Trailing multi dots in filenames are ignored in Windows

[tsybot]

Description

Additional dots ignored windows Windows treats filenames with trailing dots in a special way, namely that these are basically ignored by most APIs.
But, anyway on windows we can create this files with prefix "\\?\", for example:

ECHO 123> \\?\C:\app\flag.txt....

Check file is created

C:\app>dir
 Volume in drive C has no label.
 Volume Serial Number is F6CA-D975

 Directory of C:\app

07/03/2024  07:53 AM    <DIR>          .
06/23/2024  03:03 PM    <DIR>          ..
07/03/2024  07:53 AM                 5 flag.txt....

So file exists but realpath function not find it, and functions who use VCWD_REALPATH iside same not found it and open_basedir check can not passed because use VCWD_REALPATH

<?php
var_dump(realpath("C:\\app\\flag.txt...."));
var_dump(bindtextdomain('xxx', "C:\\app\\flag.txt...."));
var_dump(file_get_contents("C:\\app\\flag.txt...."));

try to use "\\?\" prefix

<?php
var_dump(realpath("\\\\?\\C:\\app\\flag.txt...."));
var_dump(bindtextdomain('xxx', "\\\\?\\C:\\app\\flag.txt...."));
var_dump(file_get_contents("\\\\?\\C:\\app\\flag.txt...."));

Resulted in this output:

bool(false)
bool(false)
Warning: file_get_contents(C:\app\flag.txt....): Failed to open stream: No such file or directory in C:\app\test.php on line 3
bool(false)

bool(false)
bool(false)
Warning: file_get_contents(\\?\C:\app\flag.txt....): Failed to open stream: No such file or directory in C:\app\test.php on line 3
bool(false)

But I expected this output instead:

string(19) "C:\app\flag.txt...."
string(19) "C:\app\flag.txt...."
string(3) "123"

string(19) "C:\app\flag.txt...."
string(19) "C:\app\flag.txt...."
string(3) "123"

If we enable open_basedir and set it to C:\app\ it falied on open_basedir check with prefix "\\?\"

<?php
var_dump(file_get_contents("C:\\app\\flag.txt...."));
var_dump(file_get_contents("\\\\?\\C:\\app\\flag.txt...."));

Warning: file_get_contents(C:\app\flag.txt....): Failed to open stream: No such file or directory in C:\app\test.php on line 1
bool(false)
Warning: file_get_contents(): open_basedir restriction in effect. File(\\?\C:\app\flag.txt....) is not within the allowed path(s): (C:\\app\\) in C:\app\test.php on line 2
Warning: file_get_contents(\\?\C:\app\flag.txt....): Failed to open stream: Operation not permitted in C:\app\test.php on line 2
bool(false)

All function who use open_basedir check fail to check if use "\\?\" prefix, but if open_basedir not set functions: is_readable,file_exists,is_writable,filesize,fileatime .. maybe more - is working prefect with "\\?\" prefix,, im not check all functions.
Not working functions: realpath,file_get_contents,bindtextdomain,readfile,file,opcache_invalidate,SplFileInfo->getRealPath ... maybe more

PHP Version

PHP 8.3.6

Operating System

Windows Server 2022

[cmb69]

So far I've only looked into NTS builds (ZTS builds may behave somewhat differently). There are at least two issues:

php-src/Zend/zend_virtual_cwd.c

Lines 1099 to 1103 in 4fcbdea

	if (memchr(resolved_path, '*', path_length) ||
	memchr(resolved_path, '?', path_length)) {
	SET_ERRNO_FROM_WIN32_CODE(ERROR_INVALID_NAME);
	return 1;
	}

This is code is meant to avoid issues with wildcard characters when FindFirstFile() is called; that is important, but also breaks support for UNC paths (well, actually these are called DOS device paths).

And then there is

php-src/win32/ioutil.h

Lines 196 to 206 in 4fcbdea

	/* Only prefix with long if it's needed. */
	if (dir_len + mb_len >= _MAX_PATH) {
	size_t new_mb_len;
	ret = (wchar_t *) malloc((dir_len + mb_len + PHP_WIN32_IOUTIL_LONG_PATH_PREFIX_LENW + 1) * sizeof(wchar_t));
	if (!ret) {
	free(mb);
	return NULL;
	}
	if (PHP_WIN32_IOUTIL_NORM_FAIL == php_win32_ioutil_normalize_path_w(&mb, mb_len, &new_mb_len)) {

php_win32_ioutil_normalize_path_w() removes the first leading backslash from the DOS device path, so in the following the file can't be accessed, because the filename is indeed wrong. I don't see any point in even entering the if-body for UNC paths, because there is no need to touch these.

With some quick fixes for these two issues, file_get_contents(), realpath() and bindtextdomain() work fine for a file with trailing dots, if the DOS device path is used; they still fails for the "regular" filename.

I need to do further checks, but it seems to me that we may introduce an aliasing issue regarding the realpath cache and open_basedir. At least with my quick patch applied, I get duplicate entries in the realpath cache (always a pair with "regular" and DOS device path). Furtunately, the code in zend_virtual_cwd.c is easy to grasp, and changes to ioutil.h don't require a full rebuild. Not.