fseek does not work with php://input when data is not pre-read

[bohwaz]

Description

$a = fopen('php://input', 'r');

var_dump(stream_get_meta_data($a)['seekable']);

var_dump(ftell($a));
var_dump(fseek($a, 10, SEEK_SET));
var_dump(ftell($a));

Resulted in this output:

bool(true)
int(0)
int(-1)
bool(false)

But I expected this output instead:

bool(true)
int(0)
int(0)
int(10)

If you actually read through to the end of the stream, it becomes seekable:

$a = fopen('php://input', 'r');

while (!feof($a)) {
	fread($a, 8192);
}

var_dump(stream_get_meta_data($a)['seekable']);

var_dump(ftell($a));
var_dump(fseek($a, 10, SEEK_SET));
var_dump(ftell($a));
var_dump(fseek($a, 0, SEEK_END));
var_dump(ftell($a));

Results in what is expected:

bool(true)
int(30320)
int(0)
int(10)
int(0)
int(30320)

PHP Version

PHP/8.1.9

Operating System

Debian stable

[cmb69]

Which SAPI are you using? cli?

[bohwaz]

@cmb69 I get the same results with Apache and mod_php (Apache 2.4.54) and PHP CLI server.

[cmb69]

I cannot reproduce this (neither with Apache mod_php nor with the builtin server), assuming the request body is not empty; maybe Windows is not affected.

[bohwaz]

Oh yeah I'm on debian. I don't have a Windows to test stuff.

Also what made me fall into this was the fact that fseek($a, 0, SEEK_END) will return 0 instead of -1, and then ftell would be at 0 like if the file was empty.

Here is a complete curl trace using the first code example:

% curl -v http://localhost:8080/ --upload-file ~/images/wallpaper.jpg 
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> PUT /wallpaper.jpg HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 743615
> Expect: 100-continue
> 
* Done waiting for 100-continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Mon, 29 Aug 2022 15:23:28 GMT
< Connection: close
< X-Powered-By: PHP/8.1.9
< Content-type: text/html; charset=UTF-8
< 
bool(true)
int(0)
int(-1)
bool(false)
* Closing connection 0

[bohwaz]

Also before anyone asks, this is not related to curl using 100 Continue HTTP feature:

 % curl -v http://localhost:8080/ --upload-file ~/images/wallpaper.jpg -H 'Expect:'
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> PUT /wallpaper.jpg HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 743615
> 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Mon, 29 Aug 2022 15:28:00 GMT
< Connection: close
< X-Powered-By: PHP/8.1.9
< Content-type: text/html; charset=UTF-8
< 
bool(true)
int(0)
int(-1)
bool(false)
* Closing connection 0

[cmb69]

PUT /wallpaper.jpg HTTP/1.1

Ah, you've made a PUT request; I've tried with a POST. Not sure if there's a difference, though.

[bohwaz]

Same issue with POST, yeah, it's probably coming from the stream handling. I read the code, but I'm not sure where the issue might be. I can see that there is already code to read the stream to the end to try to emulate seeking into a stream, but that might not be related.

% curl -v http://localhost:8080/a.php -d 'testtest'
*   Trying 127.0.0.1:8080...                                                            
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /a.php HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 8
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 8 out of 8 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Wed, 31 Aug 2022 00:30:18 GMT
< Connection: close
< X-Powered-By: PHP/8.1.9
< Content-type: text/html; charset=UTF-8
< 
bool(true)
int(0)
int(-1)
bool(false)
* Closing connection 0