Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:107863 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 59735 invoked from network); 26 Nov 2019 18:21:29 -0000 Received: from unknown (HELO php-smtp3.php.net) (208.43.231.12) by pb1.pair.com with SMTP; 26 Nov 2019 18:21:29 -0000 Received: from php-smtp3.php.net (localhost [127.0.0.1]) by php-smtp3.php.net (Postfix) with ESMTP id 2626B2CEF03 for ; Tue, 26 Nov 2019 08:16:11 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp3.php.net X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS3215 2.6.0.0/16 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp3.php.net (Postfix) with ESMTPS for ; Tue, 26 Nov 2019 08:16:10 -0800 (PST) Received: by mail-ua1-x933.google.com with SMTP id s14so5864618uad.2 for ; Tue, 26 Nov 2019 08:16:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SJSOK2b27K0Foq0a6U75FMngTTgK1zLhb/E0IWvU9nc=; b=qKFqh38Tv60Sd1B4mkow5cshMJYi4AlQFz9n/O0Xry2zz82OVueihf2zHiTKeEglG7 SSW8I/Kh7YXfNnyjqbfC4m6DlEhaeW0AcIUNpD+R32l3qHfoB7Oj9tQj90KOvJ4enqxU 0QSX9TfW02VydzNHTrAn24J8EIwsRT1ibxBV1ypmYjwYrMOwklcpvmYX848Jgmd1unPn IzmHJusqt9xozPmb0v4CCys8gs4+yxlfQJqC5NBwaiayBgxFDWLL8NdqxuWLqhHI4y5B uM9IFgQhTeLGdse3qVs+6VHvr1TNSVV1qTQ66xnCSeDkLkwNOcnZWk3gV1Co7kiUIO2b LD0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SJSOK2b27K0Foq0a6U75FMngTTgK1zLhb/E0IWvU9nc=; b=JlOSFQZXqClZsvB+gom59pxHICX8y4sjvXqHbz/OHeTvzPF+cJpU+BMCBQENj4Tnpj htrw1DL9bsmClDB+tEgjsFk7xV/Y1hp5hOqcoK60MbhsjVJnkZnEQB1LVJ68MXvnT6j5 eVZdxvxu24061fGlKw+Im0084z9KV90CvAnCODsTWmDjvVJjHayQT8r4d643zPLTy1/g U3Jw7L7+c+9o5n8K8EyjE88GnEwV8tMBQyIob9IJ84T9V+goPQ+/vjN182yZpKX/Gwx/ 3EL9bqu3K3JnRLd8BnAykXrGzpeIooS/tkP9DAB6Dbxx6wqkbjP4+T/1TTGBIkXzS0EC FpEA== X-Gm-Message-State: APjAAAXVfsdo7k7X+PvS2x60qsq0mITOWTlIfjfo2DQfysYpuXflUToE clOdZuLD+JlVLfQQQljPLrSObaHlc8VPfPJ+LEEOpHRzsOw= X-Google-Smtp-Source: APXvYqwY31IYz6m+G0hVLv+ZEdnQUODHunoVXghAIxH0fbcecTEOpdFwpxS2Cgzl1l40WAEaSEaLBGn8GSFTczKDTPg= X-Received: by 2002:ab0:3399:: with SMTP id y25mr22122369uap.100.1574784969580; Tue, 26 Nov 2019 08:16:09 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 26 Nov 2019 10:15:58 -0600 Message-ID: To: internals@lists.php.net Content-Type: multipart/alternative; boundary="000000000000b5ab0c05984232a1" X-Envelope-From: Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8 From: iansltx@gmail.com (Ian Littman) --000000000000b5ab0c05984232a1 Content-Type: text/plain; charset="UTF-8" Looks like PHPUnit only uses eval() for mock objects, and Twig only uses it as a last line of defense for building templates. Still breakages, but not of the entire packages (at least those packages) from what I can see. That said, I agree that eval() should stay enabled by default, as too much breaks if we did the opposite. That way, folks can opt into a hardened environment (at least in this respect) once they've determined that doing so won't break their software. On Tue, Nov 26, 2019 at 10:01 AM Ken Stanley wrote: > > So long as the default behavior is to leave it available, I'm okay with > this. Any app > that relies on twig/twig, phpunit/phpunit, many symfony packages, > dompdf/dompdf, > etc relies on being able to use eval(). > --000000000000b5ab0c05984232a1--