Doc Bug #74411 SplFileInfo::getRealPath() returns false if containing folder is unreadable
Submitted: 2017-04-11 08:18 UTC Modified: 2021-10-04 15:26 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: miklcct at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Filesystem function related
PHP Version: 7.1.3 OS: Windows 10
Private report: No CVE-ID: None
 [2017-04-11 08:18 UTC] miklcct at gmail dot com
Description:
------------
On Windows, SplFileInfo::getRealPath() returns false if the containing folder is not readable, even if the file itself is readable. This breaks in a typical usage scenario where an SplFileInfo object is constructed using an uploaded file in the temporary folder on Windows, because the temporary folder in Windows is not readable by default, but creating files inside is allowed.

To reproduce, follow the below steps:
1. Make directory C:\dir
2. Make file C:\dir\file and put some text inside
3. Run the script, ensure that the second var_dump returns the path
4. Add an NTFS permission entry on C:\dir saying "deny everyone on this folder only advanced permission list folder / read data"
5. Run the script again


Test script:
---------------
<?php
$path = 'C:\dir\file';
$file = new SplFileInfo($path);
var_dump(file_get_contents($path));
var_dump($file);
var_dump($file->getRealPath());

Expected result:
----------------
Output similar to the below on both runs:

M:\splfileinfo_bug.php:4:
string(5) "test
"
M:\splfileinfo_bug.php:5:
class SplFileInfo#1 (2) {
  private $pathName =>
  string(11) "C:\dir\file"
  private $fileName =>
  string(4) "file"
}
M:\splfileinfo_bug.php:6:
string(11) "C:\dir\file"

Actual result:
--------------
After denying permission, the script outputs:

M:\splfileinfo_bug.php:4:
string(5) "test
"
M:\splfileinfo_bug.php:5:
class SplFileInfo#1 (2) {
  private $pathName =>
  string(11) "C:\dir\file"
  private $fileName =>
  string(4) "file"
}
M:\splfileinfo_bug.php:6:
bool(false)

Note that the file is readable but SplFileInfo::getRealPath() returns false.

History
 [2017-04-11 13:51 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2017-04-11 13:51 UTC] cmb@php.net
It seems to me that this is rather a documentation issue, as for
realpath() it is already noted[1] that:

| The running script must have executable permissions on all
| directories in the hierarchy, otherwise realpath() will return
| FALSE.

[1] <http://php.net/manual/en/function.realpath.php#refsect1-function.realpath-returnvalues>
 [2017-04-11 14:02 UTC] miklcct at gmail dot com
I don't think it is a documentation issue, because
1. I'm using SplFileInfo, not bare functions. What the bare functions do is completely irrelevant to me.

2. Even if it replicates the behaviour of that function, I have only denied the list content (read) permission but not traverse folder (execute) permission.
 [2017-05-02 17:44 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-05-02 17:44 UTC] ab@php.net
What are the exact ACLs on the folder and the file?

Thanks.
 [2017-05-08 04:14 UTC] miklcct at gmail dot com
-Status: Feedback +Status: Open
 [2017-05-08 04:14 UTC] miklcct at gmail dot com
Folder permission:
All but list folder / read data

File permission:
Full control
 [2021-10-04 15:26 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-10-04 15:26 UTC] cmb@php.net
> I'm using SplFileInfo, not bare functions. What the bare
> functions do is completely irrelevant to me.

Both use the same underlying implementation.

> Folder permission:
> All but list folder / read data

But these are required[1].  That might be something we want to
change in the future, but shouldn't in a stable version.

So, basically, this is a duplicate of bug #43817.

[1] <https://bugs.php.net/bug.php?id=43817#1632409714>
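
An added example, not part of the original report and not PHP's own code: one way to handle the false return discussed in this thread when checking that a path stays inside a base directory, so that a failed canonicalisation is rejected instead of being read as "file missing" or replaced by the unresolved input. The helper name resolveInside() and the scratch directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: resolve $path and confirm it lies inside $baseDir.
 * Returns the canonical path, or null when the path cannot be resolved or
 * falls outside the base directory. A false from getRealPath()/realpath()
 * is never replaced by the raw input, so the check fails closed.
 */
function resolveInside(string $baseDir, string $path): ?string
{
    $base = realpath($baseDir);
    $real = (new SplFileInfo($path))->getRealPath();

    // false means "could not canonicalise": the file may be missing or, as
    // in this report, a directory in the hierarchy lacks a required
    // permission even though the file itself is readable.
    if ($base === false || $real === false) {
        return null;
    }

    // Compare on a directory boundary so "/base" does not match "/base-other".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data: a scratch directory holding one file.
$sep  = DIRECTORY_SEPARATOR;
$base = sys_get_temp_dir() . $sep . 'realpath_demo_' . getmypid();
mkdir($base);
file_put_contents($base . $sep . 'file', "test\n");

// A file inside the base directory.
var_dump(resolveInside($base, $base . $sep . 'file'));
// A path that cannot be resolved: getRealPath() gives false, result is null.
var_dump(resolveInside($base, $base . $sep . 'missing'));
// A path that resolves to the parent of the base directory, so it is rejected.
var_dump(resolveInside($base, $base . $sep . '..'));

// Remove the constructed demo data.
unlink($base . $sep . 'file');
rmdir($base);
```

With the folder permissions described in the report, the first call would also yield null on Windows, so the caller has to treat null as "cannot verify" and not as proof that the file does not exist.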