In testing the Aura.Http package, I have realized that it's much more flexible, testing wise, to pass around file resources (a.k.a. handles, pointers, or streams) than it is to pass around file names. When you do that, you can use a php://memory stream instead of attempting to touch the file system.

He shows how using this method can make it easier to test with a simple bit of refactoring by passing in the "php://memory" stream rather than the actual file reference. The comment (from Chris Hartjes) also suggests an alternative tool for working with tests that need the file system, vfsStream.

Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future :)

The issue, described in more detail here on bugs.php.net (as of the time of this post, unfortunately unavailable) and his code to reproduce the issue is here. Due to a bug in the code that should strip down the upload to just the filename, certain kinds of file paths can make it through. The real problem comes in when an application blindly uses this filename to write to, possibly overwriting important files. You can see a screenshot of it in action here.

Hehe, some might say, that those 10 lines of C code are not even worth calling it a patch. Especially, since it was mostly copy and paste work and since Christian Schneider also adviced me for some improvement. Anyway, Marcus just commited my enhancement to pathinfo(), which adds a new field "filename" to the returned array of path elements.

His patch adds a much needed output parameter to the pathinfo function's results - filename. He talks briefly about the process of making the change and how long it took him on the first shot (2 hours), but now his hard work has paid off. The update will be a part of PHP 5.2.