Newsgroups: php.internals
Xref: news.php.net php.internals:106465
From: bishop@php.net (Bishop Bettini)
Reply-To: bishop@php.net
Date: Thu, 8 Aug 2019 21:46:12 -0400
To: Zeev Suraski
Cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecate PHP's short open tags, again

On Thu, Aug 8, 2019 at 3:35 PM Zeev Suraski wrote:

> On Thu, Aug 8, 2019 at 9:10 PM Bishop Bettini wrote:
>
>> On Tue, Aug 6, 2019 at 7:34 AM G. P. B. wrote:
>>
>> > The voting for the "Deprecate short open tags, again" [1] RFC has begun.
>> > It is expected to last two (2) weeks until 2019-08-20.
>> >
>> > A counter argument to this RFC is available at
>> > https://wiki.php.net/rfc/counterargument/deprecate_php_short_tags
>>
>> If anyone needs to justify the effort, let them say "> hole".
>
> It's a security hole in the exact same level that httpd.conf is a security
> hole. Yes, misconfiguring your Web server can have severe consequences.
> Thankfully, it's not nearly that big of a Thing for us to be concerned
> about.

No, not even close to the same level.

If my web server's misconfigured, (ALL) of my code's exposed. It's trivial to write a test to prove that my web server is properly serving PHP files.

But if PHP's misconfigured, (all OR some OR none) of my code's exposed. The only way to decide is to literally check everything. That's why I highlighted Robert Korulczyk's case study: only a particular code path in a particular environment had the problem.

The status quo enables deployments to fail insecurely.
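
Added example, not part of the original message or the RFC: a heuristic Python scan that models how PHP reads a template when short_open_tag=Off and reports each `<?` block that would be sent to the client as text. The function name and the sample template are constructed for illustration.

```python
import re

# Openers PHP recognises regardless of short_open_tag: "<?php" and "<?=".
ALWAYS_OPEN = re.compile(r"<\?(?:php(?=\s|$)|=)", re.IGNORECASE)
# A bare "<?" that is neither of those nor an XML declaration.
SHORT_OPEN = re.compile(r"<\?(?!php(?:\s|$)|=|xml\b)", re.IGNORECASE)


def leaked_short_tags(source):
    """Return [(line, text)] for short-tag blocks that PHP would send to the
    client as literal output when short_open_tag=Off."""
    findings, pos = [], 0
    while pos < len(source):
        opener = ALWAYS_OPEN.search(source, pos)
        html_end = opener.start() if opener else len(source)
        # With the setting Off, source[pos:html_end] is emitted verbatim.
        for m in SHORT_OPEN.finditer(source, pos, html_end):
            line = source.count("\n", 0, m.start()) + 1
            eol = source.find("\n", m.start())
            text = source[m.start():eol if eol != -1 else len(source)]
            findings.append((line, text.strip()))
        if opener is None:
            break
        # Skip the PHP block. Heuristic: a "?>" inside a string literal or
        # block comment is treated as the closing tag.
        close = source.find("?>", opener.end())
        if close == -1:
            break
        pos = close + 2
    return findings


# Constructed sample template, not taken from the thread.
SAMPLE = """<?php require 'config.php'; ?>
<html>
<? $db = connect($dsn, $user, $password); ?>
<p><?= htmlspecialchars($title) ?></p>
<?php if ($admin): ?>
<? include 'admin_panel.php'; ?>
<?php endif; ?>
</html>
"""

if __name__ == "__main__":
    for line, text in leaked_short_tags(SAMPLE):
        print(f"line {line}: would be served as text: {text}")
```

Only lines 3 and 6 of the sample are flagged, so a test that requests the page and sees PHP executing on line 1 would not reveal the problem.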