Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112355
Return-Path: <smalyshev@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 14683 invoked from network); 1 Dec 2020 20:30:04 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 1 Dec 2020 20:30:04 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 050771804C3
	for <internals@lists.php.net>; Tue,  1 Dec 2020 11:57:35 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <smalyshev@gmail.com>
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  1 Dec 2020 11:57:34 -0800 (PST)
Received: by mail-pl1-f175.google.com with SMTP id b23so1748003pls.11
        for <internals@lists.php.net>; Tue, 01 Dec 2020 11:57:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=Fb7RGp5RdeNuUiD3zX7CPd6jQJ6/pdHTr0DTfegzeGk=;
        b=S3GAhmKIRErHk8qP+T8iMEGUlcJT6zXgPrREXOOVI9IgptE92dfQSarKCh19EfcnEk
         reLzzp/tpVUXXE8ggO0wzA6mdPbJcEVOeihMfuAkkyv3/wrC4VX8ifwH0Tnzy/cZzAIg
         GnRvz3r8m3UHszcYTuzSpUPMqhAhDOxNmBN+1W3cMrmnhgML9aYKoRyJ8JF890srkPnv
         JTwb4j0FMM4zi+Yf2U8EQqD2voE9COoHyqEYj4P/e0zDtr47XVqojy2JXUvGApWgyJLw
         QO4ZbQmA4zw/qNma+q0yhhK2FwFj7/2QGo6OBqxfmIeBUJ2ypCLlww33JrLNmcmMmETs
         Hn5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=Fb7RGp5RdeNuUiD3zX7CPd6jQJ6/pdHTr0DTfegzeGk=;
        b=mjkikEiLUsD5uuVg56VBrc2e032YyITQWf66pnoVIQVs5rl/M8EUbMlpgmJyOEXxWD
         /qRtq2MU5LDMkE6aOBQmeLg1SyFtxlqOknNnltjySAhtYv9LQz4Oxqm+DMRABNwvzuQg
         1IsCcAMsXG2+9sUv/lewzGrirDhaEY7VOql89DHtfoHEJGv+AMFfnizFlCorYOg0XKHa
         uEvuhNT54xpzU/IdMewrDxZaB8sfzPqLU9ZQZRhoRTcdhxpOjumazh4hTprz2Z63YLpi
         TzaANlvQL+Li859mwLPt4zR4tKfFbwHWZmDiXHaRIPlRvVgKNxAbJ9EuWjewjyNbZ8wR
         bfxw==
X-Gm-Message-State: AOAM533vxkJOfpvDbJKjZiISvAlK0FmTDOSnthkDCggiSkKXRAdRWa7t
	QC6522sqNlamVNsy68JcYpRtIErlv/1m
X-Google-Smtp-Source: ABdhPJyU+ZmuQoRHDPoX4NoBJEep4GwMCehySeduAnCHU0cnXXHElTxyLGTEQmpVKoiXmeB5D0gNpg==
X-Received: by 2002:a17:90a:1696:: with SMTP id o22mr4382854pja.44.1606852652803;
        Tue, 01 Dec 2020 11:57:32 -0800 (PST)
Received: from Stas-Mac-3.local (ec2-44-226-106-152.us-west-2.compute.amazonaws.com. [44.226.106.152])
        by smtp.gmail.com with ESMTPSA id y23sm548718pfb.207.2020.12.01.11.57.32
        for <internals@lists.php.net>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 01 Dec 2020 11:57:32 -0800 (PST)
To: internals@lists.php.net
References: <b845d5bf-63da-d564-1f0f-cc934188d693@aimeos.com>
 <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de>
 <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com>
 <fad4cc49-0f40-53f1-400c-90ff01ffdccb@gmx.de>
 <CAN2symiHHJVGvaLYMD=Qes0Wy06dZRtzPeonNBUWOBRbiTdo5g@mail.gmail.com>
 <CAFPFaMLEdq0+hYkE49YVbcFvCt00rne6roApcoyY4aK=1ZHpuA@mail.gmail.com>
Message-ID: <8a33dde2-f06c-640d-42bb-3e7af90fd5af@gmail.com>
Date: Tue, 1 Dec 2020 11:57:31 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0)
 Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CAFPFaMLEdq0+hYkE49YVbcFvCt00rne6roApcoyY4aK=1ZHpuA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> So why having is_file()/is_dir() throw a warning for the past 8 years
> (since PHP 5.4) a non-issue? Because by that logic it shouldn't

Warning is a debugging functionality. Throwing is breaking the app and 
stopping the whole process. There's a fundamental difference between the 
two.

> Would it have been fine if this would have been a TypeError as it was
> originally intended?

It's not a type error. PHP does not support such types. "string that is 
a valid filename" is not a type in PHP, thus TypeError would be misleading.

> Is a warning fine because null bytes indicate a potential attack as in no
> sane
> context should null bytes be passed around?

A warning is fine because it does what it's supposed to do - fails the 
is_file check (which is literally only there to check if this string 
specifies a valid filename) while not breaking the app. Exception breaks 
the app.

So what we'll be seeing very soon is people creating userspace safe_is_* 
wrappers that would work around this "functionality", working against 
the language instead of being helped by it. This is not how it should be.
-- 
Stas Malyshev
smalyshev@gmail.com