php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #47315 is_file() MUST NOT be true on remote-files
Submitted: 2009-02-05 14:54 UTC Modified: 2009-02-05 16:43 UTC
From: spam2 at rhsoft dot net Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 5.2.8 OS:
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
5 + 20 = ?
Subscribe to this entry?

 
 [2009-02-05 14:54 UTC] spam2 at rhsoft dot net 
Description:
------------
> As of PHP 5.0.0, this function can also be used with some URL 
> wrappers. Refer to List of Supported Protocols/Wrappers for 
> a listing of which wrappers support stat() family of functionality.

Which fool has decided to make such a MAJOR-CHANGE for functions like "is_file()" as default instead of enable this only with a new optional parameter?

You will break EVERY check in applications if the given path is a local file! Revert this completly or add a parameter to enable it
Has anybody ever thougt that this can make SECURITY-PROBLEMS in some cases? 

I hope no one wites a new function like "is_real_file" as seen at "mysql_escape_string/mysql_real_escape_string", this is crap and sometimes i wonder why many people are not thinking before doing!

Reproduce code:
---------------
$path = 'ftp://user:pwd@host/file.txt';
if(is_file($path))                                   
{                                                    
 echo 'yes';              
}                                                    
else
{
 echo 'no';
}


Expected result:
----------------
no

Actual result:
--------------
yes

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-05 15:10 UTC] scottmac@php.net 
Wow only 6 years too late for suggested changes. Changes were made to use streams, the end.
 [2009-02-05 15:40 UTC] spam2 at rhsoft dot net 
Foolish idiot in the last available german doku is until today no hint
http://www.php.net/manual/de/function.is-file.php
Hinweis: Diese Funktion kann nicht mit entfernten Dateien arbeiten, da der Zugriff auf
die Datei, die bearbeitet werden soll, ?ber das Dateisystem des Servers m?glich sein muss.

This means it DOES NOT support remote-files, this was years along fact
is documentaded and used at many locations until today and some idiots
think it's cool to make it impossilbe to check if you work with a local
or a remote file.....

Wow, only 6 years too late to refresh the documentation and if
you i should use the english one - WHY does a german one exists?

Only idiots are making such major changes without thinking what this
can mean for existing applications and to make this joke perfect
it works with some streams (ftp) and some other not (http)
Again: How stupid must a guy be to create such a crap?

And yes i know that i'm not friendly because stupid people
are making me angry - everytime and everywehre!

Even if its documentated - how check if path is local or remote
even if you change the application?
 [2009-02-05 15:45 UTC] scottmac@php.net 
We're sorry that you're an asshole and feel unhappy with PHP which is an open source project. Feel free to submit some updates to the German manual if you have time.
 [2009-02-05 16:12 UTC] spam2 at rhsoft dot net 
What do you think to get as answer to "Wow only 6 years too late for suggested changes"? How do you think should i smell this idiotic-change?

I noticed this while reading a security-news about the break-in in the phpBB server and the second comment from stefan esser pointed at this problem.

My last test remote/local file was to a http-url did what i think
NOBODY can smell that ftp-URLs does other things and so this idiotic change will not be noticed from > 90% of all developers but can hit a application if a exploit knows about it and the attacker places his files on a ftp-server instead of http
 [2009-02-05 16:43 UTC] scottmac@php.net 
is_file() works on any string that allows a stat calls, this includes archives, ftp, sftp or the local file system. If you can use the file functions to read it you should be able to stat it.

If you are looking to test things on the local system you're probably looking for realpath() to resolve the path on the local filesystem. Or maybe just a check to make sure that the path doesn't have a protocol at the start.

Finally, you should realise that PHP is run by volunteers. It's an open source project and being aggressive towards any contributor won't get you anywhere. It's likely to get a inflammatory response and zero help.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Jul 01 04:01:36 2025 UTC