Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112366
Return-Path: <harry@rhsoft.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 79044 invoked from network); 2 Dec 2020 09:17:05 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 2 Dec 2020 09:17:05 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id F0F571804C9
	for <internals@lists.php.net>; Wed,  2 Dec 2020 00:44:42 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <harry@rhsoft.net>
Received: from mail.thelounge.net (mail.thelounge.net [91.118.73.15])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed,  2 Dec 2020 00:44:42 -0800 (PST)
Received: from srv-rhsoft.rhsoft.net (rh.vpn.thelounge.net [10.10.10.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: h.reindl@thelounge.net)
	by mail.thelounge.net (THELOUNGE MTA) with ESMTPSA id 4CmCFg55zLzXVy;
	Wed,  2 Dec 2020 09:44:39 +0100 (CET)
To: Christian Schneider <cschneid@cschneid.com>
Cc: PHP Internals List <internals@lists.php.net>
References: <b845d5bf-63da-d564-1f0f-cc934188d693@aimeos.com>
 <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de>
 <CAN2symjht9iZLDhYEKCYb9V7B4xEoHBG8MFMoAVQS55OKzWC7Q@mail.gmail.com>
 <CAFPFaM+Np_jQgDFr8vV8TofYyLMZ0EDWmt3+yr1_KQzJTbW6MQ@mail.gmail.com>
 <CAFPFaMLULyFB0R14rQGCPmzZdXUSg81rHJQEQPRK2C6tDK6__w@mail.gmail.com>
 <cf5d6d15-a50c-caba-79fd-a615391121dc@aimeos.com>
 <3dd3c22d-0959-5425-46b1-dade4ac75b00@rhsoft.net>
 <f433784d-41bf-6a22-e34b-4d0f8b57f925@gmail.com>
 <d0b78b71-e8f3-0e50-c934-71aa8fc2cfe1@rhsoft.net>
 <23E6CF0B-77EF-4358-9576-BCB7919154A5@cschneid.com>
Organization: RH Software
Message-ID: <241c41a0-74ec-1356-62b4-8aa2016b86fb@rhsoft.net>
Date: Wed, 2 Dec 2020 09:44:39 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <23E6CF0B-77EF-4358-9576-BCB7919154A5@cschneid.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] PHP 8 is_file/is_dir input handling
From: harry@rhsoft.net ("Reindl Harald (privat)")



Am 02.12.20 um 09:18 schrieb Christian Schneider:
> Am 01.12.2020 um 21:13 schrieb Reindl Harald (privat) <harry@rhsoft.net>:
>> Am 01.12.20 um 21:09 schrieb Stanislav Malyshev:
>>>> we are running error_reporting E_ALL for 17 years now and don't
>>>> distinct between notice / warning / error, it has to be fixed -
>>>> period
>>> Surely you do. Your code continues to run after warning/notice but stops
>>> after the error. It's impossible to ignore that. Unless you have an
>>> error handler that does exit() after a notice (which I have hard time
>>> believing, honestly, but who knows), there is a very major distinction.
>>
>> my server would trigger a mail every 15 minutes wioth all warnings and notices to enforce fixing the issue
> 
> Out of curiosity: What is your fix?

https://en.wikipedia.org/wiki/Web_application_firewall and sanitize 
userinput while i don't see much legit usecases where userinout from 
outside makes it to is_file/is_dir without calling that a security issue 
anyways