php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79905 fopen() read-only streams in write mode doesn't fail
Submitted: 2020-07-28 11:37 UTC Modified: 2020-07-30 12:56 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: chokolatrix at gmail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.4.8 OS: WINDOWS
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: chokolatrix at gmail dot com
New email:
PHP Version: OS:

 

 [2020-07-28 11:37 UTC] chokolatrix at gmail dot com
Description:
------------
PHP's fopen() should fail to:
- open read-only streams in write mode (STDIO in 'w' or other write modes)
- open write-only streams in read mode (STDOUT, STDERR etc. in 'r' or other read modes)

This was noticed because of Laravel's logging to stderr failing under Apache/2.4.29 (Win64) mod_fcgid/2.3.9 and PHP 7.4.8 x64 NTS. 

There is possibly a bug with Apache and FastCGI exposing STDERR as non-writable (normally writes STDERR to the error log), but Laravel logging code checks fopen() result being a stream before writing to it.



Test script:
---------------
<?php
# c:\my-site\test.php

error_reporting(E_ALL);
ini_set('display_errors','On');

$fp = fopen('php://stdin', 'w');
var_dump($fp);

$fp = fopen('php://stderr', 'r');
var_dump($fp);

if ($fp) {
    // this then fails on Apache + FastCGI - might be an Apache + FCGI bug causing stderr not to be writable
    fwrite($fp, "test");
} 


Expected result:
----------------
bool(false)
bool(false)


Actual result:
--------------
Notice: fwrite(): write of 4 bytes failed with errno=9 Bad file descriptor in test.php on line 7

resource(3) of type (stream)
resource(4) of type (stream)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-28 12:08 UTC] chokolatrix at gmail dot com
Related: https://bugs.php.net/bug.php?id=79166
 [2020-07-30 12:56 UTC] cmb@php.net
The fact that opening the 'output', 'input', 'stdin', 'stderr' and
'fd' protocols completly ignores the given $mode[1], looks
actually wrong to me.

However, on Windows with IIS *F*CGI there is usually no stderr
(nor stdout for that matter); all communication with the Webserver
is done through a pipe.  The fact that PHP allows to open
php://stderr is certainly a bug in this case.

[1] <https://github.com/php/php-src/blob/php-7.4.8/ext/standard/php_fopen_wrapper.c#L215-L341>
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Oct 30 05:02:34 2020 UTC