Fix GH-14481: realpath() and SplFileInfo::getRealPath inside Phar#21883
Open
iliaal wants to merge 1 commit intophp:masterfrom
Open
Fix GH-14481: realpath() and SplFileInfo::getRealPath inside Phar#21883iliaal wants to merge 1 commit intophp:masterfrom
iliaal wants to merge 1 commit intophp:masterfrom
Conversation
realpath() and SplFileInfo::getRealPath() route directly through VCWD_REALPATH, which has no notion of stream wrappers. For a phar:// URL the call chain treats the URI as relative, prepends CWD, and stat()s a nonsense path, so existing entries inside a Phar return false even though file_exists()/is_file()/include all see them. Before VCWD_REALPATH, look up the stream wrapper for the path. If a non-plain, non-URL wrapper supplies url_stat and reports SUCCESS, return the input string; on FAILURE, return false. Plain paths (and file:// URLs that resolve back to the plain-files wrapper) keep the existing VCWD_REALPATH semantics: realpath cache, ZTS access guard, and open_basedir check. For phar URLs, open_basedir is enforced by the wrapper's own url_stat, matching how is_file() and file_exists() behave today. The !wrapper->is_url guard keeps URL-style wrappers (http://, ftp://, data://, user wrappers registered with STREAM_IS_URL) on the existing false return so realpath() does not gain network or third-party url_stat side effects. In-tree, only phar matches the new branch. User wrappers registered without STREAM_IS_URL that implement url_stat will now have url_stat called from realpath(). PharFileInfo, SplFileObject, DirectoryIterator, RecursiveDirectoryIterator, and FilesystemIterator inherit SplFileInfo::getRealPath and pick up the fix. Closes phpGH-14481
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
realpath()andSplFileInfo::getRealPath()route directly throughVCWD_REALPATH, which has no notion of stream wrappers. For aphar://URL the chain treats the URI as relative, prepends CWD, andstat()s a nonsense path, so existing entries inside a Phar returnfalseeven thoughfile_exists()/is_file()/includeall see them.Before
VCWD_REALPATH, look up the stream wrapper for the path. If a non-plain, non-URL wrapper suppliesurl_statand reports SUCCESS, return the input string; on FAILURE, returnfalse. Plain paths (andfile://URLs that resolve back to the plain-files wrapper) keep the existingVCWD_REALPATHsemantics: realpath cache, ZTS access guard, andopen_basedircheck. For phar URLs,open_basediris enforced by the wrapper's ownurl_stat, matching howis_file()andfile_exists()behave today.The
!wrapper->is_urlguard scopes the new path to local-style wrappers. URL-style wrappers (http://,ftp://,data://, user wrappers registered withSTREAM_IS_URL) keep returningfalse, sorealpath()does not gain network or third-partyurl_statside effects. In-tree, only phar matches the new branch. User wrappers registered withoutSTREAM_IS_URLthat implementurl_statwill now haveurl_statcalled fromrealpath().PharFileInfo,SplFileObject,DirectoryIterator,RecursiveDirectoryIterator, andFilesystemIteratorinheritSplFileInfo::getRealPathand pick up the fix.stream_resolve_include_path()is intentionally untouched; it is an include-path search that uses the realpath cache, not URL canonicalisation.Fixes #14481