php · Girgias · Jul 17, 2025 · Jul 17, 2025
@@ -748,14 +748,12 @@ PHPAPI void php_stat(zend_string *filename, int type, zval *return_value)
 	const char *local = NULL;
 	php_stream_wrapper *wrapper = NULL;
 
+	ZEND_ASSERT(!zend_str_has_nul_byte(filename));
+	/* Quick check for empty file paths */
+	if (!ZSTR_LEN(filename)) {
+		RETURN_FALSE;
+	}
 	if (IS_ACCESS_CHECK(type)) {
-		if (!ZSTR_LEN(filename) || zend_str_has_nul_byte(filename)) {
-			if (ZSTR_LEN(filename) && !IS_EXISTS_CHECK(type)) {
-				php_error_docref(NULL, E_WARNING, "Filename contains null byte");
-			}
-			RETURN_FALSE;
-		}
-
 		if ((wrapper = php_stream_locate_url_wrapper(ZSTR_VAL(filename), &local, 0)) == &php_plain_files_wrapper
 				&& php_check_open_basedir(local)) {
 			RETURN_FALSE;
@@ -817,13 +815,6 @@ PHPAPI void php_stat(zend_string *filename, int type, zval *return_value)
 		}
 
 		if (!wrapper) {
-			if (!ZSTR_LEN(filename) || zend_str_has_nul_byte(filename)) {
-				if (ZSTR_LEN(filename) && !IS_EXISTS_CHECK(type)) {
-					php_error_docref(NULL, E_WARNING, "Filename contains null byte");
-				}
-				RETURN_FALSE;
-			}
-
 			if ((wrapper = php_stream_locate_url_wrapper(ZSTR_VAL(filename), &local, 0)) == &php_plain_files_wrapper
 			 && php_check_open_basedir(local)) {
 				RETURN_FALSE;
@@ -1014,7 +1005,7 @@ ZEND_NAMED_FUNCTION(name) { \
 	zend_string *filename; \
 	\
 	ZEND_PARSE_PARAMETERS_START(1, 1) \
-		Z_PARAM_STR(filename) \
+		Z_PARAM_PATH_STR(filename) \
 	ZEND_PARSE_PARAMETERS_END(); \
 	\
 	php_stat(filename, funcnum, return_value); \

@@ -6,7 +6,11 @@ Andrew van der Stock, vanderaj @ owasp.org
 <?php
 
 $filename = __FILE__ . chr(0). ".ridiculous";
-var_dump(file_exists($filename));
+try {
+    var_dump(file_exists($filename));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 ?>
 --EXPECT--
-bool(false)
+ValueError: file_exists(): Argument #1 ($filename) must not contain any null bytes
@@ -0,0 +1,14 @@
+--TEST--
+filegroup() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(filegroup("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: filegroup(): Argument #1 ($filename) must not contain any null bytes
@@ -26,10 +26,6 @@ $files_arr = array(
   "//filegroup_variation3//filegroup_variation3.tmp",
   "/filegroup_variation3/*.tmp",
   "filegroup_variation3/filegroup*.tmp",
-
-  /* Testing Binary safe */
-  "/filegroup_variation3/filegroup_variation3.tmp".chr(0),
-  "/filegroup_variation3/filegroup_variation3.tmp\0"
 );
 
 $count = 1;
@@ -74,13 +70,5 @@ bool(false)
 
 Warning: filegroup(): stat failed for %s/filegroup_variation3/filegroup*.tmp in %s on line %d
 bool(false)
-- Iteration 7 -
-
-Warning: filegroup(): Filename contains null byte in %s on line %d
-bool(false)
-- Iteration 8 -
-
-Warning: filegroup(): Filename contains null byte in %s on line %d
-bool(false)
 
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+fileinode() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(fileinode("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: fileinode(): Argument #1 ($filename) must not contain any null bytes
@@ -25,10 +25,6 @@ $files_arr = array(
   "//fileinode_variation3//fileinode_variation3.tmp",
   "/fileinode_variation3/*.tmp",
   "fileinode_variation3/fileinode*.tmp",
-
-  /* Testing Binary safe */
-  "/fileinode_variation3/fileinode_variation3.tmp".chr(0),
-  "/fileinode_variation3/fileinode_variation3.tmp\0"
 );
 
 $count = 1;
@@ -73,13 +69,5 @@ bool(false)
 
 Warning: fileinode(): stat failed for %s/fileinode_variation3/fileinode*.tmp in %s on line %d
 bool(false)
-- Iteration 7 -
-
-Warning: fileinode(): Filename contains null byte in %s on line %d
-bool(false)
-- Iteration 8 -
-
-Warning: fileinode(): Filename contains null byte in %s on line %d
-bool(false)
 
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+fileowner() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(fileowner("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: fileowner(): Argument #1 ($filename) must not contain any null bytes
@@ -26,10 +26,6 @@ $files_arr = array(
   "//fileowner_variation3//fileowner_variation3.tmp",
   "/fileowner_variation3/*.tmp",
   "fileowner_variation3/fileowner*.tmp",
-
-  /* Testing Binary safe */
-  "/fileowner_variation3/fileowner_variation3.tmp".chr(0),
-  "/fileowner_variation3/fileowner_variation3.tmp\0"
 );
 
 $count = 1;
@@ -74,13 +70,5 @@ bool(false)
 
 Warning: fileowner(): stat failed for %s/fileowner_variation3/fileowner*.tmp in %s on line %d
 bool(false)
-- Iteration 7 -
-
-Warning: fileowner(): Filename contains null byte in %s on line %d
-bool(false)
-- Iteration 8 -
-
-Warning: fileowner(): Filename contains null byte in %s on line %d
-bool(false)
 
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+fileperms() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(fileperms("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: fileperms(): Argument #1 ($filename) must not contain any null bytes
@@ -25,10 +25,6 @@ $files_arr = array(
   "//fileperms_variation3//fileperms_variation3.tmp",
   "/fileperms_variation3/*.tmp",
   "fileperms_variation3/fileperms*.tmp",
-
-  /* Testing Binary safe */
-  "/fileperms_variation3/fileperms_variation3.tmp".chr(0),
-  "/fileperms_variation3/fileperms_variation3.tmp\0"
 );
 
 $count = 1;
@@ -73,13 +69,5 @@ bool(false)
 
 Warning: fileperms(): stat failed for %s/fileperms_variation3/fileperms*.tmp in %s on line %d
 bool(false)
-- Iteration 7 -
-
-Warning: fileperms(): Filename contains null byte in %s on line %d
-bool(false)
-- Iteration 8 -
-
-Warning: fileperms(): Filename contains null byte in %s on line %d
-bool(false)
 
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+is_dir() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(is_dir("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: is_dir(): Argument #1 ($filename) must not contain any null bytes
@@ -23,10 +23,6 @@ $dirs_arr = array(
   "./is_dir_variation4//",
   ".//is_dir_variation4//",
   "is_dir_vari*",
-
-  /* Testing Binary safe */
-  "./is_dir_variation4/".chr(0),
-  "is_dir_variation4\0"
 );
 
 $count = 1;
@@ -75,10 +71,4 @@ bool(true)
 -- Iteration 8 --
 bool(false)
 
--- Iteration 9 --
-bool(false)
-
--- Iteration 10 --
-bool(false)
-
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+is_executable() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(is_executable("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: is_executable(): Argument #1 ($filename) must not contain any null bytes
@@ -33,11 +33,6 @@ $files_arr = array(
   "$file_path/is_executable_variation1/*.tmp",
   "$file_path/is_executable_variation1/b*.tmp",
 
-  /* Testing Binary safe */
-  "$file_path/is_executable_variation1".chr(0)."bar.temp",
-  "$file_path".chr(0)."is_executable_variation1/bar.temp",
-  "$file_path/is_executable_variation1x000/",
-
   /* Testing directories */
   ".",  // current directory, exp: bool(true)
   "$file_path/is_executable_variation1"  // temp directory, exp: bool(true)
@@ -76,13 +71,7 @@ bool(false)
 -- Iteration 5 --
 bool(false)
 -- Iteration 6 --
-bool(false)
--- Iteration 7 --
-bool(false)
--- Iteration 8 --
-bool(false)
--- Iteration 9 --
 bool(true)
--- Iteration 10 --
+-- Iteration 7 --
 bool(true)
 Done
@@ -0,0 +1,14 @@
+--TEST--
+is_file() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(is_file("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: is_file(): Argument #1 ($filename) must not contain any null bytes
@@ -23,10 +23,6 @@ $files_arr = array(
   "//is_file_variation4//is_file_variation4.tmp",
   "/is_file_variation4/*.tmp",
   "is_file_variation4/is_file*.tmp",
-
-  /* Testing Binary safe */
-  "/is_file_variation4/is_file_variation4.tmp".chr(0),
-  "/is_file_variation4/is_file_variation4.tmp\0"
 );
 
 $count = 1;
@@ -65,9 +61,5 @@ bool(true)
 bool(false)
 - Iteration 6 -
 bool(false)
-- Iteration 7 -
-bool(false)
-- Iteration 8 -
-bool(false)
 
 *** Done ***
@@ -0,0 +1,14 @@
+--TEST--
+is_readable() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(is_readable("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: is_readable(): Argument #1 ($filename) must not contain any null bytes
@@ -32,11 +32,6 @@ $files_arr = array(
   "$file_path/is_readable_variation1/*.tmp",
   "$file_path/is_readable_variation1/b*.tmp",
 
-  /* Testing Binary safe */
-  "$file_path/is_readable_variation1".chr(0)."bar.tmp",
-  "$file_path".chr(0)."is_readable_variation1/bar.tmp",
-  "$file_path".chr(0)."is_readable_variation1/bar.tmp",
-
   /* Testing directories */
   ".",  // current directory, exp: bool(true)
   "$file_path/is_readable_variation1"  // temp directory, exp: bool(true)
@@ -77,13 +72,7 @@ bool(false)
 -- Iteration 6 --
 bool(false)
 -- Iteration 7 --
-bool(false)
--- Iteration 8 --
-bool(false)
--- Iteration 9 --
-bool(false)
--- Iteration 10 --
 bool(true)
--- Iteration 11 --
+-- Iteration 8 --
 bool(true)
 Done
@@ -0,0 +1,14 @@
+--TEST--
+is_writable() with filenames with null bytes
+--FILE--
+<?php
+
+try {
+    var_dump(is_writable("file_with_null_byte.tmp\0"));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+ValueError: is_writable(): Argument #1 ($filename) must not contain any null bytes