Doc Bug #74411 SplFileInfo::getRealPath() returns false if containing folder is unreadable
Submitted: 2017-04-11 08:18 UTC Modified: 2021-10-04 15:26 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: miklcct at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Filesystem function related
PHP Version: 7.1.3 OS: Windows 10
Private report: No CVE-ID: None
 [2017-04-11 08:18 UTC] miklcct at gmail dot com
Description:
------------
On Windows, SplFileInfo::getRealPath() returns false if the containing folder is not readable even if the file itself is readable. This breaks in a typical usage scenario where a SplFileInfo object is constructed using an uploaded file in the temporary folder on Windows, because the temporary folder in Windows is not readable by default, but creating files is allowed inside.

To reproduce, follow the below steps:
1. Make directory C:\dir
2. Make file C:\dir\file and put some text inside
3. Run the script, ensure that the second var_dump returns the path
4. Add an NTFS permission entry on C:\dir saying "deny everyone on this folder only advanced permission list folder / read data"
5. Run the script again


Test script:
---------------
<?php
$path = 'C:\dir\file';
$file = new SplFileInfo($path);
var_dump(file_get_contents($path));
var_dump($file);
var_dump($file->getRealPath());

Expected result:
----------------
Output similar to the below on both runs:

M:\splfileinfo_bug.php:4:
string(5) "test
"
M:\splfileinfo_bug.php:5:
class SplFileInfo#1 (2) {
  private $pathName =>
  string(11) "C:\dir\file"
  private $fileName =>
  string(4) "file"
}
M:\splfileinfo_bug.php:6:
string(11) "C:\dir\file"

Actual result:
--------------
After denying permission, the script outputs:

M:\splfileinfo_bug.php:4:
string(5) "test
"
M:\splfileinfo_bug.php:5:
class SplFileInfo#1 (2) {
  private $pathName =>
  string(11) "C:\dir\file"
  private $fileName =>
  string(4) "file"
}
M:\splfileinfo_bug.php:6:
bool(false)

Note that the file is readable but SplFileInfo::getRealPath() returns false.

History

 [2017-04-11 13:51 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2017-04-11 13:51 UTC] cmb@php.net
It seems to me that is rather a documentation issue, as for
realpath() it is already noted[1] that:

| The running script must have executable permissions on all
| directories in the hierarchy, otherwise realpath() will return
| FALSE.

[1] <http://php.net/manual/en/function.realpath.php#refsect1-function.realpath-returnvalues>
 [2017-04-11 14:02 UTC] miklcct at gmail dot com
I don't think it is a documentation issue, because
1. I'm using SplFileInfo, not bare functions. What the bare functions do is completely irrelevant to me.

2. Even if it replicates the behaviour of that function, I have only denied the list content (read) permission but not traverse folder (execute) permission.
 [2017-05-02 17:44 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-05-02 17:44 UTC] ab@php.net
What are the exact ACLs on the folder and the file?

Thanks.
 [2017-05-08 04:14 UTC] miklcct at gmail dot com
-Status: Feedback +Status: Open
 [2017-05-08 04:14 UTC] miklcct at gmail dot com
Folder permission:
All but list folder / read data

File permission:
Full control
 [2021-10-04 15:26 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-10-04 15:26 UTC] cmb@php.net
> I'm using SplFileInfo, not bare functions. What the bare
> functions do is completely irrelevant to me.

Both use the same underlying implementation.

> Folder permission:
> All but list folder / read data

But these are required[1].  That might be something we want to
change in the future, but shouldn't in a stable version.

So, basically, this is a duplicate of bug #43817.

[1] <https://bugs.php.net/bug.php?id=43817#1632409714>
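
What the behaviour described in this thread means for calling code, as an added example (not code from the report or from PHP itself): a path check that treats a false result from getRealPath() as a hard failure instead of falling back to the unresolved path name. The helper name resolveUnderBase, the status strings and the temp-directory layout are constructed for illustration; the 'unresolvable' branch assumes isReadable() still succeeds in the permission case, as file_get_contents() does in the report.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of SPL): resolve a file for a "must live under
// $baseDir" check, treating a false getRealPath() as a hard failure.
function resolveUnderBase(SplFileInfo $file, string $baseDir): array
{
    $real = $file->getRealPath();
    if ($real === false) {
        // false means "missing" OR "a directory in the hierarchy could not be
        // resolved" (the case in this report). isReadable() is only a logging
        // hint here; the unresolved path name is never used for the decision.
        $why = $file->isReadable() ? 'unresolvable' : 'missing_or_unreadable';
        return ['status' => $why, 'path' => null];
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return ['status' => 'base_unresolvable', 'path' => null];
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "uploads-old" does not pass as being inside "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return ['status' => 'outside_base', 'path' => null];
    }
    return ['status' => 'ok', 'path' => $real];
}

// Constructed sample layout in the system temp directory.
$sep  = DIRECTORY_SEPARATOR;
$root = sys_get_temp_dir() . $sep . 'realpath_demo_' . bin2hex(random_bytes(4));
$base = $root . $sep . 'uploads';
mkdir($base, 0700, true);
file_put_contents($base . $sep . 'a.txt', "test\n");
file_put_contents($root . $sep . 'b.txt', "test\n");

$cases = [
    $base . $sep . 'a.txt',                 // file inside the base
    $base . $sep . '..' . $sep . 'b.txt',   // path that climbs out of the base
    $base . $sep . 'nope.txt',              // file that does not exist
];
foreach ($cases as $p) {
    echo $p, ' => ', resolveUnderBase(new SplFileInfo($p), $base)['status'], PHP_EOL;
}

// Remove the constructed sample files again.
unlink($base . $sep . 'a.txt'); unlink($root . $sep . 'b.txt');
rmdir($base); rmdir($root);
```

The permission case from the report cannot be set up portably here; on Windows it can be checked by pointing the helper at C:\dir\file after step 4 of the reproduction steps.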
 
Last updated: Tue Mar 19 06:01:30 2024 UTC