On 01.12.2020 at 18:35, Aimeos | Norbert Sendetzky wrote:
> On 01.12.20 at 18:24, Christoph M. Becker wrote:
>>
>>> In PHP 7, this returns FALSE:
>>>
>>> php -r 'var_dump(is_file("ab\0c"));'
>>>
>>> In PHP 8, the same code throws a ValueException. Problem is now that
>>> it's not possible to check upfront if the passed argument is a valid
>>> path to avoid the exception being thrown.
>>
>> This is only about the NUL byte in the filename. You can easily check
>> for that yourself. :)
>
> There may be other checks that will throw a ValueException. I'm not sure
> how it's implemented in detail because the filestat.c file doesn't
> throw an exception at all:

The exception is thrown from inside the parameter parsing routines
(zend_parse_parameters() and friends). Internal functions differentiate
between string and path, whereas the latter is an arbitrary string which
does not contain NUL bytes. It would likely make sense to document that.
OTOH, it's probably a good idea to check (almost) all user input for NUL
bytes.

> https://github.com/php/php-src/blob/1e9db80d7264911fa4089cb7e4b3dc7f97b19c6e/ext/standard/filestat.c
>
> Can you tell me how you would check for NULL bytes?

See e.g. <https://3v4l.org/5WK3n>.

Regards,
Christoph

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
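
An added example, not part of the original message and not the code behind the 3v4l link: one way to do the upfront NUL-byte check discussed above, with a wrapper that keeps the PHP 7 "returns false" behaviour for untrusted input. The helper names `has_nul_byte()` and `safe_is_file()` are hypothetical; the class PHP 8 throws from argument parsing is `ValueError`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP built-in): true if the input contains a
 * NUL byte and therefore cannot be passed as a "path" argument.
 */
function has_nul_byte(string $input): bool
{
    return strpos($input, "\0") !== false;
}

/**
 * Hypothetical wrapper: is_file() for untrusted input that never throws.
 * Input containing a NUL byte is rejected before the filesystem call.
 */
function safe_is_file(string $candidate): bool
{
    if (has_nul_byte($candidate)) {
        return false; // same answer PHP 7 gave for "ab\0c"
    }
    try {
        return is_file($candidate);
    } catch (\ValueError $e) {
        // Defensive: treat any other argument validation failure
        // as "not a usable file" instead of letting it propagate.
        return false;
    }
}

// Constructed sample inputs: this script itself, the string from the
// thread, and a path that does not exist.
$samples = [__FILE__, "ab\0c", "/nonexistent/path"];

foreach ($samples as $sample) {
    printf(
        "%-40s nul=%-5s is_file=%s\n",
        addcslashes($sample, "\0"),          // make the NUL byte visible
        var_export(has_nul_byte($sample), true),
        var_export(safe_is_file($sample), true)
    );
}
```

Rejecting the input at the boundary, rather than stripping the NUL byte, avoids silently turning one filename into a different one.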