php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79905 fopen() read-only streams in write mode doesn't fail
Submitted: 2020-07-28 11:37 UTC Modified: 2020-07-30 12:56 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: chokolatrix at gmail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.4.8 OS: WINDOWS
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-07-28 11:37 UTC] chokolatrix at gmail dot com
Description:
------------
PHP's fopen() should fail to:
- open read-only streams in write mode (STDIO in 'w' or other write modes)
- open write-only streams in read mode (STDOUT, STDERR etc. in 'r' or other read modes)

This was noticed because of Laravel's logging to stderr failing under Apache/2.4.29 (Win64) mod_fcgid/2.3.9 and PHP 7.4.8 x64 NTS. 

There is possibly a bug with Apache and FastCGI exposing STDERR as non-writable (normally writes STDERR to the error log), but Laravel logging code checks fopen() result being a stream before writing to it.



Test script:
---------------
<?php
# c:\my-site\test.php

error_reporting(E_ALL);
ini_set('display_errors','On');

$fp = fopen('php://stdin', 'w');
var_dump($fp);

$fp = fopen('php://stderr', 'r');
var_dump($fp);

if ($fp) {
    // this then fails on Apache + FastCGI - might be an Apache + FCGI bug causing stderr not to be writable
    fwrite($fp, "test");
} 


Expected result:
----------------
bool(false)
bool(false)


Actual result:
--------------
Notice: fwrite(): write of 4 bytes failed with errno=9 Bad file descriptor in test.php on line 7

resource(3) of type (stream)
resource(4) of type (stream)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-28 12:08 UTC] chokolatrix at gmail dot com
Related: https://bugs.php.net/bug.php?id=79166
 [2020-07-30 12:56 UTC] cmb@php.net
The fact that opening the 'output', 'input', 'stdin', 'stderr' and
'fd' protocols completly ignores the given $mode[1], looks
actually wrong to me.

However, on Windows with IIS *F*CGI there is usually no stderr
(nor stdout for that matter); all communication with the Webserver
is done through a pipe.  The fact that PHP allows to open
php://stderr is certainly a bug in this case.

[1] <https://github.com/php/php-src/blob/php-7.4.8/ext/standard/php_fopen_wrapper.c#L215-L341>
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 22 05:01:30 2020 UTC