Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:112383 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 50973 invoked from network); 2 Dec 2020 21:20:59 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 2 Dec 2020 21:20:59 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id A092A1804C3 for ; Wed, 2 Dec 2020 12:48:44 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 2 Dec 2020 12:48:43 -0800 (PST) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 5B00D5C01BF for ; Wed, 2 Dec 2020 15:48:43 -0500 (EST) Received: from imap26 ([10.202.2.76]) by compute4.internal (MEProxy); Wed, 02 Dec 2020 15:48:43 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ykXJyOvQEDIc1N4qH5Ve4DkQY3s5aXegfDezp3EVA eg=; b=QaEscyLALVkSD6O0mjrkmUons/dGpxLhxv2vHz+d6nHyv8Boz09ytJKvf jtt03XY/4OvZ0CIhD/CWQWEIdclab9M5cPQRuhbbN6XBZxaLEp/LyzHZfxTfi5s4 vzS96UT6N2NVQ5IUxWv3ReoPMZUma8WtGa/ZEflxNxJs5ZRUKMIxGA4nsLl7eiap GL864HJm/6kTusZexJt2RwtMj9ggcNaTqo7Xe1iGRgQuWjKjoVshBydYG7Xhftl1 Kfp5RZ+g6wb0VBgANfNtP0EPuxkeaRW0UNYXQYFVIGF7DAVHz3DLghF+/aEmxwFb /bg+L87lb//extlGTCAQe5wiEnDZg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudeigedgudegvdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdfn rghrrhihucfirghrfhhivghlugdfuceolhgrrhhrhiesghgrrhhfihgvlhguthgvtghhrd gtohhmqeenucggtffrrghtthgvrhhnpeffffffjeffudfggeevvdeitdetvdfgjefffeff jeelfeejteevheeghffhvdfgleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehlrghrrhihsehgrghrfhhivghlughtvggthhdrtghomh X-ME-Proxy: Received: by mailuser.nyi.internal (Postfix, from userid 501) id CDF6614200A2; Wed, 2 Dec 2020 15:48:42 -0500 (EST) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.3.0-622-g4a97c0b-fm-20201115.001-g4a97c0b3 Mime-Version: 1.0 Message-ID: <8d324ed9-2267-4334-95dd-f840816629f0@www.fastmail.com> In-Reply-To: <23E6CF0B-77EF-4358-9576-BCB7919154A5@cschneid.com> References: <3dd3c22d-0959-5425-46b1-dade4ac75b00@rhsoft.net> <23E6CF0B-77EF-4358-9576-BCB7919154A5@cschneid.com> Date: Wed, 02 Dec 2020 14:48:22 -0600 To: "php internals" Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] PHP 8 is_file/is_dir input handling From: larry@garfieldtech.com ("Larry Garfield") On Wed, Dec 2, 2020, at 2:18 AM, Christian Schneider wrote: > Am 01.12.2020 um 21:13 schrieb Reindl Harald (privat) : > > Am 01.12.20 um 21:09 schrieb Stanislav Malyshev: > >>> we are running error_reporting E_ALL for 17 years now and don't > >>> distinct between notice / warning / error, it has to be fixed - > >>> period > >> Surely you do. Your code continues to run after warning/notice but = stops > >> after the error. It's impossible to ignore that. Unless you have an= > >> error handler that does exit() after a notice (which I have hard ti= me > >> believing, honestly, but who knows), there is a very major distinct= ion. > >=20 > > my server would trigger a mail every 15 minutes wioth all warnings a= nd notices to enforce fixing the issue >=20 > Out of curiosity: What is your fix? >=20 > Because we are running into this issue with fuzzers bombarding our=20 > website with all types of illegal parameters, string containing 0-byte= s=20 > amongst them. >=20 > Our solution was to basically throw away all user input containing=20 > 0-bytes (except $_FILES) which feels awkward but was the only way to=20= > avoid these messages (and in some cases exceptions) consistently. >=20 > Concerning the original question: > My personal preference in this specific case is Stas=E2=80=99 way: is_= file() is=20 > a low-level function and should simply return false for *anything*=20 > which is not a valid, existing filename. Having *everything* involving= =20 > paths warn/throw an exception when 0-bytes are involved is an overly=20= > broad generalization. >=20 > I challenge everybody to show me how changing is_file() to simply=20 > return false (while keeping more high-level functions like, say, popen= =20 > throwing an exception) leads to a security hole. >=20 > In my preferred world the following code would be both safe and=20 > guaranteed to report =E2=80=9EFile not found=E2=80=9C on any invalid i= nput: > If (is_file($filename)) > do_something($filename); > else > message("File not found=E2=80=9C); >=20 > I=E2=80=99ll try to put a PR together for FileFunction() because I thi= nk those=20 > functions should all handle 0-bytes like non-existing files. >=20 > - Chris I'm inclined to agree here. An is_*() function isn't asking why somethi= ng isn't a legit file; "missing" and "it's a stupid name anyway and it s= hould feel bad" and "the disk is missing" are all the same thing as far = as it's concerned. All it's asking is "if I try to open this file, shou= ld I expect it to work?" Having it throw an exception in some cases, it's understandable how that= ends up happening, but from a user/API point of view it's still incorre= ct. --Larry Garfield