Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117959
Return-Path: <deleugyn@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 87270 invoked from network); 16 Jun 2022 05:54:46 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 16 Jun 2022 05:54:46 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 8004D180384
	for <internals@lists.php.net>; Thu, 16 Jun 2022 00:42:42 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <deleugyn@gmail.com>
Received: from mail-io1-f46.google.com (mail-io1-f46.google.com [209.85.166.46])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 16 Jun 2022 00:42:42 -0700 (PDT)
Received: by mail-io1-f46.google.com with SMTP id b138so667689iof.13
        for <internals@lists.php.net>; Thu, 16 Jun 2022 00:42:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=FqJiPlReeDj1wiCbBwmP2JjZfe+vfRGOGOliGn7i+gE=;
        b=AM/2TBMtBYDX/x23A1DefzLJVKm9NTJZB9RDLWoy8jCyyQZd/e9FhcD1M4ITnA6ECm
         Nb8mxNJLVq7mr2F1TEeAX98DhQwhfv2/EKoCpnuq8dv0YKuKA+oGz0xKVztLLDxOyD/+
         s1kINL23SexQpxVvW4Ofhx4hpCQU1ugGa1M/N0R5uC2ttUYZ61c/LkpQnu867I7u/Xua
         aPsH5HNoJJjMhENcJPahfX01A64nYU2XxH8aZpbW+jZWd3KyZhbd5vBIopu32q6+I5Sq
         NYWNGxYQ2JRv57FYouZD+OQL92XCe98M0rNPgiKiPREL1GDt2ZUgOVfk3XcJG4TLEaY0
         MrkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=FqJiPlReeDj1wiCbBwmP2JjZfe+vfRGOGOliGn7i+gE=;
        b=3DVEqpgbIlNG7CwpF24tkRzzgGj8P25yerH0FIoRdH+oXxj1PjW6mIIMiFhE/B+vqt
         hvKsvBWanGDZBh97olIPFrBABDIOTNkTMKt12oLxCUyTihykinpCmwafZP/W+at8ArCn
         fz2HgzmKOFGBzxpW4rVxGFmH69KcNVZyBu38BeM5/vz1DXdBYFzZix6hIJ010epdva3Z
         P2KQpDlDf1nUoo5GsPLBmNAix9LejwvnqPHo3A4mYwT4XfdqIyuC7bG52HaTCGR1A0GK
         zh/PBEJEKSdMufOAJB/nVp21LtSYEhA1xpGprzuiJO5wKh70HNAyKl2H3iK8782Q7Stl
         X6fg==
X-Gm-Message-State: AJIora8Y1YhxMiEqcmt58yhUPvW6ktC3Rfn3Fg4aqhAkZim+H9bvn0cv
	cGG1I20keQ73j81nP8n52K50ctFl2rx+22c4Izo=
X-Google-Smtp-Source: AGRyM1vYBX8eKUfZJMonjTxqncuzp3JEKzt1HNcJ0owc8sPQTHDu7+8XOhuPjcmGlKVjmVhF5mtDAjhhSnreedvJzp8=
X-Received: by 2002:a05:6638:33aa:b0:335:ae08:67ef with SMTP id
 h42-20020a05663833aa00b00335ae0867efmr1894193jav.55.1655365361253; Thu, 16
 Jun 2022 00:42:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAOfKkdRzoo7JuD07F8nkZBYvS5eDMiV2r6cNV-FgeLxBrdCsiQ@mail.gmail.com>
In-Reply-To: <CAOfKkdRzoo7JuD07F8nkZBYvS5eDMiV2r6cNV-FgeLxBrdCsiQ@mail.gmail.com>
Date: Thu, 16 Jun 2022 09:42:30 +0200
Message-ID: <CADK1yXJucrTg6ep4DBhsbBbsjgLDrN=LSRB9Seyw7_kN=irsdw@mail.gmail.com>
To: Pierrick Charron <pierrick@php.net>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000054c11505e18bc867"
Subject: Re: [PHP-DEV] Discussion about new Curl URL API and ext/curl improvements
From: deleugyn@gmail.com (Deleu)

--00000000000054c11505e18bc867
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Jun 16, 2022, 9:10 AM Pierrick Charron <pierrick@php.net> wrote:

> Hi internals,
>
> Since its version 6.62.0 [1], libcurl features a brand new URL API [2] th=
at
> can be used to parse and generate URLs, using libcurl=E2=80=99s own parse=
r. One of
> the goals of this API is to tighten a problematic vulnerable area for
> applications where the URL parser library would believe one thing and
> libcurl another. This could and has sometimes led to security problems [3=
].
> The new API is handled base and composed of 5 new functions [4] (and one
> more since 7.80.0 to get more verbose information upon error).
>
> I started to work on an implementation [5] to expose this API to PHP
> userland in the curl extension so that PHP users can benefit from it. My
> first reflex was to stay consistent on how the extension is currently
> working and do a one to one mapping of the new curl functions. I got
> feedback from both Ilija and Christoph saying that the API is, I quote, "=
a
> bit clunky" which I can't disagree with.
>
> For a long time, ext/curl worked with handles as "curl resources" and
> functions mapped to the libcurl functions, but since PHP8.0 "curl
> resources" were converted to opaque classes with no methods. So my main
> goal here is to come up with a solution for the new Curl URL API, but may=
be
> also to be consistent, make some changes to existing curl classes like
> `CurlHandle` to add methods and improve the current state of the extensio=
n.
>
> Here is the solution I would propose :
> - First of course keep all the current ext/curl functions as is not to
> break any compatibility (Seems obvious but just to be sure everybody is o=
n
> the same page).
> - For consistency expose the new Curl URL API as functions mapped one to
> one to libcurl functions :
>
> function curl_url(?string $url =3D null): CurlUrl|false {}
> function curl_url_set(CurlUrl $url, int $part, string $content, int $flag=
s
> =3D 0): bool {}
> function curl_url_get(CurlUrl $url, int $part, int $flags =3D 0):
> string|false {}
> function curl_url_errno(CurlUrl $url): int {}
> function curl_url_strerror(int $error_code): ?string {}
>
> - Add methods to the CurlUrl object to make it less opaque and expose an
> object oriented style API. I would keep it minimal and let userlanAd API
> provide higher level APIs as guzzle for example. (You can see the current
> implementation [5])
>
> final class CurlUrl implements Stringable
> {
>     public function __construct(?string $url =3D null) {}
>     public function get(int $part, int $flags =3D 0): string {}
>     public function set(int $part, string $content, int $flags =3D 0): vo=
id
> {}
>     public function getErrno(): int {}
>     public function __toString(): string {}
>     public function __clone() {}
> }
>
> - It would also be nice to add this object oriented API for existing
> CurlHandle, CurlMultiHandle and CurlShareHandle classes. For example the
> CurlHandle class would look like that (First implementation [6])
>
> final class CurlHandle
> {
>     public function __construct(?string $url =3D null) {}
>     public function setOpt(int $option, mixed $value): bool {}
>     public function getInfo(?int $option =3D null): mixed {}
>     public function exec(): string|bool {}
>     public function escape(string $string): string|false {}
>     public function unescape(string $string): string|false {}
>     public function pause(int $flags): int {}
>     public function getErrno(): int {}
>     public function reset(): void;
>     public function setOptArray(array $options): bool {}
>     public function upkeep(): bool {}
>     public function __clone() {}
> }
>
> As of right now I still have some unanswered questions like how should we
> handle errors on the new CurlUrl API ?
> - Throw `CurlUrlException` on both the procedural and object oriented sty=
le
> API (that's how current implementation works [5])
> - Throw `CurlUrlException` with the oriented style API, but return for
> example boolean/null on errors when user uses the procedural API ?
> - Always return null/booleans using both object oriented API and
> procedural API ?
>
> The same question applies if we add a new object oriented style API on
> existing classes. Current functions MUST stay unchanged but should we thr=
ow
> `CurlException` when the user uses the object oriented style API ? (That'=
s
> what I would do) Or should we return the same result from OO and procedur=
al
> API ? Should we make the new CurlApi consistent with that ?
>
> What are your thoughts about all this ? Any feedback on any of those
> subjects are more than welcome.
>
> Pierrick
>
> [1]
> https://daniel.haxhttps://
> github.com/adoy/php-src/tree/curl-object-apix.se/blog/2018/10/31/curl-7-6=
2-0-moar-stuff/
> <https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/>
> [2] https://daniel.haxx.se/blog/2018/09/09/libcurl-gets-a-url-api/
> [3]
>
> https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF=
-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
> [4] https://github.com/curl/curl/blob/master/include/curl/urlapi.h
> [5] https://github.com/php/php-src/pull/8770
> [6] https://github.com/adoy/php-src/tree/curl-object-api


I understand why breaking changes would definitely be a no go here, but if
someone is adapting their code from procedural to OOP I would say they can
catch exceptions instead of comparing against false. To me it would even be
desirable. Any new code that didn't exist before show prefer throwing over
returning false, imo.

>
>

--00000000000054c11505e18bc867--