Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
Date: Mon, 21 Jun 2021 23:53:40 +0100
To: Yasuo Ohgaki
Cc: PHP internals

On Mon, 21 Jun 2021 at 11:38 pm, Yasuo Ohgaki wrote:

> Hi,
>
> The name "is_trusted" is misleading.
> Literal is nothing but literal.
>
> <?php
> eval('$var= ' . $_GET['a']);
>
> if (is_trusted($var)) echo $var;
> ?>
>
> Literals cannot always be trusted.

That's explained in the RFC, under "Limitations" and "Faking it"…

"That said, we do not pretend there aren't ways around this (e.g. using var_export), but doing so is clearly the developer doing something wrong. We want to provide safety rails, but there is nothing stopping the developer from jumping over them if that's their choice."
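To make the RFC's intended use and the limitation raised in this exchange concrete, here is an added example (not code from the RFC or from either poster). It assumes the RFC's proposed is_trusted() function, which was never shipped in PHP, plus a constructed PDO/SQLite setup.

```php
<?php
// Added illustration for this thread, not code from the RFC or from either
// poster. Assumes the RFC's proposed is_trusted() (formerly is_literal(),
// never shipped in PHP): true only for strings written in source code, or
// built solely from such strings; false once runtime input is mixed in.

// Defensive gate: the query text must be literal, so user-controlled
// values can only enter through bound parameters.
function run_query(PDO $db, string $sql, array $params = []): PDOStatement
{
    if (!is_trusted($sql)) {
        throw new InvalidArgumentException(
            'query text must be literal; pass values as bound parameters'
        );
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Constructed sample database for the demonstration.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");

$id = $_GET['id'] ?? '1';   // runtime input: never literal

// 1. Literal SQL with the input bound separately: accepted by the gate.
$rows = run_query($db, 'SELECT name FROM users WHERE id = ?', [$id])->fetchAll();

// 2. Input concatenated into the SQL: the literal flag is lost, the gate throws.
try {
    run_query($db, 'SELECT name FROM users WHERE id = ' . $id);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 3. The case raised in the quoted message: eval() turns runtime data back
// into source code, so $var counts as literal again although it came from
// $_GET. The RFC files this under "Faking it": the gate cannot see through
// it, so the mitigation is to keep eval()/var_export() out of code that
// builds queries and to flag their use in code review or static analysis.
eval('$var = ' . var_export($id, true) . ';');
var_dump(is_trusted($var));
```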