Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112367
Return-Path: <norbert@aimeos.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83385 invoked from network); 2 Dec 2020 09:53:45 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 2 Dec 2020 09:53:45 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id C359D18053A
	for <internals@lists.php.net>; Wed,  2 Dec 2020 01:21:23 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <norbert@aimeos.com>
Received: from dd46610.kasserver.com (dd46610.kasserver.com [85.13.163.220])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed,  2 Dec 2020 01:21:22 -0800 (PST)
Received: from [192.168.178.23] (dynamic-077-008-187-045.77.8.pool.telefonica.de [77.8.187.45])
	by dd46610.kasserver.com (Postfix) with ESMTPSA id 4737F5F805FC
	for <internals@lists.php.net>; Wed,  2 Dec 2020 10:21:21 +0100 (CET)
To: PHP internals <internals@lists.php.net>
References: <b845d5bf-63da-d564-1f0f-cc934188d693@aimeos.com>
 <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de>
Organization: Aimeos GmbH
Message-ID: <bd444642-6a18-d41a-858d-f7273e3ac1ad@aimeos.com>
Date: Wed, 2 Dec 2020 10:21:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <b546b5bf-27f8-62cc-cc4b-d859132998a4@gmx.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: PHP 8 is_file/is_dir and imagecreatefromstring()
From: norbert@aimeos.com (Aimeos | Norbert Sendetzky)

Am 01.12.20 um 18:24 schrieb Christoph M. Becker:
> On 01.12.2020 at 18:18, Aimeos | Norbert Sendetzky wrote:
> 
>> PHP 8 is stricter in checking input data then PHP 7. This is good but
>> has some side effects for is_file(), is_dir() and similar functions when
>> invalid paths are passed for checking.
>>
>> In PHP 7, this returns FALSE:
>>
>> php -r 'var_dump(is_file("ab\0c"));'
>>
>> In PHP 8, the same code throws a ValueException. Problem is now that
>> it's not possible to check upfront if the passed argument is a valid
>> path to avoid the exception being thrown.
> 
> This is only about the NUL byte in the filename.  You can easily check
> for that yourself. :)

If it's the only check that would throw a ValueException, then yes -
even if I think that is_file() should only return true/false to avoid
blown up code for checks that should be done by is_file().

Now have a look at GD imagecreatefromstring() which has almost the same
issue. If you use:

php -r 'var_dump(imagecreatefromstring('some data'));'

you will get in PHP 7:

PHP Warning:  imagecreatefromstring(): Empty string or invalid image in
Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. imagecreatefromstring() Command line code:1
Command line code:1:
bool(false)

and in PHP 8:

PHP Fatal error:  Uncaught ValueError: imagecreatefromstring(): Argument
#1 ($data) cannot be empty in Command line code:1
Stack trace:
#0 Command line code(1): imagecreatefromstring()
#1 {main}
  thrown in Command line code on line 1

How would you check the string upfront to be a valid image to avoid the
ValueException there?

Also, the error in PHP 8 is wrong because the string isn't empty but not
a valid image or not supported by GD.


Norbert