Newsgroups: php.internals
From: bjorn.x.larsson@telia.com (Björn Larsson)
To: Stanislav Malyshev
Cc: PHP internals
Subject: Re: [PHP-DEV] Re: PHP 8 is_file/is_dir input handling
Date: Wed, 2 Dec 2020 23:38:13 +0100
Message-ID: <75b5b870-112a-f54e-1fd7-4d425ffa8000@telia.com>
In-Reply-To: <8a33dde2-f06c-640d-42bb-3e7af90fd5af@gmail.com>
References: <0774c293-afd7-d8b9-175f-217ed600d1ea@aimeos.com> <8a33dde2-f06c-640d-42bb-3e7af90fd5af@gmail.com>

On 2020-12-01 at 20:57, Stanislav Malyshev wrote:
> Hi!
>
>> Is a warning fine because null bytes indicate a potential attack as
>> in no sane context should null bytes be passed around?
>
> A warning is fine because it does what it's supposed to do - fails the
> is_file check (which is literally only there to check if this string
> specifies a valid filename) while not breaking the app. Exception
> breaks the app.
>
> So what we'll be seeing very soon is people creating userspace
> safe_is_* wrappers that would work around this "functionality",
> working against the language instead of being helped by it. This is
> not how it should be.

One could add that here the PHP programmer needs to do work that basically replicates how the code worked earlier, for little gain. Maybe one also needs to take into account how likely it is that \0 is part of a filename.

So I wonder how much of a hurdle it is for PHP 8 migration? Especially if one has an application that needs to run on both PHP 7.x and PHP 8.

Think it would be good if a solution / conclusion is found for PHP 8.0.1.

r//Björn Larsson
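The userspace safe_is_* wrapper that the quoted message anticipates, written out as an added PHP example (not code from this thread or from PHP itself). The function names safe_is_file and safe_is_dir, the helper path_has_null_byte and the constructed sample paths are assumptions; the only thing the wrapper does is reject a path containing an embedded null byte before the builtin ever sees it, so the caller gets a plain boolean on PHP 7.x and PHP 8 alike, whatever the builtin itself does with such input on a given version.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example): a real filename can never contain "\0",
// so its presence means the value came from untrusted input, not from the filesystem.
function path_has_null_byte(string $path): bool
{
    return strpos($path, "\0") !== false;
}

// Hypothetical wrappers (added example). The null-byte check runs first, so the
// builtin is_file()/is_dir() is never called with input that could make it warn,
// return a non-boolean, or throw; the result is always a boolean.
function safe_is_file(string $path): bool
{
    if (path_has_null_byte($path)) {
        return false;
    }
    return is_file($path);
}

function safe_is_dir(string $path): bool
{
    if (path_has_null_byte($path)) {
        return false;
    }
    return is_dir($path);
}

// Constructed sample inputs: one real temporary file, two null-byte variants of
// its name (the kind of value that shows up in untrusted request parameters),
// and a name that does not exist.
$tmpFile = tempnam(sys_get_temp_dir(), 'nul');
$samples = [
    'plain existing file'   => $tmpFile,
    'null byte inside path' => $tmpFile . "\0.txt",
    'null byte at end'      => $tmpFile . "\0",
    'missing file'          => $tmpFile . '.does-not-exist',
    'temp directory'        => sys_get_temp_dir(),
];

foreach ($samples as $label => $path) {
    printf(
        "%-22s safe_is_file=%-5s safe_is_dir=%s\n",
        $label,
        var_export(safe_is_file($path), true),
        var_export(safe_is_dir($path), true)
    );
}

unlink($tmpFile);
```

Run as a plain CLI script; only the "plain existing file" row reports safe_is_file=true and only the "temp directory" row reports safe_is_dir=true, while both null-byte rows report false for both functions without any warning or exception from the builtins. The wrapper deliberately checks nothing beyond the null byte: it restores the "not a valid filename, so false" contract the quoted message describes and leaves any other validation of untrusted paths to the application.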