Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:105448
Return-Path: <chasepeeler@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74141 invoked from network); 25 Apr 2019 19:07:54 -0000
Received: from unknown (HELO mail-lf1-f53.google.com) (209.85.167.53)
  by pb1.pair.com with SMTP; 25 Apr 2019 19:07:54 -0000
Received: by mail-lf1-f53.google.com with SMTP id v1so189926lfg.5
        for <internals@lists.php.net>; Thu, 25 Apr 2019 09:08:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=PGkwONyxhlhZJe6tacrIeDfGKKyGV8lg33jGfbrGd4Y=;
        b=BITp1TtaKsFFR/bX2EAUV4FmdlOXWjol14fykTc3EFeDeNrmjwpzRbcP/aeQXWrHeK
         /OHx5GYPrqg6RK78PyD6TthZNQte1nsD/8CnjTNis+0XjPDWQptIIFPJDtbeTgGJ0C53
         O6hZnYJROowGJIZNizDGSmtKNWNDFjbLavPHVb2TXgFA8l+fkfWcwZAdvRFFJV/63kTK
         r/9ILAkZ9PE6Ccd52bmjchVMEiOWLHZDSCj9EgnMAgve+T7UKlJt7+vOckrnYkfW9ku6
         vTZqKCMqeNH2BlHjMphc8u0RRx4LKb8UPRdrFjMneZb/jBuwGt8FMw3PFG/3W4fiEm8k
         uluw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=PGkwONyxhlhZJe6tacrIeDfGKKyGV8lg33jGfbrGd4Y=;
        b=Og3SpzxhMflLorq4Z1c8owcLZRHiUfH2IFlfIbJpekzCeztt0jjgGV+V22CteeTpMc
         BE6k71rj18VoDofKHi0+s93ll21w8h4P9cH6bcehM4q4fFnGvDPvjikSWhBvWrnB5RMq
         RF2ZwuNU0WGdwbArlaewdNZJJhG+fqa9UcmPIOSzsDuwjS3Pn4CNDDWscyjjXoRkUP6C
         9XuozyOk1Fr/o3rm2gK+tWSm2smbMTSa0Mz0ltpV55UkczrOgkoDdKf0OUbf3JXrY0iy
         l3HCEkWP5SKJ6TK0Nr4TNVlSh/x7HG0Jd4zW0BghJe7Tw2nbeheWsg0o9ec4fvonS3XL
         1u0g==
X-Gm-Message-State: APjAAAVABCUGDQDk6welfZljPw4Lq0CmxqHDxaQSU1vj0X69ReY+pdmV
	fAhnnI7pUJD/SyrnOI0a26tH1lIL0cMhxPV/V8I=
X-Google-Smtp-Source: APXvYqzhN+tzUCzR4863KQ3Mi8XkmmbGOU91Z8j3ZQlKNBn4vTfxC/PPT5w8f3qRM0KKfhqriM9n5ZMe0NCBhaeRwlg=
X-Received: by 2002:a19:c38d:: with SMTP id t135mr21169042lff.164.1556208529216;
 Thu, 25 Apr 2019 09:08:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAF+90c-dXndgoPr6GfYsY3gudD3wEhL7YVx=pR=5SUjo2_7_WA@mail.gmail.com>
In-Reply-To: <CAF+90c-dXndgoPr6GfYsY3gudD3wEhL7YVx=pR=5SUjo2_7_WA@mail.gmail.com>
Date: Thu, 25 Apr 2019 12:08:37 -0400
Message-ID: <CAPKYkKzvXap37fUN-_0vPuF7MB72DgE9w+8fkdaZ+xpg7PDT7g@mail.gmail.com>
To: Nikita Popov <nikita.ppv@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000094988d05875d08e6"
Subject: Re: [PHP-DEV] Alternative approach to short tags deprecation
From: chasepeeler@gmail.com (Chase Peeler)

--00000000000094988d05875d08e6
Content-Type: text/plain; charset="UTF-8"

A lot of this will echo what other people have said. As someone that has
been very vocal on the other thread (both before and after the vote) I felt
I should comment as well. I definitely appreciate Nikita for taking the
time to propose a compromise/alternate solution.

On Thu, Apr 25, 2019 at 3:15 AM Nikita Popov <nikita.ppv@gmail.com> wrote:

> Hi internals,
>
> As already discussed in the corresponding voting thread, the deprecation of
> short tags as proposed has a high risk of causing inadvertent source code
> leakage. The RFC proposes to change the default of short_open_tag from On
> to Off in PHP 7.4. Any website using short_open_tags without explicitly
> enabling it (relying on the default) will leak source code unless proper
> precautions are taken before switching to PHP 7.4.
>
> Disregarding the question of whether short tags should be removed at all
> (let's keep that question in the other thread), I do think we need to
> reconsider the deprecation approach. In particular, I would like to
> propose:
>
> In PHP 7.4:
>  * The default value of short_open_tag remains as is and enabling
> short_open_tag does not generate a deprecation warning (otherwise PHP would
> warn in a default config).
>
If the goal is to eventually remove support for short open tags and/or
change the default value of this configuration option, I think you DO need
to generate a deprecation warning if the ini option is enabled (whether
explicitly or by default). A deprecation warning is meant to tell the user
"We'll let you keep doing this for now, but in the future, you won't be
allowed" - I guess, technically, deprecation warnings reference things that
will be removed, not changed, but since we don't have a 'pending change'
notice, I think a deprecation notice would suffice. We are deprecating the
current behavior.

I'm split on whether the notice should be provided based on just having the
option enabled (explicitly or by default) or whether encountering a <?
should also be necessary. My argument for basing it on the configuration
only would be that some people might have some code that isn't executed
very often and might never get the notice as a result - or get it so rarely
they overlook it.

>  * If short_open_tag is enabled: The first use of <? generates a
> deprecation warning. (Potentially every use could throw a deprecation, but
> generally, if <? is used, it's used a lot and this would cause a lot of
> noise in the error log.)

Given the fact that this could quickly flood logs and make them unusable, I
think a single notice per execution makes sense. If it's config file only
based, then it would only generate one to begin with.

>  * If short_open_tag is disabled: <? is considered normal text.
>
Which is the current behavior and is fine.


> In PHP 8.0:
>  * The default value of short_open_tag remains as is and enabling
> short_open_tag does not generate a deprecation warning or error.
>  * If short_open_tag is enabled: Any use of <? generates a compile error.
>  * If short_open_tag is disabled: <? is considered normal text.
>
> I'm OK with that.


> At a later point in time:
>  * The short_open_tag option is removed.
>  * <? is always considered normal text.
>
It would probably need to be PHP 9 where this happens - but I think with
proper warnings and the fail-safe you've introduced, that would be the
appropriate place to do so.


> The advantage of such an approach would be that no source code leakage
> could occur when switching to PHP 7.4 or PHP 8.0. The disadvantage is that
> we'll only be able to fully remove short tags support at a later point in
> time.
>
> While I personally wouldn't like such an accelerated timeline, I don't
think it would be the worst thing in the world to make your 8.0 changes in
7.4, and then the "later point in time" changes in 8.0. That would at least
be better than the current solution as it would prevent code leaks.


> Thoughts?
>
> Regards,
> Nikita
>

While one of the main areas I focused on in the other thread was the fact
that the additional work that would be required by these changes could
prevent people from upgrading in a timely manner, that wasn't actually my
biggest concern. That's where the discussion usually ended up due to the
fact that most responses just said "it's easy to make the updates." The
potential for code leaks actually concerned me more. I think the above
proposal addresses that well.





-- 
Chase Peeler
chasepeeler@gmail.com

--00000000000094988d05875d08e6--