Newsgroups: php.internals
Date: Thu, 8 Aug 2019 22:35:30 +0300
From: zeev@php.net (Zeev Suraski)
To: bishop@php.net
Cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecate PHP's short open tags, again

On Thu, Aug 8, 2019 at 9:10 PM Bishop Bettini wrote:

> On Tue, Aug 6, 2019 at 7:34 AM G. P. B. wrote:
>
> > The voting for the "Deprecate short open tags, again" [1] RFC has begun.
> > It is expected to last two (2) weeks until 2019-08-20.
> >
> > A counter argument to this RFC is available at
> > https://wiki.php.net/rfc/counterargument/deprecate_php_short_tags
> >
> > Best regards
> >
> > George P. Banyard
> >
> > [1] https://wiki.php.net/rfc/deprecate_php_short_tags_v2
>
> when Facebook's source code leaked precisely because of this [1]?
>

Where's the evidence that it was precisely or even remotely because of this?
Literally all of the PHP code leaks I've come across over the years had to do with a misconfigured Web server - e.g., load Apache without properly setting up handling for .php files, or having things like .inc files not blocked from HTTP access.

As we deprecate short_tags, should we consider deprecating all SAPIs, and roll our own high-performance Web server into PHP? That's the only way to truly do away with the main vector for PHP source code leakage.

>
> Much has been said about this being a "portability" issue. I think that's
> overly specific. The core issue is "fallibility". You can globally
> configure the language to stop recognizing itself as a language. That's
> weird and unexpected. So much so, that no one gives due thought to this,
> and we end up with security disasters.
>

Except these are so uncommon and rare (I'm not aware of a single one, which doesn't mean there weren't any - but that they're not very common at all), that perhaps, just perhaps, it's a bit of an exaggeration to present them as a clear and present danger.

> PHP.net has opined, for years, that It's time to act. So much
> else breaks at the 8.0 boundary, let's do it all at once.

The "we're breaking things so badly anyway, let's break'm some more" argument has been refuted many times on this list. First, I don't think we're breaking anything really badly in PHP 8. And secondly, this remains as bad a reason as it's ever been to break stuff. Breakage is not binary - it accumulates. The more you have of it - the more difficult it is to migrate, and the slower is the migration.

> If anyone needs
> to justify the effort, let them say "

It's a security hole in the exact same level that httpd.conf is a security hole. Yes, misconfiguring your Web server can have severe consequences. Thankfully, it's not nearly that big of a Thing for us to be concerned about.

Zeev
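
A pre-deployment check for the two source-disclosure conditions argued over in this message (code behind a bare `<?` being emitted as text when short_open_tag is off, and files such as .inc that the Web server does not hand to PHP), as an added example that is not part of the original email. The handler mapping, file names and file contents are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# "<?" not followed by "php", "=" or "xml": PHP treats it as code only when
# short_open_tag=On; with the setting Off the block is sent to the client as text.
SHORT_TAG = re.compile(r"<\?(?!php\b|=|xml\b)", re.IGNORECASE)
# Tags that are always recognised, whatever short_open_tag says.
FULL_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Assumption: the Web server maps only these extensions to the PHP handler.
HANDLED_EXTENSIONS = {".php"}


def audit(files):
    """files: mapping of path -> source text.
    Returns a sorted list of (path, line, reason); line 0 means whole file."""
    findings = []
    for path, text in files.items():
        has_code = False
        for number, line in enumerate(text.splitlines(), 1):
            if SHORT_TAG.search(line):
                has_code = True
                findings.append((path, number, "short-open-tag"))
            elif FULL_TAG.search(line):
                has_code = True
        ext = PurePosixPath(path).suffix.lower()
        if has_code and ext not in HANDLED_EXTENSIONS:
            # Served as a static file unless the server blocks or handles it.
            findings.append((path, 0, "unhandled-extension"))
    return sorted(findings)


# Constructed sample tree (not taken from any real project).
SAMPLE = {
    "web/index.php": "<?php\nrequire 'db.inc';\n?>\n<h1><?= $title ?></h1>\n",
    "web/legacy.php": "<html>\n<? $secret = 'constructed'; ?>\n<?php echo 1; ?>\n",
    "web/db.inc": "<?php\n$dsn = 'constructed';\n",
    "web/feed.php": "<?xml version=\"1.0\"?>\n<?php echo $items; ?>\n",
}

if __name__ == "__main__":
    for path, line, reason in audit(SAMPLE):
        print(f"{path}:{line}: {reason}")
```
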