Newsgroups: php.internals
Xref: news.php.net php.internals:101313
Date: Mon, 11 Dec 2017 09:18:19 +0100
Subject: Re: [PHP-DEV] ReflectionContext for imports and namespace
From: ocramius@gmail.com (Marco Pivetta)
To: Andreas Hennings
Cc: Niklas Keller, PHP Internals List

On 11 Dec 2017 09:10, "Andreas Hennings" wrote:

On 11 December 2017 at 09:05, Marco Pivetta wrote:
> On 11 December 2017 at 08:46, Marco Pivetta wrote:
> > Indeed that already exists at
> > https://github.com/Roave/BetterReflection/blob/2.0.1/docs/features.md#analysing-types-from-docblocks
> > - relatively new lib, so it probably didn't get noticed upfront in here.
> >
> Yes, parser / userland solutions exist for this purpose.
> (I have seen BetterReflection)
>
> I just thought since this information is already available, a library
> that uses reflection API should not need a userland parser to get it.
>
> Unless the codebase being analyzed is trusted and not legacy
> (wordpress-style) any tool based on the current reflection API is basically
> a potential security issue or a set of potentially harmful side-effects.
> The reason for me and James building BetterReflection was essentially that,
> since the current API is flawed and not really fixable without BC breaks
> (removing the side-effect), so I strongly encourage any code analysis tool
> to just use the userland adapters we wrote, and only switch to core
> reflection when performance is more critical than security.
>

These side effects would be that the class loader loads files which can
break things?

Yes. Reflecting over a codebase which contains even just polyfills
(duplicate classes) can already lead to unexpected crashes.

Reflecting over non-PSR-2 code can even lead to worse things such as
starting a DB connection and performing unwanted operations.
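
The side effect discussed in this message, shown as an added example that is not part of the original thread and is not BetterReflection's code: core `ReflectionClass` triggers the autoloader and runs the file's top-level code, while a source-level scan does not. The class name `LegacyReport`, the temp directory and the marker file are constructed for the demo, and the `token_get_all()` scan is only a minimal stand-in for a userland parser.

```php
<?php
// Constructed sample: a legacy-style file mixing top-level code with a class.
// The "side effect" is a harmless marker file standing in for a DB call.
$dir    = sys_get_temp_dir() . '/reflection-demo-' . getmypid();
$marker = "$dir/side-effect-ran";
mkdir($dir);
file_put_contents("$dir/LegacyReport.php", "<?php\n"
    . 'file_put_contents(' . var_export($marker, true) . ", 'executed');\n"
    . "class LegacyReport { public function run() {} }\n");

// Static inspection: tokenize the source and collect declared class names.
// Nothing in the file is executed. Simplified: ignores namespaces and expects
// a single whitespace token between "class" and the name.
function declaredClasses(string $file): array
{
    $names  = [];
    $tokens = token_get_all(file_get_contents($file));
    foreach ($tokens as $i => $token) {
        $next = $tokens[$i + 2] ?? null;
        if (is_array($token) && $token[0] === T_CLASS
            && is_array($next) && $next[0] === T_STRING) {
            $names[] = $next[1];
        }
    }
    return $names;
}

// A typical autoloader: maps a class name to a file and requires it.
spl_autoload_register(function (string $class) use ($dir) {
    $file = "$dir/$class.php";
    if (is_file($file)) {
        require $file;
    }
});

$found = declaredClasses("$dir/LegacyReport.php");
printf("static scan found: %s; side effect ran: %s\n",
    implode(', ', $found), var_export(file_exists($marker), true));

// Core reflection: the class is not loaded yet, so ReflectionClass invokes
// the autoloader, which requires the file and runs its top-level code.
$reflection = new ReflectionClass('LegacyReport');
clearstatcache();
printf("core reflection found: %s; side effect ran: %s\n",
    $reflection->getName(), var_export(file_exists($marker), true));

// Remove the constructed files.
unlink($marker);
unlink("$dir/LegacyReport.php");
rmdir($dir);
```

Run it with the PHP CLI; the tokenizer extension it relies on is enabled in default builds.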