SafeFile throws wrong Exception on nul byte injection

[renaatdemuynck]

SafeFileTest::testURILocal fails because SafeFile throws EnterpriseSecurityException instead of ValidationException. This is because in more recent versions of PHP, when you inject a nul byte in the path, the class SplFileObject throws RuntimeException with message _'SplFileObject::_construct() expects parameter 1 to be a valid path, string given'. In older versions of PHP a ValidationException would have been thrown. This should be fixed by running the sanity checks before the SplFileObject::__constructor is called.

Tested on:

• Windows 7, PHP 5.2.5: test passes
• Windows 7, PHP 5.4.16: test fails
• Ubuntu 14.04 PHP 5.5.9: test fails

[renaatdemuynck]

UPDATE Apparently PHP fixed most of the security issues with SplFileObject. Further testing reveils the following:

• On Linux all tests in SafeFileTest pass if the tests are run against SplFileObject instead of SafeFile and all tests expect RuntimeException instead of EnterpriseSecurityException or ValidationException.
• On Windows the only test that fails is SafeFileTest::testSafeFileWithDevNullAndPercentEncoding

Solution: Do we still really need SafeFile? Should it be marked deprecated? Anyway, if we want SafeFile to throw ValidationExceptions, the sanity checks should be performed before the SplFileObject::__constructor is called.