Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
From: smalyshev@gmail.com (Stanislav Malyshev)
To: "Reindl Harald (privat)", PHP Internals
Date: Tue, 1 Dec 2020 12:21:33 -0800
Message-ID: <8defcd2f-b887-eddc-a2b5-9d830eb12756@gmail.com>
In-Reply-To: <2729ea34-b44d-da3d-f33e-4a31666112a2@rhsoft.net>

Hi!
> yeah, you should think about external input *before* do anything with
> it, always! if you pass a random path with NULL you did not do anything
> to validate the input

Yes, and? is_file should be safe (as in, not exploding and breaking the whole app) on any input (leaving the typing discussion aside, any string input). It should return true if the input is the name of an existing file, false otherwise. It's simple, no?

> millions of security issues in whatever programming language are the
> result of "i throw the input somewhere and don't mind"

This is a general banality which is not applicable to this specific function. Sure, there are security issues that come from input validation failures. It is not the case here. As somebody who added those checks in most of the code personally, I can tell you not bailing out but returning false on is_file would not make the security of this function worse in any way.

I know why it happens - because it has been treated as a type error (which was a nice hack but in retrospect probably not the most correct way) and then we decided to make type errors throw, and the fact that this is not actually a type error came to bite us in the butt. I think the solution for this is to refactor this code and separate null checks from type checks. It was a nice hack for the time, but its time has expired.

> if you ever reach that exception you have a stacktrace up to the point
> where you should have stopped proceed at all

Nope, there's no reason to stop processing when I check whether a random string signifies a valid file. There might be a reason to stop processing later, after I discovered it is not, or to continue processing, depending on the code intent - e.g. use an alternative filename, or the default, or a different code path. Exploding functions take this ability from me as an author of the code. So I will be forced to take it back by replacing every use of is_file with safe_is_file which would catch the exception and return false.

This just adds work for me which I didn't have to do before. That's not how the language should evolve - it shouldn't make things that are now easy harder.

-- 
Stas Malyshev
smalyshev@gmail.com
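As an added example (not code from the message above and not php-src code), this is the kind of safe_is_file wrapper the message says its author would be forced to write, together with the "use an alternative filename, or the default" flow it mentions. The name safe_is_file comes from the message; first_existing_file, the temp-file demo and the default path are assumptions made here. The message does not say which exception class PHP 8 raises for a NUL byte in the path (it calls it a type error), so the wrapper catches both TypeError and ValueError rather than depending on one.

```php
<?php
declare(strict_types=1);

/**
 * safe_is_file(): the wrapper the message describes. Never throws for
 * string input; answers false for anything that is not the name of an
 * existing regular file.
 *
 * Assumption (not stated in the message): PHP 8 rejects a NUL byte in the
 * path by throwing. Both TypeError and ValueError are caught so the
 * wrapper does not depend on which class a given PHP 8 release uses.
 */
function safe_is_file(string $path): bool
{
    // A NUL byte can never be part of a real filename, so this is simply
    // "not an existing file" and need not reach the engine's check at all.
    if (str_contains($path, "\0")) {
        return false;
    }
    try {
        return is_file($path);
    } catch (TypeError | ValueError $e) {
        // Defensive second layer for any other input the engine rejects.
        return false;
    }
}

/**
 * The "alternative filename, or the default" flow from the message: take
 * the first candidate that exists, otherwise the default. With a throwing
 * is_file() one bad candidate aborts the whole lookup; with the wrapper it
 * is just skipped. (Hypothetical helper, not php-src.)
 */
function first_existing_file(array $candidates, string $default): string
{
    foreach ($candidates as $candidate) {
        if (safe_is_file($candidate)) {
            return $candidate;
        }
    }
    return $default;
}

// --- Demo with constructed inputs: a temp file created here, nothing real ---
$real = tempnam(sys_get_temp_dir(), 'isfile');
if ($real === false) {
    fwrite(STDERR, "could not create temp file\n");
    exit(1);
}
file_put_contents($real, "x");

$inputs = [
    'existing file'      => $real,
    'missing file'       => $real . '.missing',
    'directory'          => dirname($real),
    'NUL-byte injection' => $real . "\0.txt",  // classic path-truncation attempt
];

foreach ($inputs as $label => $path) {
    // Show what the bare built-in does on this PHP build versus the wrapper.
    try {
        $bare = var_export(is_file($path), true);
    } catch (Throwable $e) {
        $bare = 'throws ' . get_class($e);
    }
    printf("%-20s is_file: %-18s safe_is_file: %s\n",
        $label, $bare, var_export(safe_is_file($path), true));
}

// The lookup continues past the NUL-byte candidate instead of aborting.
echo "chosen: ", first_existing_file(
    [$real . "\0.txt", $real . '.missing', $real],
    '/etc/app/default.conf'   // hypothetical default path
), "\n";

unlink($real);
```

Run it with `php safe_is_file.php` on a PHP 8 build: the "NUL-byte injection" row prints whatever the engine does for the bare call on that release next to a plain `false` from the wrapper, and the final lookup still returns the real temp file. The explicit NUL check is deliberate: it keeps the wrapper's answer independent of how the engine classifies the error, and the try/catch is only there as a fallback.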