Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:112354 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 13038 invoked from network); 1 Dec 2020 20:26:50 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 1 Dec 2020 20:26:50 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 69CB31804C6 for ; Tue, 1 Dec 2020 11:54:20 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 1 Dec 2020 11:54:19 -0800 (PST) Received: by mail-lf1-f44.google.com with SMTP id r24so6817593lfm.8 for ; Tue, 01 Dec 2020 11:54:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OQcZ8mrfM+poePjodQhe2+Fv41RtMkqJfWDvtLbOubg=; b=ZEYTabWtSG9PLj3AZb3cY0x3C9OEAyFFSp/CNzqMmPYxMBrj/T8LUrTpqszm0Al5bL mKRgEM4OsSHy+lwW5p9rFlktnbvGKuewlE9ifeY2Pn5TwHbuQadx35rILTUJrVUg9KIP yjeW1tw8SyX2Qa6cowensuUksN48nzXk51jQ3Uy4Sj44Z3bzGgT/FqgkA6eVFN1clepT ddfIAAW/8tHNvrgl9Hm7edfMpd9OPy0eejbtgqCtJnl+oFv3Uz63WEHG4366fbxUW0pQ KcuQGhB/JQrVlrdUk+TIULvHzo0iSN4q/2mlgIo8wQBM/KoVRXrYLKbCkvbxbpOesPFr 62TQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OQcZ8mrfM+poePjodQhe2+Fv41RtMkqJfWDvtLbOubg=; b=QuoMbCLdBSP3tlK6qnI3xJ3sk8g4WA4b06v1cofH7K7sG1t5qc9lCS6AKtOv+WVF5o xDOMMiKBIOHEkG43J9PoNi6F1r4FHFf1fi1aoBXmk7lbZAu7zPyDDUvbROprHlQpAN3p 8oEDklgmBUZ6sNWkIQNt2B9rf76qnM0Q28qhWLPfOe83gv2+YCZ3rXejMP2ejcot7qpm 0mQtAUZjv6+fd0nLPiV8+JgTwrJ1BLQXOKfXUkdoVVokurwHNuy/Bxkk5ybV09zmi/Li A19oIjKfH80HgtItG/qH0gj7miJqmzR9lN1szcFl5lKj6KWdJ9xKAcNdQPRGOcShOWAK Azbg== X-Gm-Message-State: AOAM532f/HhvvQdAJbRBP6du1f4L64bBFlPXEXnLcb1kDLI3wYe+2pSI GuesvaiQs+hUD6uc5bWWmvR07fpubDTPFZxfUocpwiaguxo= X-Google-Smtp-Source: ABdhPJxCpe2u7LGmHaKTJzoVnnX6m0teLgHocdkdwj7od2vx8oKrG7ckkX7DYVChMvleI/kTrGqQGa3jzWqtjZtJn8c= X-Received: by 2002:a19:6759:: with SMTP id e25mr2043679lfj.25.1606852455330; Tue, 01 Dec 2020 11:54:15 -0800 (PST) MIME-Version: 1.0 References: <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com> <29529061-dc71-c759-590a-b4786936f8c5@aimeos.com> <96e40442-a649-f9af-a0cc-dd43cfd1bd0c@gmx.de> In-Reply-To: <96e40442-a649-f9af-a0cc-dd43cfd1bd0c@gmx.de> Date: Tue, 1 Dec 2020 20:53:59 +0100 Message-ID: To: "Christoph M. Becker" Cc: "Aimeos | Norbert Sendetzky" , PHP Internals Content-Type: multipart/alternative; boundary="000000000000ce791905b56c7d89" Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling From: nikita.ppv@gmail.com (Nikita Popov) --000000000000ce791905b56c7d89 Content-Type: text/plain; charset="UTF-8" On Tue, Dec 1, 2020 at 7:58 PM Christoph M. Becker wrote: > On 01.12.2020 at 19:38, Aimeos | Norbert Sendetzky wrote: > > > Am 01.12.20 um 19:23 schrieb G. P. B.: > > > >> So why having is_file()/is_dir() throw a warning for the past 8 years > >> (since PHP 5.4) a non-issue? Because by that logic it shouldn't > >> have been emitting warnings either. > >> Would it have been fine if this would have been a TypeError as it was > >> originally intended? > >> Is a warning fine because null bytes indicate a potential attack as in > no > >> sane > >> context should null bytes be passed around? > >> > >> I don't personally *care* that it throws a ValueError, but why is this > >> issue only > >> brought up *now* when it should have been shouting for 8 years and is > >> either an > >> indication of a bug or of something larger at play. > > > > Keep cool, the code we are currently using is similar to this one: > > > > if( @is_file( $data ) === false ) { > > throw new \Aimeos\MW\Exception( 'Invalid file' ); > > } > > > > We use the silence operator to suppress the warning so we can throw our > > own exception in a clean way. Now, with support for PHP 8 it would be: > > However, if $data contains a NUL byte, no exception would be thrown, > since is_file() returned NULL in that case. > > Regards, > Christoph > So, there's two dimensions to this: First, assuming that a null byte in a file name *is* an error condition, is the PHP 8 behavior better than in PHP 7? I think the answer to this one is very clearly "yes". The above code snippet and the subtle way in which it is broken is a great illustration of that. PHP 8 makes it obvious that the cited code is incorrect. Second, should a null byte in a file name be an error condition in the first place? This is a point I'm not sure about. It would certainly be possible to treat paths containing null bytes as non-existing paths, and abstract away the fact that paths cannot contain null bytes, and that this is a common attack vector. I'd personally lean towards not considering null bytes an error condition. However, this is an entrenched notion, and undoing this long standing assumption will be quite a bit of work. Just changing a few functions like is_file() would be simpler though. Regards, Nikita --000000000000ce791905b56c7d89--