Newsgroups: php.internals
From: claude.pache@gmail.com (Claude Pache)
Subject: Re: [PHP-DEV] [RFC][Under discussion] Arbitrary string interpolation
Date: Fri, 18 Mar 2022 20:42:46 +0100
To: Paul Dragoonis
Cc: Pierre, Chase Peeler, Theodore Brown, Tobias Nyholm, Ilija Tovilo, PHP internals
Message-ID: <6FE537EC-1159-40C6-BFE0-DDF854084572@gmail.com>

> On 18 March 2022 at 18:49, Paul Dragoonis wrote:
>
> I think the original goal of this RFC is to make PHP more expressive, and
> less clunky (look at Java). This is a good goal and one much desired by the
> community, but I think the approach here isn't the right fit or way to
> achieve it.
>
> Writing code in strings is a DX nightmare, and static analysis challenge.
>
> PHP is improving onto a more verbose, typed, but expressive language, and
> this change would make that harder.
>
> I'm also thinking if this could become a LCE/RCE vulnerability in a type of
> eval() situation. Not a huge point but just an observation.
>
> Happy to re-evaluate a new approach to solve the same problem that doesn't
> involve coding inside strings.

Although I agree that code execution in strings is not a great idea, it should be noted that this is already possible today, so that this proposal does not add a new capability. Indeed, the proposed syntax:

    "{$:/* arbitrary expression here */}";

is equivalent to:

    $expr = fn($_) => $_;
    "{$expr(/* arbitrary expression here */)}";

—Claude
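
The identity-closure form described in the message above, as an added example that is not part of the original e-mail or the RFC. It also shows that interpolation is resolved when a literal in the source file is compiled, so a string that arrives as data is not re-scanned. The names $id, $user, $items and $untrusted are illustrative.

```php
<?php
// Added example, not from the thread; all variable names are illustrative.
declare(strict_types=1);

// Identity closure: returns its argument unchanged (arrow functions need PHP 7.4+).
$id = fn($value) => $value;

$user  = ['name' => 'alice'];
$items = [3, 5, 8];

// The "{$...}" complex syntax accepts a call on a variable, so whatever
// expression is passed as the argument is evaluated when this literal runs.
$line = "User {$id(strtoupper($user['name']))} has {$id(count($items))} items, "
      . "total {$id(array_sum($items))}";
echo $line, PHP_EOL;

// Constructed sample input: single quotes keep the braces as plain characters,
// standing in for text received from a request, a file or a database.
$untrusted = '{$id(1 + 2)}';

// Interpolating the variable inserts its bytes verbatim. PHP does not parse
// the inserted value for further "{$...}" sequences.
$out = "Input was: {$untrusted}";
echo $out, PHP_EOL;

if ($out !== 'Input was: ' . $untrusted) {
    throw new RuntimeException('runtime data was re-interpolated');
}

// The risk raised in the quoted message only appears when data is handed to
// the compiler again, for example by building a string literal for eval().
// That holds for the existing syntax and the proposed one alike.
```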