Newsgroups: php.internals
Xref: news.php.net php.internals:104523
Date: Tue, 26 Feb 2019 13:50:12 +0000
User-Agent: K-9 Mail for Android
To: Nikita Popov
CC: PHP internals
Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons
From: rowan.collins@gmail.com (Rowan Collins)

On 26 February 2019 13:26:24 GMT+00:00, Nikita Popov wrote:

> I'm mentioning this, because it is a precedent for tweaking the string to string numeric comparison rules to prevent unexpected and possibly security critical equalities. I think we could add similar special handling for the "0eNNNN" == "0eMMMM" case, as this is another "catastrophic" case when it comes to comparisons of hashes that happen to start with 0e, for example.

That makes sense. Personally, I find the treatment of strings in this e-notation problematic in all contexts - it makes is_numeric() much less useful for validation, for instance - but realise we have to balance compatibility here.

> It might be better to discuss such a change separately from this proposal though (it's much more minor, and something that can also conceivably go into a minor version, given that the previous change was applied in a patch release).

I think keeping it to a separate RFC is fine, but it would be nice to target the same release. "We've made == safer" is something that we can shout about, even if it's composed of a bunch of small tweaks. It also gives one upgrade where people need to look for subtle breaks, rather than two.

Regards,

-- 
Rowan Collins
[IMSoP]
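Added example, not code from the thread or from any PHP RFC patch: a short PHP script that shows the "0eNNNN" == "0eMMMM" behaviour Nikita refers to, and the is_numeric() weakness Rowan mentions, next to the checks a defender uses instead. The digest strings and the function names (looseCompare, verifyDigest, isDecimalDigits) are constructed for illustration and are not from the mailing list.

```php
<?php
// Added example, not code from the php.internals thread. All sample strings
// below are constructed stand-ins for hex digests, not real hash values.
declare(strict_types=1);

// Both strings are numeric strings in e-notation (0 * 10^N), so PHP converts
// each of them to float(0) before comparing with ==. This is string-vs-string
// comparison, which the "saner string to number comparisons" RFC does not
// change; it only alters string-vs-number comparisons.
$storedDigest   = '0e1234567';   // constructed: stands in for a stored digest
$computedDigest = '0e7654321';   // constructed: a different digest

// The problematic pattern: loose equality on two digest strings.
function looseCompare(string $a, string $b): bool
{
    return $a == $b;   // numeric-string semantics apply here
}

// Hardened check: hash_equals() (PHP >= 5.6) compares the raw bytes in
// constant time and never applies numeric-string conversion, so two distinct
// "0e..." strings are correctly reported as different.
function verifyDigest(string $expected, string $actual): bool
{
    return hash_equals($expected, $actual);
}

// is_numeric() accepts e-notation, which is why it is a weak validator for
// fields that must hold plain decimal digits. An explicit character-class
// check states the intended format directly.
function isDecimalDigits(string $s): bool
{
    return preg_match('/^[0-9]+$/', $s) === 1;
}

var_dump(looseCompare($storedDigest, $computedDigest));
var_dump($storedDigest === $computedDigest);
var_dump(verifyDigest($storedDigest, $computedDigest));
var_dump(is_numeric('0e1234567'));
var_dump(isDecimalDigits('0e1234567'));
```

Run with php on the command line: looseCompare() reports the two different digests as equal, while both the strict === comparison and verifyDigest() report them as different; is_numeric('0e1234567') is true, whereas isDecimalDigits() rejects it. The practical mitigation for digest checks is therefore hash_equals() (or at least ===), regardless of whether the "0e" special case is eventually added to the engine.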