Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Deprecate Backtick Operator (V2)
From: nikita.ppv@gmail.com (Nikita Popov)
Date: Wed, 9 Oct 2019 10:11:17 +0200
To: Mark Randall
Cc: PHP internals
In-Reply-To: <5d976928.1c69fb81.db3a8.78daSMTPIN_ADDED_MISSING@mx.google.com>

On Fri, Oct 4, 2019 at 5:45 PM Mark Randall wrote:

> Hi Internals,
>
> I put forward the following RFC "Deprecate Backtick Operator (V2)" for
> discussion.
>
> https://wiki.php.net/rfc/deprecate-backtick-operator-v2
>
> I believe it is at least worth a discussion as to the pros and cons of
> deprecating this functionality, especially in light of the existence of
> better described and more well-known functions exhibiting identical
> behaviour.
>
> This RFC only covers the issuing of a deprecation notice, and its complete
> removal would be contained within a separate RFC.

My 2c on this proposal: I think the primary motivation for me here would be the security aspect...

On one hand, the existence of the backtick operator in PHP borders on criminal negligence, because it exposes the **single most dangerous** operation in the entire language in a way that looks innocuous, is easy to confuse with a string literal and that the majority of PHP programmers are not aware of. This looks like a great way to slip a nice RCE vulnerability past code review ;)

On the other hand, I have seen no evidence of backticks actually causing security issues in practice. I guess it doesn't because it's not a feature you'll end up using accidentally, and it does not seem like attempts at inserting backdoors into open-source projects by 3rd party contributors are common.

Is anyone aware of specific security incidents that can be attributed to the backtick operator?

Meta: Wow, do we really need to drag every single discussion that contains the word "deprecation" up to the meta level? This is a really simple proposal, with a very limited set of arguments for and against. I hope we can consider the proposal on its merits (or non-merits) rather than turning it into some kind of proxy war. Yes, "it breaks backwards compatibility for questionable benefit" is an argument against this proposal, it is even a *very good* argument against it, but it's also no mandate to shut down the discussion entirely.

Nikita
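The review-evasion point made above (the backtick operator behaves like shell_exec() but reads like a string literal) can be turned into a concrete code-review check. The following is an added example, not code from the thread or from the PHP project: it uses PHP's own tokenizer to list every backtick expression in a source file, so a reviewer does not have to rely on spotting the characters by eye. The function names findBacktickExpressions and reportBackticks, the file name sample.php and the sample source are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): a code-review aid that locates every use
// of the backtick operator in PHP source via the tokenizer. `...` is equivalent
// to shell_exec() but looks like a string literal, so it is easy to miss in
// review; the explicit function call at least carries a name you can grep for.

/**
 * Return a list of [line, expression] pairs, one per backtick expression in
 * $source. The lexer emits a bare '`' string token at each end of the
 * expression; the tokens between them (T_ENCAPSED_AND_WHITESPACE, T_VARIABLE,
 * ...) form its body.
 */
function findBacktickExpressions(string $source): array
{
    $hits = [];
    $inBacktick = false;
    $body = '';
    $line = 0;
    foreach (token_get_all($source) as $token) {
        if ($token === '`') {
            if ($inBacktick) {
                // Closing backtick: record the finished expression.
                $hits[] = [$line, '`' . $body . '`'];
                $body = '';
                $line = 0;
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!$inBacktick) {
            continue;
        }
        if (is_array($token)) {
            // Array tokens are [id, text, line]; the first body token gives the line.
            if ($line === 0) {
                $line = $token[2];
            }
            $body .= $token[1];
        } else {
            // Single-character tokens (e.g. '{' '}') have no line info.
            $body .= $token;
        }
    }
    return $hits;
}

/** Print a review report for one file; returns the number of findings. */
function reportBackticks(string $path, string $source): int
{
    $hits = findBacktickExpressions($source);
    foreach ($hits as [$line, $expr]) {
        printf("%s:%d: backtick operator (runs a shell): %s\n", $path, $line, $expr);
    }
    return count($hits);
}

// Constructed sample source (not real project code). Line 3 is the form that
// slips past review; line 4 does the same thing under an explicit, searchable
// name with escapeshellarg() applied to the untrusted argument. Line 5 is a
// plain double-quoted string: it tokenizes as T_CONSTANT_ENCAPSED_STRING and
// is therefore not reported.
$sample = <<<'PHP'
<?php
$dir = $_GET['dir'];
$listing = `ls -la $dir`;
$same = shell_exec('ls -la ' . escapeshellarg($dir));
$literal = "`not a command`";
PHP;

reportBackticks('sample.php', $sample);
```

Running this over a real tree is a matter of looping reportBackticks over the .php files you want to review; because it works on tokens rather than regular expressions, backticks that appear inside ordinary strings or comments are not flagged, which keeps the report limited to actual shell executions.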