Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115132 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 29582 invoked from network); 24 Jun 2021 20:06:52 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 24 Jun 2021 20:06:52 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 532A51804D8 for ; Thu, 24 Jun 2021 13:25:39 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 24 Jun 2021 13:25:38 -0700 (PDT) Received: by mail-vk1-f181.google.com with SMTP id n131so1603578vke.1 for ; Thu, 24 Jun 2021 13:25:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=basereality-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DXrRV26X1XoCpbQY0Pl/bEswO9zRVQ1kzpaVf6iEKZQ=; b=mg/edtN7/FMg7HgbNNGWym8PsxaZXivQiNlEW1ttf100aVavllb4H4zgTiM4EENhjn oU5MJhjz8YjB29+COCH8NX0bwjCugsFxKh0nnuD6XIYN+jtHK1vZoqbWjVe8Oox7jTu+ ZbmwPVmkJl2E8LIDtyBxxktzwbdXE5aOMDxhHvdmhXy/WNstUWyCos2SDVk+oIWLGkYv l0SFvRGKQFg44RWwofmssWRMrYgHGmZmLzeJNvzV4gHy5bHyR4x75FgDK5uVhLVo1tZO 7+Fi3e5JqVOPh3KRDf0St+mVTrlnPFpbSzYlU/Txi3FilwzIr5LyxAdxs0PQNG1oqPjV 0w+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DXrRV26X1XoCpbQY0Pl/bEswO9zRVQ1kzpaVf6iEKZQ=; b=qtCexUD1lTG9lhnnrGE2+DZ23Zyr3M6tnu0AGX4uMLsJ0sjsl1fU+yffacxwSg7UfQ yXNg9AVUUfBxM5yBSI6T2DDw2ExN60EfGIK91bFgLvoawLcULvKK18DCrDN/SqQktd6h 5r8wa6VeNg/fOwa0C3sHTu3t42YjoL4VrZPTyoSEaNS961JwnuLBemmIKlt91pKetkvu PL0yFj3REyAxEMd1XziKbLbS9m++X1aMfUMLCmuoArCL/91F4UiBzPLdBmLIo+43l8WQ Fl/+PPfzHzJ26DIqDxcoBaw6gYpUzqZ1E9vk7TsoHCGzrZnXDvTvnFeduhjEIeeMUhGH uIjg== X-Gm-Message-State: AOAM531EeJDNB3Xy3Z4KsYjp3ymXbRxuzhpT6hBlcvzXbTtYtqNm1pNK JBi+44bMpdFL17DjnWA3VW5iM5pOoab76ONTNzQoXw== X-Google-Smtp-Source: ABdhPJy489/6ztbfaZ+tG1LjANist+pvluiiPKVwtYWo9ArE0F/N296DiLySlO7P1jVlEquMCL1tJXTKiMDpXDNug98= X-Received: by 2002:ac5:cbc4:: with SMTP id h4mr5032347vkn.10.1624566336563; Thu, 24 Jun 2021 13:25:36 -0700 (PDT) MIME-Version: 1.0 References: <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com> <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com> <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net> In-Reply-To: Date: Thu, 24 Jun 2021 21:25:25 +0100 Message-ID: To: Joe Watkins , Craig Francis Cc: Stephen Reay , php internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted From: Danack@basereality.com (Dan Ackroyd) On Thu, 24 Jun 2021 at 19:12, Joe Watkins wrote: > > we're not > talking about a function that protects you from all possible security > concerns or bugs. I know. We're talking about something that is meant to protect programmers against silly mistakes. And this RFC doesn't do that. It allows silly mistakes to slip through and make it to production. As per https://news-web.php.net/php.internals/114858: > Assume that both UserPreferences and getInfoPanel code is covered by > unit tests. The developer who made that change would run the tests, > see the tests pass and then push their code live. At which point, it > would cause an error in production, as the string returned would not > pass the is_literal check. I'd really like anyone who is promoting this RFC to answer the question from https://news-web.php.net/php.internals/115010 : > Please can you go into some detail about what you think people are > meant to do when they detect a non-literal used where a literal is > expected? There is a whole load of hand waving going on of "you can protect yourself!" but then no detail of what this RFC proposes people actually do, which means people can't evaluate whether it's worth adding or not. I know not carrying the literal flag through string concatenation would make this slightly harder to use. But that would come with lower long term maintenance, and less mistakes getting through to production. For security concerns, that seems a good tradeoff to make. I'd also quite like an answer to the following: > Why are you prioritising speed of adoption, over reducing the cost of > using this feature for projects over say the next 5 or 10 years? I think this feature should be of most value to teams with large code-bases, where maintaining the code (and figuring out security problems) has a much higher cost than for small code-bases, where this feature might not deliver much value. But by carrying the literal flag through on string concat, that results in it being annoying to use for teams with large code-bases....which seems self-defeating. cheers Dan Ack