Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:114956
Return-Path: <weirdan@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6852 invoked from network); 18 Jun 2021 14:30:31 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 Jun 2021 14:30:31 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 2409C1804CC
	for <internals@lists.php.net>; Fri, 18 Jun 2021 07:47:45 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <weirdan@gmail.com>
Received: from mail-io1-f43.google.com (mail-io1-f43.google.com [209.85.166.43])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 18 Jun 2021 07:47:44 -0700 (PDT)
Received: by mail-io1-f43.google.com with SMTP id o5so5504218iob.4
        for <internals@lists.php.net>; Fri, 18 Jun 2021 07:47:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=AvPPih7DmxSTroKdQwqsWjVi/TZVaG8YKRK9oADmsUU=;
        b=qj9tLDUlYOXFjVVNXr8QPYtFnQDYvuUXhOlbDVywz4V+V6Rlm6uyO31BDJg1M0rw2B
         nh+QNgrNC0JcFhmRY/ATiovRAY3Y9uCiJm3Et+xRxpJOFnL+Midr2mvDleGUjymha7dX
         VOut2JWyJGcC49jIqXyrmGjr6F/UjqMjiP5DVUO6zqzfY8CWQEsny9+4ZhJaTVLhJxKB
         G3MEzF3fdWSXPIm45JVebcPvyTn6IBYnQfQD2HXcdxLkQoSR7QT8fqj9kFXyXul8pd24
         AU8jim0BaZH++5cU/Ea3PW75Z1fc7VcgAkTEV6yDYtLjiK7rvRLll2SLCQT46wjYawj8
         RQdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=AvPPih7DmxSTroKdQwqsWjVi/TZVaG8YKRK9oADmsUU=;
        b=N7ttxdXk5nem01+kxoNJIxBayFhkXWHvn3MhdQnTjFXfzYKt+HBu7rsUQorwe7qPyE
         WwUs36rp4msqZ1wSQSRc6I7Nrl5Xv6LC6P1haDGY3b5e9wSS4DJPKCkMP3pk3EViwKhF
         oVFwOqn2p4EEfRq+By09VvRD5z0A/iUhi7lXJBUN33Dto7vbD+QE6pmJNuZDGgt4ZDVX
         VO3unv+SSlYXB7GMKr4wFnDti0YA6fXe881WzrMdg7JfEX3wazAjQzZY0hHPASQPYuLU
         3xAP2/2Des9SOu8wkvm6gCvFimIWt6U4wzZK2TuIoyYPoQ50LocW3MA424TBJgxxZRU8
         AprA==
X-Gm-Message-State: AOAM531NGoUkuJzzSxTgZfPqKNsmQly3QdZvy/1dea4VB1oszCMFh7JE
	7s7pIdgasWQsSbXcwXJbbuQSGSNCaazRRGqtZwU=
X-Google-Smtp-Source: ABdhPJw4IXCJDs5OTqwf591Ixpdzh6a7wBw4OIOMUZ9adRv8HzujKV2gIo8MC55YG3ukIUBaCHEW6HJywJsvzhEafi0=
X-Received: by 2002:a6b:ef07:: with SMTP id k7mr8601428ioh.16.1624027663134;
 Fri, 18 Jun 2021 07:47:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+F-7F7o6va5wCrojKe+Uysx2Ec3H4yV_mUZYEyNm3MkdQ@mail.gmail.com>
 <CAFv4g+GYwH-nQ8bLGbm=ThARghGUG5hMpw7W5SjMnSPMTom7+g@mail.gmail.com>
 <CAFv4g+GA9y62phk1TB8Z9EakpAXwmOa5pGxT1pdBVZwkCNxsVA@mail.gmail.com>
 <f9c70ab3-3218-6fc0-06b3-4041f3f78cd4@processus.org> <CAC5V6gi_U-ZHHbYj_MvOw_ifp5hCwnQt6+A3pmS==UDAKO74Yw@mail.gmail.com>
 <d221707f-7382-479e-6752-d9661f79a303@processus.org> <CAFv4g+FULOqtzJk20p6a_tBWZMOpLJEhyrwn95hGUTrWwOMC2A@mail.gmail.com>
In-Reply-To: <CAFv4g+FULOqtzJk20p6a_tBWZMOpLJEhyrwn95hGUTrWwOMC2A@mail.gmail.com>
Date: Fri, 18 Jun 2021 17:47:16 +0300
Message-ID: <CA+hqhpe9xf6=F0X0oeUw1mP9sotax0365gJoDbEqRb9e1YOP_w@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: Pierre <pierre-php@processus.org>, Guilliam Xavier <guilliam.xavier@gmail.com>, 
	PHP Development <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] Re: [RFC] is_literal
From: weirdan@gmail.com (Bruce Weirdan)

On Fri, Jun 18, 2021 at 4:53 PM Craig Francis <craig@craigfrancis.co.uk> wrote:

> While philosophically more pure, there is actually no extra security
> benefit for excluding integers.

One would be potential denial of service prevention (e.g. with enormous `LIMIT`
value where only a limited set of ints was intended, like
"Items per page: 10, 20, 50, 100"). Another would be preventing abuse if you
used some integers like role IDs for access control. Using slightly
modified Matt's example:

```php
    function f(array $allowed_ids) {
        //....
        $query .= 'WHERE `foo` IN (' . implode(', ', $allowed_ids) . ')';
        //....
    }
```

Here you really *don't* want $allowed_ids to include user input.

Overall I think allowing ints in literal concatenation without
tainting the result as non-literal
is a mistake. It would either prevent implementing proper literal int
type in future, or will make
it inconsistent (where non-literal int would be considered literal by
`is_literal()` for BC reasons).

Personally I would prefer limited applicability today that would not
prevent future consistent
implementation.

BTW, Psalm already distinguishes `literal-int` from `int` and
considers the result of
literal-string + int concatenation a non-literal string:
https://psalm.dev/r/59ad602688
This may mean that Matthew's point has been misinterpreted.

-- 
  Best regards,
      Bruce Weirdan                                     mailto:weirdan@gmail.com