aa7:c403:: with SMTP id j3mr4377684edq.217.1606847948457;
 Tue, 01 Dec 2020 10:39:08 -0800 (PST)
MIME-Version: 1.0
References: <b845d5bf-63da-d564-1f0f-cc934188d693@aimeos.com>
 <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de> <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com>
 <fad4cc49-0f40-53f1-400c-90ff01ffdccb@gmx.de> <CAN2symiHHJVGvaLYMD=Qes0Wy06dZRtzPeonNBUWOBRbiTdo5g@mail.gmail.com>
 <CAFPFaMLEdq0+hYkE49YVbcFvCt00rne6roApcoyY4aK=1ZHpuA@mail.gmail.com> <CAN2symii22mQknY=Y=zxJDF+EdZ0XcBBc8FsFTyEYR=PTY6k_g@mail.gmail.com>
In-Reply-To: <CAN2symii22mQknY=Y=zxJDF+EdZ0XcBBc8FsFTyEYR=PTY6k_g@mail.gmail.com>
Date: Tue, 1 Dec 2020 18:38:54 +0000
Message-ID: <CAFPFaMJFndsXqw2h8PE0DpAKU0S5yNE-6jG-wAkXRBYdDBrJ-A@mail.gmail.com>
To: Paul Crovella <paul.crovella@gmail.com>
Cc: "Christoph M. Becker" <cmbecker69@gmx.de>, "Aimeos | Norbert Sendetzky" <norbert@aimeos.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000002d0cad05b56b712d"
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
From: george.banyard@gmail.com ("G. P. B.")

--0000000000002d0cad05b56b712d
Content-Type: text/plain; charset="UTF-8"

On Tue, 1 Dec 2020 at 18:35, Paul Crovella <paul.crovella@gmail.com> wrote:

> On Tue, Dec 1, 2020 at 10:23 AM G. P. B. <george.banyard@gmail.com> wrote:
> >
> > On Tue, 1 Dec 2020 at 18:07, Paul Crovella <paul.crovella@gmail.com>
> wrote:
> >>
> >> On Tue, Dec 1, 2020 at 9:43 AM Christoph M. Becker <cmbecker69@gmx.de>
> wrote:
> >> >
> >> > On 01.12.2020 at 18:35, Aimeos | Norbert Sendetzky wrote:
> >> >
> >> > > Am 01.12.20 um 18:24 schrieb Christoph M. Becker:
> >> > >>
> >> > >>> In PHP 7, this returns FALSE:
> >> > >>>
> >> > >>> php -r 'var_dump(is_file("ab\0c"));'
> >> > >>>
> >> > >>> In PHP 8, the same code throws a ValueException. Problem is now
> that
> >> > >>> it's not possible to check upfront if the passed argument is a
> valid
> >> > >>> path to avoid the exception being thrown.
> >> > >>
> >> > >> This is only about the NUL byte in the filename.  You can easily
> check
> >> > >> for that yourself. :)
> >> > >
> >> > > There may be other checks that will throw a ValueException. I'm not
> sure
> >> > > how it's implemented in detail because the filestat.c file doesn't
> >> > > thrown an exception at all:
> >> >
> >> > The exception is thrown from inside the parameter parsing routines
> >> > (zend_parse_parameters() and friends).  Internal function
> differenciate
> >> > between string and path, whereas the latter is an arbitrary string
> which
> >> > does not contain NUL bytes.
> >> >
> >> > It would likely make sense to document that.  OTOH, it's probably a
> good
> >> > idea to check (almost) all user input for NUL bytes.
> >>
> >> Would it not make more sense for something like is_file to have
> >> obvious sane behavior and simply return false itself? I don't
> >> understand the resistance to making it more difficult for a developer
> >> to screw something up.
> >>
> >> --
> >> PHP Internals - PHP Runtime Development Mailing List
> >> To unsubscribe, visit: https://www.php.net/unsub.php
> >
> >
> > So why having is_file()/is_dir() throw a warning for the past 8 years
> > (since PHP 5.4) a non-issue? Because by that logic it shouldn't
> > have been emitting warnings either.
>
> That's correct, it shouldn't have.
>
> > Would it have been fine if this would have been a TypeError as it was
> > originally intended?
>
> No, I imagine it would've been fixed sooner.
>

Incorrect, because using strict_types would make this exact case throw a
TypeError in PHP 7. See: https://3v4l.org/0P2O4


> > Is a warning fine because null bytes indicate a potential attack as in
> no sane
> > context should null bytes be passed around?
>
> Null bytes come from many places and do not necessarily indicate an
> "attack." There's plenty of UTF-16 in the world, for example, that's
> got oodles of them.
>
> > I don't personally *care* that it throws a ValueError, but why is this
> issue only
> > brought up *now* when it should have been shouting for 8 years
>
> Because it didn't break userland code for 8 years. A ValueError is a
> much louder thing - that's the whole point of it in fact. It shouldn't
> be a surprise that it comes up now.
>

Because returning null instead of false is not a surprise?


George P. Banyard

--0000000000002d0cad05b56b712d--