Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105446 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 7400 invoked from network); 25 Apr 2019 14:21:13 -0000 Received: from unknown (HELO mail-ua1-f45.google.com) (209.85.222.45) by pb1.pair.com with SMTP; 25 Apr 2019 14:21:13 -0000 Received: by mail-ua1-f45.google.com with SMTP id n16so7100198uae.10 for ; Thu, 25 Apr 2019 04:22:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=c5VcUPjRFKEfbrvr8GOKQOsKJ5OzCOMFKk5XZofU1Jk=; b=L87zOig2s14D2oohAOUUPoQ5coQEUFpr81/w4aVr/Q7Q8fUIbJVuUa0OhAn/+FsoVP 2eG0bOh2aYO4URveod2wDYENKbhkgOr4SD2aNlUBkbqSTUh/45/WwkBZLk3Gd4S5egf3 qVkZyBF+Tn0XZlkcmOqmGJpXVFvvy7NN3HfFhwJJQBkLpfF4L4r+zEHlRmUeZ31dDOCr VxKnhAoRpIj1LuM3lPfqK/ToN7iBRw+I2qdSZRWW27X41koQ5lymfuFNrM+cmoQM56/C XPeSw0MpmotHbsQhYSDDDh3b5p1RONOywZ/Uo+b9mjYhSUelrkR+fc6eh4vBd3xwrelF Q4bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c5VcUPjRFKEfbrvr8GOKQOsKJ5OzCOMFKk5XZofU1Jk=; b=UK0SZ6unAsa1SjjQahD3VMpvfPIVaJBTU+tIPr6ItgcVq08Y/LbZPM7W2V9ooLKTCF ZsOIt4EeZtQmg7zUu4JLJAUBeBkcDdngFyAw1QXMldFw+WtaZBPvD/Ns1cvidcPU9lFo Dg5D2NMF+zO8Unr+RcOQKkIHWa3Er5a3uUUhhtXcwoZw58D9PwuAfN3ljuzwlzSJjCZh 8/mOW+XywEpKly1N5HONzG08+VTrMloArIAGlitAZvq3/Hgsr6DFq1mKMUCHGV9eYHdM Frr+wcWPyhXlis88rw1vwX3xWzYvQZLYBafAK/Gwn0w1HO9Acje1loueOmAbo6Xa67aG rtzw== X-Gm-Message-State: APjAAAU24IKaQilmqNUooAnAcen4Ve13ZMAptN5mR6P1tHxuCj7EVeJk CNHurGedyuowamAx6+lENYNSDYgc9bOaroEUEO1XK/fZ X-Google-Smtp-Source: APXvYqyimagukEWqV1cDvxatmG9rJ64MVnvGcUgJUgeB9oU7RyMetMURuL1ZtuLHgzSdIqCIAmQz/N6wSxhB2X6VzFc= X-Received: by 2002:ab0:2247:: with SMTP id z7mr4733392uan.18.1556191325360; Thu, 25 Apr 2019 04:22:05 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 25 Apr 2019 13:21:09 +0200 Message-ID: To: PHP internals Cc: bishop@php.net, Nikita Popov , markyr@gmail.com Content-Type: multipart/alternative; boundary="0000000000002695c605875907f7" Subject: Re: [PHP-DEV] Alternative approach to short tags deprecation From: george.banyard@gmail.com ("G. P. B.") --0000000000002695c605875907f7 Content-Type: text/plain; charset="UTF-8" On Thu, 25 Apr 2019 at 09:15, Nikita Popov wrote: > Hi internals, > > As already discussed in the corresponding voting thread, the deprecation of > short tags as proposed has a high risk of causing inadvertent source code > leakage. The RFC proposes to change the default of short_open_tag from On > to Off in PHP 7.4. Any website using short_open_tags without explicitly > enabling it (relying on the default) will leak source code unless proper > precautions are taken before switching to PHP 7.4. > > Disregarding the question of whether short tags should be removed at all > (let's keep that question in the other thread), I do think we need to > reconsider the deprecation approach. In particular, I would like to > propose: > First of all thanks for tackling this as it seems a lot of issues are arrising *now* instead of during the discussion/voting phase. In PHP 7.4: > * The default value of short_open_tag remains as is and enabling > short_open_tag does not generate a deprecation warning (otherwise PHP would > warn in a default config). > * If short_open_tag is enabled: The first use of deprecation warning. (Potentially every use could throw a deprecation, but > generally, if noise in the error log.) > * If short_open_tag is disabled: As I said on the PR implementation I am totally okay to leave the current default as it is. In PHP 8.0: > * The default value of short_open_tag remains as is and enabling > short_open_tag does not generate a deprecation warning or error. > * If short_open_tag is enabled: Any use of * If short_open_tag is disabled: In my mind I do think that making the default change in PHP 8 would be better but what do I know. > At a later point in time: > * The short_open_tag option is removed. > * > The advantage of such an approach would be that no source code leakage > could occur when switching to PHP 7.4 or PHP 8.0. The disadvantage is that > we'll only be able to fully remove short tags support at a later point in > time. > > Thoughts? > > Regards, > Nikita > I do not mind the timeline to be significantly altered as I said in one of my emails during the initial discussion for the RFC. On Thu, 25 Apr 2019 at 11:27, Bishop Bettini wrote: > Respecting your proposal, I feel warning those who explicitly enable > short_open_tag is good, because such usage is now officially deprecated. > But not warning those who both use they are the users in the trap. They'll keep moving along accepting the > status quo, potentially unaware that removal is planned, until "at a later point in time" their code stops > running and instead starts being output. So, not warning them is just > delaying the inevitable, is it not? > > I'd suggest therefore an amendment to your proposal, targeting 7.4: > simultaneous usage of "Use of Such code installations will be forced to either (a) update their code to > behavior. Whichever is least painful for them right now (*). > > This amendment effectively removes any usage of say at a later point in time, remove the configuration option and token > parsing of RFC, while addressing the exposure-of-code security concern in the near > term. > > bishop I really like this approach to signal intent in using the short_open_tag config As this means people opting in are fully aware of the fact that it is now deprecated. On Thu, 25 Apr 2019 at 12:38, Mark Randall wrote: > (Also: Did I miss a vote option which would have made short_open_tags > always on?) > No you didn't, I did not propose this voting choice. Best regards George P. Banyard --0000000000002695c605875907f7--