Newsgroups: php.internals
Date: Sun, 02 Jan 2022 12:05:45 +0000
To: internals
In-Reply-To: <1641095231.967164658@f750.i.mail.ru>
References: <1640910093.890171965@f721.i.mail.ru> <1641095231.967164658@f750.i.mail.ru>
Message-ID: <2DC31ED4-8C27-4ADF-9946-8369C6E0A42F@gmail.com>
Subject: Re: [PHP-DEV] RFC: Stop to automatically cast numeric-string to int when using them as array-key
From: rowan.collins@gmail.com (Rowan Tommins)

On 2 January 2022 03:47:11 GMT, Kirill Nesmeyanov wrote:
>
>I just gave an example of what at the moment can cause an exception in any application that is based on the PSR. It is enough to send the header "0: Farewell to the server". In some cases (for example, as is the case with RoadRunner) - this can cause a physical stop and restart of the server.

Any library where a crafted HTTP request can cause a server shutdown has a bug which needs addressing right now - possibly more than one, actually, as it implies error handling is leaking across request boundaries. A change to the language applied in the next major version would fix this some time around 2025, once people start adopting it. A workaround in the library itself can be applied within weeks.

I already gave a simple solution that such libraries can apply right now, with very little chance of negative impact: sanitise headers more aggressively than the HTTP standard requires, as Apache httpd does, in this case discarding any header containing only digits. This is likely to be about three lines of code inside a loop preprocessing raw headers:

    if ( ctype_digit($rawHeaderName) ) {
        trigger_error("Numeric HTTP header '$rawHeaderName' has been discarded.", E_USER_WARNING);
        continue;
    }

If I was the maintainer of such a library, I might consider even stricter validation, considering what seems like an accidentally broad definition in the HTTP spec, and the possibility of an application receiving even more exotic characters if processing raw TCP traffic.

The idea of an array_keys variant or option that forces everything back to string seems like it might be useful (and easy to polyfill for old versions). Changing such a fundamental language behaviour in the hope that it will fix more code than it breaks is just not worth it.

Regards,

-- 
Rowan Tommins
[IMSoP]
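
Added example, not part of the original message and not taken from any library named in the thread: the header-preprocessing loop with the digit check in place, generalised to drop any name PHP would cast to an integer array key (for instance "-5", which ctype_digit() does not match) and any name that is not an RFC 7230 token. The function name parseRequestHeaders() and the sample request are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; parseRequestHeaders() is a hypothetical helper, not a PSR-7 API.
// Returns [lower-case name => list of values]. Every key in the result is
// guaranteed to be a string, so callers never see an int header name.
function parseRequestHeaders(string $rawHeaderBlock): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', $rawHeaderBlock, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue; // not a "name: value" line
        }
        [$rawName, $rawValue] = $parts;
        // field-name = token (RFC 7230 3.2.6): no spaces, controls or non-ASCII.
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/D', $rawName) !== 1) {
            trigger_error('Malformed HTTP header name has been discarded.', E_USER_WARNING);
            continue;
        }
        // Digit-only names, plus a probe: use the name as a key in a scratch
        // array and see whether PHP turned it into an int.
        if (ctype_digit($rawName) || is_int(array_key_first([$rawName => true]))) {
            trigger_error("Numeric HTTP header '$rawName' has been discarded.", E_USER_WARNING);
            continue;
        }
        $headers[strtolower($rawName)][] = trim($rawValue, " \t");
    }
    return $headers;
}

// Constructed sample request headers, including two integer-like names.
$raw = "Host: example.test\r\n0: Farewell\r\n-5: x\r\nX-Trace: a\r\nX-Trace: b\r\n";
$warnings = [];
set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
    $warnings[] = $msg; // collect instead of printing, as a library's logger would
    return true;
}, E_USER_WARNING);
$parsed = parseRequestHeaders($raw);
restore_error_handler();
var_dump($parsed, $warnings);
```

With the constructed input only the host and x-trace entries survive, and both the "0" and "-5" headers are discarded with a warning each.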