Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115405
Return-Path: <danack@basereality.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11320 invoked from network); 12 Jul 2021 12:53:53 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 12 Jul 2021 12:53:53 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id CA7531804D8
	for <internals@lists.php.net>; Mon, 12 Jul 2021 06:17:05 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <danack@basereality.com>
Received: from mail-ua1-f41.google.com (mail-ua1-f41.google.com [209.85.222.41])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 12 Jul 2021 06:17:05 -0700 (PDT)
Received: by mail-ua1-f41.google.com with SMTP id n61so7191040uan.2
        for <internals@lists.php.net>; Mon, 12 Jul 2021 06:17:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=DEjhuzcfkZg35tTd4vj3HA5OTKU+AxskFTjkhVP48Ss=;
        b=lYXDZrB9Hrc+6VFFFrx2Xk6Ehxbj3zLuKFRXBJw/7h50N8vOBoGIUDieSkR7oGlqsy
         OZoEC13Q7UklbPqik6CPcmJyP/Ir5H5hGDLezE1/3zJnwRBrH/EUExbmlEyZyxW75aUS
         7HLpfUcUuUrG05ffSCiVjxzyUVmBsX+15C6kEOvbAfgJwZxLpI6pBNy9EeYYq5nmnz6h
         zGJoiOtRpNd+OGEeG96GNBx04FbES/AeSkCCEsO5SPSzaeGyUKSRKLkzLtszsfhJbH70
         1yi9A+cJ8vi0Fu7aiGfqtLUrHWCKhlteKNlU6jJMK1+yK+9TnPuZYSZkZETFIUvJ9qhe
         Lbfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=DEjhuzcfkZg35tTd4vj3HA5OTKU+AxskFTjkhVP48Ss=;
        b=jkYRHPHlN7rZX+tU4U6AUVN1cp51XSfTG6BrkDoiud25Ig97oZ0wKOsqYqXN2xG1gH
         Savp9D4OPtzN0mccJs6yeVqfqcC+Pb3mYS1iYqS7jd+EwlhWD5v8nHt7EhMV4DpKbryR
         lRO0ZN5kEllfGpdZJ35sWaBw5cdIt4imIv5rk57+y7mG51qLA1LmmsloUqxQlBkhSSiH
         q/rfpvcsvTWeV/peHzW4TjNiyNT+QNQuKnSzTD/ezlPhy3Q+B5pjbgRHRgM5B9LjNx5T
         ULG8zeOkkyiMnan/pf8JGr6Yr7KGKH6yUu6PfBXqgxMp2gkU8UKTGzQYz7Nj/Po9B2af
         +8Pw==
X-Gm-Message-State: AOAM5311QSHMtFVDZ7ef14TQdkXnP1tcjKb+NVswWtmlty9bOHpxg4II
	xQmY3XmYp3gHMSRsnFVapBO5ecej1222xYbvR9Z1NQ==
X-Google-Smtp-Source: ABdhPJypu5Q58hIIsf5cq4ATFXgbvE7UZO0S53X/8YBxnz4GWWXygfmgiun5kD2yYH2nYA/WclUkZWvalawN4hPyYZA=
X-Received: by 2002:ab0:2381:: with SMTP id b1mr48641321uan.93.1626095824208;
 Mon, 12 Jul 2021 06:17:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CAFPFaMJs7qvko=tfBsXuwCqMV3VqXL4TjO2aKWWPjrAicZzM9w@mail.gmail.com>
 <CAFv4g+G85cfjykjKRbOwWg+KXctZ1u93Onu5cLh1bNrtQ0=DPg@mail.gmail.com>
 <CA+kxMuQkBevK5k-Khhpo3tFfHXeSrM+-GCOWRoZoKJ8Y=_mV4Q@mail.gmail.com> <CAFv4g+E=tfzKEXQP64DPNYgMBVo1NbvWBOD2LZVKwsGkw_d=Vg@mail.gmail.com>
In-Reply-To: <CAFv4g+E=tfzKEXQP64DPNYgMBVo1NbvWBOD2LZVKwsGkw_d=Vg@mail.gmail.com>
Date: Mon, 12 Jul 2021 14:16:53 +0100
Message-ID: <CA+kxMuQe3hmNiZe6XzROfPCzASDHBTWk3G7ZrwT3=eSuzGTC4A@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: "G. P. B." <george.banyard@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: Danack@basereality.com (Dan Ackroyd)

On Mon, 12 Jul 2021 at 02:09, Craig Francis <craig@craigfrancis.co.uk> wrot=
e:
>
> you can choose not to use string concatenation ... allowing anyone to cus=
tomise it to their needs

Please can you explain how:

i) An individual programmer can enforce that they don't accidentally
use string concatenation for stuff that is used in a security
sensitive context.

ii) A team of 50 programmers can enforce that they don't accidentally
use string concatenation for stuff that is used in a security
sensitive context.

iii) A library can enforce that string concatenation isn't used in the
params passed to it.


> and doesn=E2=80=99t improve security in any way,

It prevents issues from being able to make it through to production.
But the main reason would be to reduce the cost of using this feature
long-term.

> you can choose not to use string concatenation (I haven't needed to).

Wait....what?

Is your position both that preserving literal-ness across string
concatenation is required, otherwise this feature is too hard to use,
and at the same time, you've not needed that in your own applications.

Is that right? Because if preserving literal-ness across strings
wasn't required for you...why would it be required for every other
project?

And to be clear, I don't think it's required.

I think by listening to feedback from people who aren't sure it's a
good idea, who said "this is a good idea but only if it's really easy
to start using it" that this RFC has been watered down from the most
useful proposal. At the core, there is a good idea behind this RFC,
but the set of trade-offs chosen just aren't the right ones, and
aren't the "proven" trade-offs made at Google.

cheers
Dan
Ack