Newsgroups: php.internals
To: Aimeos | Norbert Sendetzky, PHP Internals
Date: Tue, 1 Dec 2020 19:58:03 +0100
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 01.12.2020 at 19:38, Aimeos | Norbert Sendetzky wrote:
> On 01.12.20 at 19:23, G. P. B. wrote:
>
>> So why is having is_file()/is_dir() throw a warning for the past 8 years
>> (since PHP 5.4) a non-issue? Because by that logic it shouldn't
>> have been emitting warnings either.
>> Would it have been fine if this would have been a TypeError as it was
>> originally intended?
>> Is a warning fine because null bytes indicate a potential attack as in no
>> sane context should null bytes be passed around?
>>
>> I don't personally *care* that it throws a ValueError, but why is this
>> issue only brought up *now* when it should have been shouting for 8 years
>> and is either an indication of a bug or of something larger at play.
>
> Keep cool, the code we are currently using is similar to this one:
>
> if( @is_file( $data ) === false ) {
>     throw new \Aimeos\MW\Exception( 'Invalid file' );
> }
>
> We use the silence operator to suppress the warning so we can throw our
> own exception in a clean way. Now, with support for PHP 8 it would be:

However, if $data contains a NUL byte, no exception would be thrown,
since is_file() returned NULL in that case.

Regards,
Christoph
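
The failure mode described above, as an added example that is not part of the original thread or of the Aimeos code base: the quoted `=== false` check beside a form that rejects NUL bytes explicitly and accepts only an exact `true`. The function names `checkLoose` and `checkStrict`, the use of `RuntimeException`, and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; checkLoose/checkStrict are hypothetical names.

/** The pattern quoted in the thread: only an exact `false` counts as failure. */
function checkLoose(string $data): void
{
    if (@is_file($data) === false) {
        throw new RuntimeException('Invalid file');
    }
    // Before PHP 8, a path containing "\0" made is_file() return NULL, so
    // execution reaches this point and the caller treats the path as valid.
}

/** Hardened form: refuse NUL bytes up front and accept only an exact `true`. */
function checkStrict(string $data): void
{
    if (strpos($data, "\0") !== false) {
        throw new RuntimeException('Invalid file: path contains a NUL byte');
    }
    try {
        $ok = is_file($data);
    } catch (ValueError $e) {
        // PHP 8 can report an invalid path this way; map it to our exception.
        throw new RuntimeException('Invalid file', 0, $e);
    }
    if ($ok !== true) {
        throw new RuntimeException('Invalid file');
    }
}

// Constructed sample inputs: an existing file, the same path with an
// embedded NUL byte, and a path that does not exist.
$samples = [__FILE__, __FILE__ . "\0.jpg", __DIR__ . '/no-such-file'];

foreach ($samples as $path) {
    foreach (['checkLoose', 'checkStrict'] as $fn) {
        try {
            $fn($path);
            $result = 'accepted';
        } catch (Throwable $e) {
            // Throwable also covers a ValueError escaping checkLoose on PHP 8.
            $result = 'rejected (' . get_class($e) . ')';
        }
        printf("%-12s %s => %s\n", $fn, addcslashes($path, "\0"), $result);
    }
}
```

The behaviour of `checkLoose` on the NUL-byte sample depends on the PHP version it runs under, while `checkStrict` rejects that input with the same exception type on every version.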