File::prohibitWrappers() unconditionally rejects any URL scheme with more than one character. This breaks unit tests that use mikey179/vfsstream — a widely-used PHP library for mocking the filesystem in tests.
vfsStream registers a vfs:// stream wrapper and provides vfs://root/... paths that are fully compatible with standard PHP file functions (file_put_contents, fopen, file_get_contents, is_file, etc.). PhpSpreadsheet itself internally uses those functions, so a vfs:// path would work but prohibitWrappers() aborts before even trying.
Environment
- phpoffice/phpspreadsheet: 5.7.0
- mikey179/vfsstream: v1.6.12
- PHP: 8.4.8
Expected behavior
Tests that use vfsStream to avoid real disk I/O should work. The library should either:
- Provide a whitelist API so callers can opt-in to specific safe stream wrappers:
File::allowStreamWrappers(['vfs']); // e.g. for test environments
- Or check whether the scheme is a registered PHP stream wrapper (via
stream_get_wrappers()) and allow those, while still blocking dangerous protocols like phar://, http://, expect://
The comment in the source already hints at this:
A whitelist of protocols may be added if needed in future.
File::prohibitWrappers() unconditionally rejects any URL scheme with more than one character. This breaks unit tests that use mikey179/vfsstream — a widely-used PHP library for mocking the filesystem in tests.
vfsStream registers a
vfs://stream wrapper and providesvfs://root/...paths that are fully compatible with standard PHP file functions (file_put_contents,fopen,file_get_contents,is_file, etc.). PhpSpreadsheet itself internally uses those functions, so avfs://path would work butprohibitWrappers()aborts before even trying.Environment
Expected behavior
Tests that use vfsStream to avoid real disk I/O should work. The library should either:
File::allowStreamWrappers(['vfs']); // e.g. for test environmentsstream_get_wrappers()) and allow those, while still blocking dangerous protocols likephar://,http://,expect://The comment in the source already hints at this: