On 2020-12-01 at 20:57, Stanislav Malyshev wrote:
Hi!
Is a warning fine because null bytes indicate a potential attack as in no
sane context should null bytes be passed around?
A warning is fine because it does what it's supposed to do - fails the
is_file check (which is literally only there to check if this string
specifies a valid filename) while not breaking the app. Exception
breaks the app.
So what we'll be seeing very soon is people creating userspace
safe_is_* wrappers that would work around this "functionality",
working against the language instead of being helped by it. This is
not how it should be.
One could add that here the PHP programmer needs to do work that basically
replicates how the code worked earlier for little gain. Maybe one also
needs to take into account how likely it is that \0 is part of a filename.
So I wonder how much of a hurdle it is for PHP 8 migration? Especially
if one has an application that needs to run on both PHP 7.x and PHP 8.
Think it would be good if a solution / conclusion is found for PHP 8.0.1.
r//Björn Larsson
--
PHP Internals - PHP Runtime Development Mailing List