Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117001
Return-Path: <duesterhus@woltlab.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 70247 invoked from network); 7 Feb 2022 15:42:00 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 7 Feb 2022 15:42:00 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 75B0F1804A7
	for <internals@lists.php.net>; Mon,  7 Feb 2022 08:57:46 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS199118 195.10.208.0/24
X-Spam-Virus: No
X-Envelope-From: <duesterhus@woltlab.com>
Received: from mout-b-110.mailbox.org (mout-b-110.mailbox.org [195.10.208.55])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon,  7 Feb 2022 08:57:45 -0800 (PST)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [80.241.60.245])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4JsslC71gyz9sQg;
	Mon,  7 Feb 2022 17:57:43 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=woltlab.com; s=MBO0001;
	t=1644253061;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=a+e+I4pNTI3vnJaESpvxq7UmTfpv5M+bZcY7giKinmk=;
	b=aQoJtaGoNE7mnH2QuJQy8G+LjTjHUtZrObQKI0ewhoVEUX/R9MmRuzw8Fmn8kjgfyAwpyo
	pS+Sj/46BTeiMZiJqkmaEPWhbzHAIHv6wGNUH35EsjnzjsxZokBfi7EqEp4SUFEt9SBEb0
	MZWcTym/ny45AwTTE//NMZZvERqHyZRNQK4BO6V4zWkVE4f3BnMeyjfKBD1Rtc8obwlk6k
	Y6kBIEUp2NFbXT2ODOTuD4sDMVxQUqDzRU9BX/4y0/92gaognl06Vj/eKulkGReLe0PYTc
	Zo3CrRHwbVqoz6SG2wrWW1lQfTS5O8QONXGOvusdHXKZPjWPgDjqOsczDjHC2w==
Message-ID: <399b875f-8703-27f4-1b6d-01f78f53e41c@woltlab.com>
Date: Mon, 7 Feb 2022 17:57:37 +0100
MIME-Version: 1.0
Content-Language: en-US
To: Dan Ackroyd <Danack@basereality.com>
Cc: PHP internals <internals@lists.php.net>
References: <ded42b3e-3149-1192-0f86-07715fcb7a3e@woltlab.com>
 <CA+kxMuTVMeqVN1UFwau3eaVgLa2DKRKaErzSdFCKLw9v066mVQ@mail.gmail.com>
 <01c3082c-c69d-7337-64f7-8314ade305a2@woltlab.com>
 <CA+kxMuQnT137FHe5miAmNgv-ED+WeN=WFEkbe-RRXyKn8zzorQ@mail.gmail.com>
In-Reply-To: <CA+kxMuQnT137FHe5miAmNgv-ED+WeN=WFEkbe-RRXyKn8zzorQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] RFC [Discussion]: Redacting parameters in back traces
From: duesterhus@woltlab.com (=?UTF-8?Q?Tim_D=c3=bcsterhus=2c_WoltLab_GmbH?=)

Hi Dan

On 2/7/22 17:36, Dan Ackroyd wrote:
>> So basically all the other languages I researched do not provide
>> arguments within back traces.
> 
> Uh, that kind of suggests that providing arguments at all is a
> mistake, and that removing could be the way to go. I mean other than
> everyone complaining about the BC break.

Personally I wouldn't complain about the BC break per se, but about that 
making debugging harder :-)

> An awkward question; why is this hard-coding of the behaviour
> dependent on a new attribute the correct thing to do?

Reading through the RFC I concede that this is not (yet) explicitly 
spelled out. However the following sentence appears within the 
"Proposal" section:

> To reliably apply this protection for all types of back traces and all types of exception and error handlers, the redaction should happen when collecting the parameter values during back trace generation.

"reliably apply [...] for all [...] error handlers".

I've explained that in more detail in the podcast with Derick 
(https://phpinternals.news/97).

e.g. at the end of 1:05:

> But in any case, this exception handler will miss sensitive information because it needs to basically guess what parameters are sensitive values and which don't.

-

> PHP allows people to set_error_handler() to process errors how they
> like. Conceiveably, allowing users to set a custom function to redact
> data from stack traces would allow users to inspect and redact the
> parameters however they like. Why is adding a special attribute that
> is recognised by the PHP engine itself the right thing to do?

As explained above: Without having a standardized solution, redacting 
those arguments results in guesswork for the exception handler. A 
userland solution (e.g. standardized in PHP FIG) does not cut it, 
because then native functions will not be protected (e.g. ldap_bind).

I have made the following change to the RFC to hopefully make this 
clearer within the introduction:

https://wiki.php.net/rfc/redact_parameters_in_back_traces?do=diff&rev2%5B0%5D=1643972253&rev2%5B1%5D=1644252789&difftype=sidebyside

Please let me know if this is sufficiently clear, or if you'd like to 
see this expanded further.

Best regards
Tim Düsterhus
Developer WoltLab GmbH

-- 

WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam

Tel.: +49 331 96784338

duesterhus@woltlab.com
www.woltlab.com

Managing director:
Marcel Werk

AG Potsdam HRB 26795 P