Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:104305
Return-Path: <sjon@hortensius.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 39859 invoked from network); 8 Feb 2019 14:15:51 -0000
Received: from unknown (HELO mail-it1-f171.google.com) (209.85.166.171)
  by pb1.pair.com with SMTP; 8 Feb 2019 14:15:51 -0000
Received: by mail-it1-f171.google.com with SMTP id q78so8310214itc.0
        for <internals@lists.php.net>; Fri, 08 Feb 2019 02:57:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=hortensius.net; s=ga;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
        bh=TIOjsbMTvW0W20NmnoVRTwER34iZze13i7U+2Mi4Bsk=;
        b=CbduQfMyIig1TlYgPLkc+JvriRti7D9L0ueJGdTavWvjaSpJa4ktBvmANcxIJxOjPK
         AZGnmHR85WZdjTrCYPYPmAwMDkm9TM0dmkaMiwfvvR0Lu6k+vTF16lXAdMHeA5yJnDsg
         AJtonh/4oF0piYhgnFlPXiv8pilDA92TUJI3E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=TIOjsbMTvW0W20NmnoVRTwER34iZze13i7U+2Mi4Bsk=;
        b=XmK8n9wvOmRIpshKmbvToMr70zSRgEr8nBHRzjsaCyjaKT9lvyzlZG7XZMBhyDwPHD
         1uO/WP15FKzzEdhnWp1g31r09EuTPMVGKYq3Iaa8L6Yt57Tz1vz9qLZFUIWCV6kEYjX/
         Xv2uDpGJc6DwGNVvv6Eh3EzZ31OyJHJBIEKRf+ZyJnjWzOfQ1oObq2XLjBuUmnMRfe8w
         vdIpKpwUwsdnw/sRigndx7a6R7l3aZ311mliJMmjqQCwcp805eDKJeudPdra8MUfjGx5
         j+k+EVEW8Rse5kEel9dhdh3ywccmabow43ssfJmWY3YUnvd0vta6raMXiYu5DNrfgOgo
         UdSA==
X-Gm-Message-State: AHQUAuZPBD3u1BWhbcPNfC+/2HTvjl5GyjMB2WzoiKyVtIBSukoUdp+u
	mkg/43uCrzLSqoIJ1neRn/0ch8Sa1CLF+hublxR5x3DV
X-Google-Smtp-Source: AHgI3IY6YJ0eaw2tXYoTninzVjj4LHMwXXrQsXmv+RIBCJ5FWgBgirPxQHTBsSFT/Xjx2N9dLnICp8Bs043YE9XwR58=
X-Received: by 2002:a5d:959a:: with SMTP id a26mr11898713ioo.278.1549623462735;
 Fri, 08 Feb 2019 02:57:42 -0800 (PST)
MIME-Version: 1.0
References: <CAK_tfuYzoo7kVtZzis=eJqR4PRpVFeXC01YAGMqQV+2jjwLJ2A@mail.gmail.com>
In-Reply-To: <CAK_tfuYzoo7kVtZzis=eJqR4PRpVFeXC01YAGMqQV+2jjwLJ2A@mail.gmail.com>
Date: Fri, 8 Feb 2019 11:57:31 +0100
Message-ID: <CAK_tfubomBaiPUFKgt7SCWYVp+aLT=XjcL6vinmsYZ0TvCXF7A@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000084ef105815fd489"
Subject: pcre: shouldn't pass BAD_ESCAPE_IS_LITERAL by default
From: sjon@hortensius.net (Sjon Hortensius)

--000000000000084ef105815fd489
Content-Type: text/plain; charset="UTF-8"

Hi internals,

PHP enables bad_escape_is_literal by default when using pcre methods - this
results in invalid escape-patterns (such as \i) being interpreted as a
literal `i`. This option is documented in pcre as "a dangerous option. Use
with care" - and the pcre author raised concern about PHP enabling this by
default (see https://bugs.exim.org/show_bug.cgi?id=2362 ).

I agree and I'd like to propose to disable this in the next major version.
The existing modifier to disable this (X - PCRE_EXTRA) can be removed as
well. Would this require an RFC ?

Cheers,
Sjon

--000000000000084ef105815fd489--