Newsgroups: php.internals
Date: Tue, 12 Sep 2017 07:16:26 +0900
To: "lists@rhsoft.net"
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] A validator module for PHP7
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

On Tue, Sep 12, 2017 at 6:54 AM, lists@rhsoft.net wrote:
>
> On 11.09.2017 at 23:39 Yasuo Ohgaki wrote:
>
>> On Tue, Sep 12, 2017 at 6:35 AM, lists@rhsoft.net but you still fail
>> to explain why in the world you don't try to
>> enhance the existing filter functions instead of inventing a new beast,
>> leading finally to having the existing filter functions and your new
>> stuff which share the same intention
>>
>> Why don't you read the previous RFC and the vote result?
>> https://wiki.php.net/rfc/add_validate_functions_to_filter
>>
>
> and why do you not take the contra arguments against how you think
> things should be done into your considerations and believe bikeshedding it with
> a different name will achieve anything?
>

If you understand the difference, there is a huge difference with respect to
behaviors. The previous RFC was a halfway finished "validation"; it's far from
"true validation".

> it's basically the same as your hash_hkdf() related stuff - you just ignore
> everybody and continue to ride a dead horse up to a level where even pure
> readers of the internals list just have enough and only think "stop it guy"

The hash_hkdf() discussion has finally come to a conclusion, if you haven't noticed it.
It is clear now that Nikita and Andrey do not understand the algorithm
(including the underlying HMAC and crypto hash characteristics) and the RFC.
See the relevant thread (the latest one) for the conclusion.

In short, the current hash_hkdf() not only violates RFC 5869, but also
encourages extremely insecure usage and has an unnecessarily incompatible API
with respect to other hash functions.

On Tue, Sep 12, 2017 at 6:56 AM, lists@rhsoft.net wrote:
> and i am surprised that you act *that* stubborn and obviously think when you
> give the bike a new name someone will buy it instead of really considering the
> contras of previous proposals

"Validate" and "filter improvement" are fundamentally different proposals, in
fact. i.e. Validate does true white list validation, while filter improvement
is halfway.

Almost all apps do not implement "proper application level input validation"
yet, even if all security guidelines/standards recommend/require it.

What do you mean by "stubborn"? Would you like me to try to remove "input
validations" from security guidelines or standards? If you seriously think so,
you're the one who should try.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net