Newsgroups: php.internals
Date: Fri, 25 Jun 2021 23:20:38 +0100
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Subject: is_literal() is back

Hi Internals,

We're going back to the original is_literal() proposal.

https://wiki.php.net/rfc/is_literal

This means that integers, which we cannot flag if they came from the developer, will not be considered as part of the "literal" definition.

This helps us avoid the naming issue, and trying to define a concept that's a bit vague (strings from the developer, or integers from anywhere)... and while I'm still of the belief that integers would help adoption, I can also see the appeal of something that's easier to understand, especially for a supermajority.

(My ideal solution would be to have a primary 'is_literal' vote, with a secondary question of adding integer support, but I've checked and the multiple-question system here is for minor implementation details only, e.g. names.)

But either way it's important that we address how Injection Vulnerabilities occur.

This simple flagging-and-checking literals system, which has been proven to work in other languages, will give libraries an easy way to check that certain sensitive values have only come from the developer.

Considering we need a two-thirds majority vote, we do need to keep this straightforward, avoiding any concerns over the variables' contents.

Thanks for all your feedback so far, and I hope you can continue to show your support for this on here, to show RFC voters this should be added to PHP.

Craig
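As an added illustration (not code from the RFC, the post, or PHP itself), here is a small Python model of the flag-and-check idea the message describes: a Literal wrapper stands in for the engine's literal flag, concatenation keeps the flag only when every piece is literal, and a library entry point refuses SQL text that has lost it, so runtime values have to travel as bound parameters. The Literal, is_literal, InjectionRisk, db_query and find_user names are assumptions.

```python
# Added illustration of the is_literal() idea: strings written in source are
# flagged, the flag survives concatenation of flagged values only, and a
# library refuses SQL text that lost the flag. Names are assumptions.
from __future__ import annotations
from typing import Any, Sequence


class Literal(str):
    """Stands in for a string the engine flagged as developer-written.
    Concatenation stays a Literal only when both sides are Literal;
    anything else yields a plain (unflagged) str."""

    def __add__(self, other: Any) -> str:
        if isinstance(other, Literal):
            return Literal(str.__add__(self, other))
        return str.__add__(self, other)

    def __radd__(self, other: Any) -> str:
        # Left side is not a Literal, so the result loses the flag.
        return str.__add__(other, self)


def is_literal(value: Any) -> bool:
    """Model of the proposed check: true only for flagged strings."""
    return isinstance(value, Literal)


class InjectionRisk(ValueError):
    pass


def db_query(sql: str, params: Sequence[Any] = ()) -> tuple[str, tuple[Any, ...]]:
    """Library-side check: the SQL text must be developer-written; runtime
    data has to go through the parameter list instead."""
    if not is_literal(sql):
        raise InjectionRisk("SQL must be built only from literal strings; bind values as parameters")
    # A real driver would prepare/execute here; we return what would be sent.
    return (str(sql), tuple(params))


def find_user(user_id: str, order_by: str) -> tuple[str, tuple[Any, ...]]:
    """Accepted pattern: the id is bound, and the ORDER BY column is chosen
    from an allow-list of literals rather than spliced in from input."""
    allowed = {"name": Literal("name"), "created": Literal("created")}
    if order_by not in allowed:
        raise InjectionRisk("unknown sort column")
    sql = Literal("SELECT id, name FROM users WHERE id = ? ORDER BY ") + allowed[order_by]
    return db_query(sql, (user_id,))


def unsafe_find_user(user_id: str) -> tuple[str, tuple[Any, ...]]:
    """Rejected pattern: concatenating runtime data drops the flag, so
    db_query refuses it even when the value happens to be harmless."""
    return db_query(Literal("SELECT id, name FROM users WHERE id = ") + user_id)
```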