Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115311
Return-Path: <rowan.collins@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27685 invoked from network); 6 Jul 2021 08:10:27 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 6 Jul 2021 08:10:27 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id A37D31804C9
	for <internals@lists.php.net>; Tue,  6 Jul 2021 01:32:10 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_00,BODY_8BITS,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <rowan.collins@gmail.com>
Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue,  6 Jul 2021 01:32:10 -0700 (PDT)
Received: by mail-wm1-f49.google.com with SMTP id k16-20020a05600c1c90b02901f4ed0fcfe7so1629280wms.5
        for <internals@lists.php.net>; Tue, 06 Jul 2021 01:32:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding:content-language;
        bh=96/lcPfBhfjAkcmbW4fSlsj+TSkUY9uEQNbuq+CxZvA=;
        b=NsvZs6nDmyjG4DsfOfrSm1/swfcK2HU8PVzKbVqkElJ0DRlabWs+z15PzrzjPbZM0e
         7KHj02dN32Rwj/6ybAqG5FZbDDMkUL5ggqw6s9G8s4sqscwB5NvpJMNolz6aXX3FLg2j
         SQ7b5iuAAl9GaHmE34J7rH1a9OaFt7S8fur6/gS49snC8g/K4n414bpd8m8KvhKwXwwI
         0tnrDIJRAPA4y5bhYR4phjHuy30nJIFHTcAXVnexraiFfs98uqkenDb7i+mhzoNfvTMe
         LH3frJLDGL1RpuU3RHF7IgH+FvOfIxk0X3eXsdbsILZEV3MsHSTyZE6AUxM8IQXgCco4
         1HWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding
         :content-language;
        bh=96/lcPfBhfjAkcmbW4fSlsj+TSkUY9uEQNbuq+CxZvA=;
        b=oM2J/1ZdS4n+0PgDEOtFyShmHYTHiZgVS++hpvw9ro2BLaYlfLWGYz/Fh4NPictg66
         05wl7KL43ybbTLtCkyLAao8IvjOo3jjaRbOqUBPdQx8tmZBYm7JmoCexOzjiD4eAbB9U
         glyocCtw+PqzpTx7lGgk1ndMgaUoIrGCV8OBaVS9jkwXDyJ6V6umj1HDeVVFbPyKxP+Y
         LatPSEQntcihBvO1Yqb5q5qe0sbzeTYOAxmM2eJnW1b/UhIF30EX/ce512o6EmQSQzlc
         4rypVj+mKQmjXfPbMsS1t9GIENYlkLwpp8HAJQB0sSir4PZ4kJca6z59RsLrcqdK7KTI
         0nww==
X-Gm-Message-State: AOAM531E3DkozlQe5/v6fer0si74bIn2kXvgj4+aOcmSRG36TF1ibviM
	DUsEAmi4RvT3+IJs1G86ORg/8C4gunA=
X-Google-Smtp-Source: ABdhPJwZ4bEXwopQaYA8iqdfj3QSGZ2MLt88l5ORpXQG/ous07Y/GY4QOnRSYJ0iawFfdZKd4tA9UQ==
X-Received: by 2002:a1c:7515:: with SMTP id o21mr3526073wmc.65.1625560329120;
        Tue, 06 Jul 2021 01:32:09 -0700 (PDT)
Received: from [192.168.0.22] (cpc104104-brig22-2-0-cust548.3-3.cable.virginm.net. [82.10.58.37])
        by smtp.googlemail.com with ESMTPSA id 204sm16520156wma.30.2021.07.06.01.32.08
        for <internals@lists.php.net>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 06 Jul 2021 01:32:08 -0700 (PDT)
To: internals@lists.php.net
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CAFPFaMJs7qvko=tfBsXuwCqMV3VqXL4TjO2aKWWPjrAicZzM9w@mail.gmail.com>
Message-ID: <782e08f6-d6a1-e1e7-b2d6-4706277a4d86@gmail.com>
Date: Tue, 6 Jul 2021 09:32:06 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CAFPFaMJs7qvko=tfBsXuwCqMV3VqXL4TjO2aKWWPjrAicZzM9w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: rowan.collins@gmail.com (Rowan Tommins)

On 06/07/2021 07:38, G. P. B. wrote:
> This is I think the main issue with the current shape of the proposal.
> This implementation will detect certain security issues, but finding the
> root cause for them is going to be rather complicated, as the concatenation
> operation is basically kicking the can down the road about the
> responsibility of checking whether or not the result is a literal.
> Whereas using a function like concat_literal() which checks that the inputs
> are indeed literals provides immediate feedback that the type constraint is
> not being violated.


I still don't follow this reasoning, for the reasons I outlined here: 
https://externals.io/message/114835#114868 and again later: 
https://externals.io/message/115037#115156

You can write your own concat_literal() function with the current 
implementation:

function concat_literal(string $a, string $b): string {
    if( ! is_literal($a) || ! is_literal($b) ) {
         throw new TypeError;
    }
    return $a . $b;
}

This does everything a native version would, and can be used in all the 
same places.

What it won't do, is tell you when you've forgotten to use it, and used 
the normal string concatenation operator - but nor would a built-in 
implementation.

Whether "$foo . $bar" is always non-literal, or non-literal only if one 
of its operands is, you're going to get an error about a non-literal 
string somewhere else in the program, and have to trace back to find 
where the "bad" concatenation happened.

Regards,

-- 
Rowan Tommins
[IMSoP]